Created attachment 558192 [details]
Test case for shell (see README file inside).
The attached test asserts on mozilla-central revision a351ae35f2c4 (with shell build fix from mozilla-inbound rev fff3dc9478ce). See README for options and running instructions. This test only works on 32 bit debug builds.
Stepping through the assert will crash:
Program received signal SIGSEGV, Segmentation fault.
0x0805a65b in js::gc::ArenaHeader::allocated (this=0xdadad000) at ../../jsgc.h:391
391 JS_ASSERT(allocKind <= FINALIZE_LIMIT);
A GC gets triggered in the middle of the FindReferences shell-only debugging function, when a call to JS_SetElement allocates some shapes. FindReferences uses a GC tracer to walk the heap, and after the GC it winds up with a garbage value in its worklist (don't know why, but one possibility is a shifting set of conservative roots caused previously reachable things to become unreachable and get collected).
Can someone with the right bits remove the s-s?
I didn't see that FindReferences is involved here. My question would be if FindReferences is generally harmful (and should be deleted in fuzz driver before testing) or if this is a real bug and FindReferences is generally safe.
(In reply to Christian Holler (:decoder) from comment #2)
> I didn't see that FindReferences is involved here. My question would be if
> FindReferences is generally harmful (and should be deleted in fuzz driver
> before testing) or if this is a real bug and FindReferences is generally
This is a real bug, FindReferences should not be crashing here or anywhere. However, until this gets fixed you might want to blacklist FindReferences from the fuzzer, as even if a GC crashing testcase uses FindReferences there isn't a simple way to tell it is crashing *because* of the FindReferences.
Created attachment 573028 [details] [diff] [review]
Make HeapReverser itself root all nodes referred to by roots.
I can't reproduce this bug myself, but if bhackett's analysis is correct, I'd expect this to fix the problem. Explanation in the comments.
(That is, I started with a351ae35f2c4, applied the patch in fff3dc9478ce, build as a 32-bit executable, and then ran the test case according to the README, and didn't get an assertion. Not too surprising, if it indeed is a conservative scanning issue.)
*** Bug 700189 has been marked as a duplicate of this bug. ***
Do we care about this for Fx9 (with TI) or could we ship as-is?
(In reply to Christian Legnitto [:LegNeato] from comment #9)
> Do we care about this for Fx9 (with TI) or could we ship as-is?
The bug and fix are both in a shell-only debugging function so it doesn't affect Fx9.