Assertion failure: GetGCThingTraceKind(rope) == JSTRACE_STRING, at gc/Marking.cpp:933 or Crash [@ markIfUnmarked]

Status: RESOLVED WORKSFORME

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 22 days ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Platform: x86 Linux
Keywords: assertion, crash, sec-high, testcase
Points: ---

Firefox Tracking Flags

(firefox23 unaffected, firefox24- affected, firefox-esr17 unaffected)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on mozilla-central revision 18fc62fd8dcc (run with --ion-eager):

// Run in the SpiderMonkey shell with --ion-eager; gc() is a shell builtin.
utc();
utc();
function MyDate() {
  d = '';               // overwrite the global d with a string while the object is being constructed
  this.seconds = 0;
}
function utc() {
  d = new MyDate();     // global d: first a string, then a MyDate object
  d.year <= 99;         // year is never defined on MyDate; the comparison result is discarded
  gc();                 // force a collection right after the property access
}
(Reporter)

Comment 1

5 years ago
Created attachment 757137 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

5 years ago
Opt-crash:


Program received signal SIGSEGV, Segmentation fault.
markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at ../gc/Heap.h:693
693             if (*word & mask)
#0  markIfUnmarked (cell=<optimized out>, this=<optimized out>, color=0) at ../gc/Heap.h:693
#1  markIfUnmarked (color=0, this=<optimized out>) at ../gc/Heap.h:982
#2  ScanRope (gcmarker=0x9023fa8, rope=0xf7540200) at js/src/gc/Marking.cpp:942
#3  0x0809eade in ScanString (gcmarker=0x9023fa8, str=<optimized out>) at js/src/gc/Marking.cpp:981
#4  processMarkStackTop (budget=..., this=<optimized out>) at js/src/gc/Marking.cpp:1404
#5  js::GCMarker::drainMarkStack (this=0x9023fa8, budget=...) at src/gc/Marking.cpp:1493
#6  0x081955d1 in DrainMarkStack (phase=js::gcstats::PHASE_MARK, sliceBudget=..., rt=0x9023e88) at js/src/jsgc.cpp:3779
#7  IncrementalCollectSlice (rt=0x9023e88, budget=<optimized out>, reason=JS::gcreason::API, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:4263
eax     0xfc0b0 1032368
=> 0x809731c <ScanRope(js::GCMarker*, JSRope*)+76>:     mov    (%eax),%edi


Marking s-s due to possibly dangerous memory access, involving GC.
Crash Signature: [@ markIfUnmarked]
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

5 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132704:88016f09b0f4
user:        Eddy Bruel
date:        Wed May 22 16:23:07 2013 -0700
summary:     Bug 637572 - Use ScriptSourceObject instead of ScriptSource; r=jimb

This iteration took 336.731 seconds to run.
(Reporter)

Comment 4

5 years ago
Needinfo from Eddy based on comment 3 :)
(Reporter)

Updated

5 years ago
Flags: needinfo?(ejpbruel)
Keywords: sec-high
status-b2g18: --- → unaffected
status-firefox23: --- → unaffected
status-firefox24: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox24: --- → +
status-b2g18: unaffected → ---
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
(Reporter)

Comment 5

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6f32011a27ef).
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 6

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/5d35dc039af7
user:        Sankha Narayan Guria
date:        Wed Jun 05 14:17:35 2013 -0500
summary:     Bug 875433 - Array.prototype.iterator is the same function object as .values. r=jorendorff.

This iteration took 336.739 seconds to run.
(Reporter)

Comment 7

5 years ago
Sankha, did the bug in comment 6 also fix this issue?
(Reporter)

Updated

5 years ago
Flags: needinfo?(sankha93)
(Reporter)

Comment 8

5 years ago
Needinfo on Jason instead :) Maybe he can help with comment 6/7.
Flags: needinfo?(sankha93) → needinfo?(jorendorff)

Comment 9

Sorry. No, the bug in comment 6 almost certainly has nothing to do with this -- AND it was backed out later.
Flags: needinfo?(jorendorff)

Comment 10

I cannot reproduce this even in the specific revision cited, in an opt build, with --ion-eager. Is it linux-only?
Flags: needinfo?(choller)
(Reporter)

Comment 11

5 years ago
This might indeed be linux only and also 32 bit is likely required. In addition I usually configure like this:

debug: --enable-debug --enable-optimize --enable-valgrind
opt: --disable-debug --enable-optimize --enable-valgrind --enable-gczeal

(no threadsafe builds). Let me know if that works :)
Flags: needinfo?(choller)
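Comments 10 and 11 show the usual problem with GC-timing bugs: one person reproduces, another does not, and the answer depends on the build configuration and on luck. The harness below is an added example (it is not part of this bug or of the Mozilla tree) that re-runs the testcase from the description under a js shell you have already built (for instance a 32-bit Linux build with the debug or opt configure flags from comment 11), runs it several times, and tallies whether each run ended in the debug assertion, a fatal signal such as the SIGSEGV in comment 2, a clean exit, or a timeout. The shell path and iteration count are command-line arguments; everything else is self-contained.

```python
#!/usr/bin/env python3
"""Re-run the testcase from this bug under a SpiderMonkey shell and classify each outcome.

Added example, not part of the bug report or the Mozilla tree. Assumes you already
built a js shell (e.g. with the configure flags from comment 11) and pass its path.
"""
import re
import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# Testcase exactly as posted in the bug description.
TESTCASE = """\
utc();
utc();
function MyDate() {
  d = '';
  this.seconds = 0;
}
function utc() {
  d = new MyDate();
  d.year <= 99;
  gc();
}
"""

# Debug-shell assertion line, e.g.
#   Assertion failure: GetGCThingTraceKind(rope) == JSTRACE_STRING, at gc/Marking.cpp:933
ASSERT_RE = re.compile(
    r"^Assertion failure: (?P<cond>.+?), at (?P<file>\S+):(?P<line>\d+)", re.M
)


def classify(returncode, stderr):
    """Map a shell exit status plus its stderr to a (kind, detail) pair.

    Order matters: a debug build prints the assertion text and then aborts with
    SIGABRT, so the assertion is recognised before the signal number is looked at.
    """
    m = ASSERT_RE.search(stderr)
    if m:
        return ("assertion", f"{m['cond']} at {m['file']}:{m['line']}")
    if returncode < 0:  # subprocess reports death by signal as -signum
        return ("crash", signal.Signals(-returncode).name)
    if returncode == 0:
        return ("clean", "")
    return ("error", f"exit status {returncode}")


def run_once(shell, testcase_path, flags=("--ion-eager",), timeout=60):
    """Run the shell once on the testcase file and classify the result."""
    try:
        proc = subprocess.run(
            [shell, *flags, str(testcase_path)],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", "")
    return classify(proc.returncode, proc.stderr)


def reproduce(shell, iterations=10, flags=("--ion-eager",)):
    """Run the testcase `iterations` times and tally the outcomes.

    A single clean run is weak evidence for a GC-timing bug; the tally shows how
    often each outcome actually occurs on this build.
    """
    counts = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "testcase.js"
        path.write_text(TESTCASE)
        for _ in range(iterations):
            outcome = run_once(shell, path, flags)
            counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} /path/to/js [iterations]")
    n = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    for (kind, detail), count in sorted(reproduce(sys.argv[1], n).items()):
        print(f"{count:3d}  {kind:9s} {detail}")
```

Run it once against the debug shell and once against the opt shell; the debug build should report the assertion from the bug title, while the opt build either crashes in markIfUnmarked or runs clean, which is the distinction the thread was trying to settle. Because the testcase calls gc() explicitly, the outcome depends on heap state rather than on the GC zeal setting, so flags like --enable-gczeal mainly change how often the bad state is hit.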
Is this WFM, or was it FIXED by Bug 875433 (Array.prototype.iterator is the same function object as .values)?
Marking this as WFM for now given comment #10; please reopen if needed.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME
Christian, please reopen this if you can reproduce it.

Updated

4 years ago
tracking-firefox24: + → -
Clearing the needinfo on this since the bug has been marked as resolved.
Flags: needinfo?(ejpbruel)

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release