Closed Bug 1470979 Opened 6 years ago Closed 6 years ago

Assertion failure: CurrentThreadCanAccessZone(zone), at js/src/gc/Cell.h:354 with GC and off-thread ion compilation

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 1470732
Tracking Status
firefox62 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:][adv-main62-])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d69b7fc884fb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --cpu-count=2 --ion-eager --ion-extra-checks --nursery-strings=on):

See attachment.

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x082ce266 in js::gc::TenuredCell::zone (this=0xf570a1c8) at js/src/gc/Cell.h:354
#1 0x087940f2 in BuilderMatches::match (zone=0xf661c000, this=0xffb7d490) at js/src/vm/HelperThreads.cpp:272
#2 mozilla::detail::VariantImplementation<unsigned char, 2u, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations>::match<IonBuilderMatches(const CompilationSelector&, js::jit::IonBuilder*)::BuilderMatches&, const mozilla::Variant<JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations> > (aV=..., aMatcher=...) at /dist/include/mozilla/Variant.h:250
#3 mozilla::detail::VariantImplementation<unsigned char, 1u, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations>::match<IonBuilderMatches(const CompilationSelector&, js::jit::IonBuilder*)::BuilderMatches&, const mozilla::Variant<JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations> > (aV=..., aMatcher=...) at dist/include/mozilla/Variant.h:262
#4 mozilla::detail::VariantImplementation<unsigned char, 0u, JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations>::match<IonBuilderMatches(const CompilationSelector&, js::jit::IonBuilder*)::BuilderMatches&, const mozilla::Variant<JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations> >(BuilderMatches &, const mozilla::Variant<JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations> &) (aMatcher=..., aV=...) at dist/include/mozilla/Variant.h:262
#5 0x087a775e in mozilla::Variant<JSScript*, JS::Realm*, JS::Zone*, js::ZonesInState, JSRuntime*, js::CompilationsUsingNursery, js::AllCompilations>::match<IonBuilderMatches(const CompilationSelector&, js::jit::IonBuilder*)::BuilderMatches> (this=0x0) at dist/include/mozilla/Variant.h:725
#6 IonBuilderMatches (builder=0xf5be70f8, selector=...) at js/src/vm/HelperThreads.cpp:285
#7 CancelOffThreadIonCompileLocked (selector=..., discardLazyLinkList=discardLazyLinkList@entry=true, lock=...) at js/src/vm/HelperThreads.cpp:325
#8 0x087a7a7a in js::CancelOffThreadIonCompile (selector=..., discardLazyLinkList=true) at js/src/vm/HelperThreads.cpp:354
#9 0x08b96336 in js::CancelOffThreadIonCompile (zone=<optimized out>) at js/src/vm/HelperThreads.h:573
#10 js::Nursery::collect (this=0xf6611110, reason=JS::gcreason::OUT_OF_NURSERY) at js/src/gc/Nursery.cpp:780
#11 0x08b3a46e in js::gc::GCRuntime::minorGC (this=0xf660f430, reason=JS::gcreason::OUT_OF_NURSERY, phase=js::gcstats::PhaseKind::MINOR_GC) at js/src/gc/GC.cpp:7886
#12 0x08b7a2cf in js::gc::GCRuntime::tryNewNurseryString<(js::AllowGC)1> (this=0xf660f430, cx=0xf6618800, thingSize=16, kind=js::gc::AllocKind::STRING) at js/src/gc/Allocator.cpp:150
#13 0x08b7cdd9 in js::AllocateString<JSString, (js::AllowGC)1> (cx=0xf6618800, heap=js::gc::DefaultHeap) at js/src/gc/Allocator.cpp:187
#14 0x088f407d in js::Allocate<JSRope, (js::AllowGC)1> (heap=js::gc::DefaultHeap, cx=0xf6618800) at js/src/gc/Allocator.h:47
#15 JSRope::new_<(js::AllowGC)1> (heap=js::gc::DefaultHeap, length=80978, right=..., left=..., cx=0xf6618800) at js/src/vm/StringType-inl.h:130
#16 js::ConcatStrings<(js::AllowGC)1> (cx=0xf6618800, left=..., right=...) at js/src/vm/StringType.cpp:768
#17 0x2743c243 in ?? ()

eax 0x0 0
ebx 0x8ec8ff4 149721076
ecx 0xf74c0864 -146012060
edx 0x0 0
esi 0xf5b57800 -172656640
edi 0xf5be70f8 -172068616
ebp 0xffb7d418 4290237464
esp 0xffb7d410 4290237456
eip 0x82ce266 <js::gc::TenuredCell::zone() const+86>
=> 0x82ce266 <js::gc::TenuredCell::zone() const+86>: movl $0x0,0x0
0x82ce270 <js::gc::TenuredCell::zone() const+96>: ud2

Again, highly intermittent GC bug, only reproduces on debug 32-bit build. Marking s-s.
Attached file Testcase (deleted) —
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
This issue is likely to be fixed by the patch Jon reviewed in Bug 1470732 (because of the CancelOffThreadIonCompileLocked frame on the stack).
Blocks: 1437600
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:] → [jsbugmon:][adv-main62-]
Group: javascript-core-security