Closed Bug 1556321 Opened 5 years ago Closed 5 years ago

Assertion failure: state == MarkingState::WeakMarking || state == MarkingState::IterativeMarking, at js/src/gc/Marking.cpp:2623

Categories: (Core :: JavaScript: GC, defect)
x86_64, Linux, defect, Not set, critical

Tracking: RESOLVED FIXED, mozilla69
Tracking Status:
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People: (Reporter: gkw, Assigned: sfink)
References: (Regression)
Details: (4 keywords, Whiteboard: [jsbugmon:update])
Attachments: (1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 6d71d3ca0124 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/Memory-drainAllocationsLog-13.js
const root = newGlobal({
    newCompartment: true
});
root.eval("dbg = new Debugger()");
root.dbg.addDebuggee(this);
root.dbg.memory.trackingAllocationSites = true;
// jsfunfuzz-generated
relazifyFunctions('compartment');
print(/x/);
oomTest((function() {
    String.prototype.localeCompare()
}), {
    keepFailing: true
});

Backtrace:

#0 js::GCMarker::leaveWeakMarkingMode (this=0x7f3571b1d6f8) at js/src/gc/Marking.cpp:2621
#1 0x000055cc273092f3 in js::GCMarker::abortLinearWeakMarking (this=<optimized out>) at js/src/gc/GCMarker.h:314
#2 js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry (marker=0x7f3571b1d6f8, key=<optimized out>, markable=...) at js/src/gc/WeakMap-inl.h:200
#3 0x000055cc27307412 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntries (this=<optimized out>, marker=<optimized out>) at js/src/gc/WeakMap-inl.h:245
#4 0x000055cc273062df in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::trace (this=0x7f357132acf0, trc=0x7f3571b1d6f8) at js/src/gc/WeakMap-inl.h:163
#5 0x000055cc270bc3a8 in js::ObjectRealm::trace (this=<optimized out>, trc=<optimized out>) at js/src/vm/Realm.cpp:291
#6 JS::Realm::traceRoots (this=0x7f3571b54000, trc=0x7f3571b1d6f8, traceOrMark=<optimized out>) at js/src/vm/Realm.cpp:330
/snip

For detailed crash information, see attachment.

Setting s-s as a start as this is a GC assert.

This uses the Debugger API, so likely not s-s.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/37f9bd277c34
user: Steve Fink
date: Fri May 31 23:33:48 2019 +0000
summary: Bug 1167452 - Barrier weakmap operations and maintain weak keys table during incremental collections. r=jonco

Steve, is bug 1167452 a likely regressor?

Flags: needinfo?(sphink)

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)

> Steve, is bug 1167452 a likely regressor?

Yes.

This is a harmless assertion. It's from bad logic with respect to when we might abort weak marking, but it actually does the right thing in an opt build. Simple fix, does not need to be hidden.

Group: javascript-core-security
Flags: needinfo?(sphink)
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/585157ab153a Weak marking abort can happen during regular marking phase r=jonco
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/5ec3133f6457 Weak marking abort can happen during regular marking phase: skip if oomTest is not defined. a=test-fix CLOSED TREE
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Assignee: nobody → sphink
Flags: in-testsuite+
Regressed by: 1167452
Backout by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/97ea8a900a18 Backed out 6 changesets (bug 1556321, bug 1556430, bug 1167452) for causing multiple regressions.

More information about the backout in bug 1514421.

Status: RESOLVED → REOPENED
Flags: needinfo?(sphink)
Resolution: FIXED → ---
Target Milestone: mozilla69 → ---

This can be closed again. It was reintroduced by the backout of this bug 1556321, but the backout of https://phabricator.services.mozilla.com/D31958 will fix it, and I won't reland without the fix here.

Status: REOPENED → RESOLVED
Closed: 5 years ago → 5 years ago
Flags: needinfo?(sphink)
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Attachment #9069564 - Attachment is obsolete: true