Closed Bug 1717405 Opened 3 years ago Closed 3 years ago

Assertion failure: map->asLinked()->canSkipMarkingTable(), at gc/Marking.cpp:1569

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
91 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- unaffected
firefox90 --- unaffected
firefox91 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [bugmon:update,bisect])

Attachments

(2 files)

Testcase
(deleted), text/plain
Details
Bug 1717405 - Trigger pre-barrier before mutating the table. r?jonco!
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision 20210620-95970359b68e (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

gczeal(4)
for (;;) {
    a = 37
    b = {}
    do {
        c = Math.random()
        b[c] = a--
    } while (a)
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x5840a0fc in js::GCMarker::eagerlyMarkChildren(js::PropMap*) ()
#1  0x5844de2e in auto JS::MapGCThingTyped<js::GCMarker::traceBarrieredCell(JS::GCCellPtr)::$_7&>(JS::GCCellPtr, js::GCMarker::traceBarrieredCell(JS::GCCellPtr)::$_7&) ()
#2  0x5841ff28 in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) ()
#3  0x584063aa in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) ()
#4  0x58406636 in js::gc::PerformIncrementalBarrier(js::gc::TenuredCell*) ()
#5  0x57ea704b in js::SharedPropMap::addPropertyInternal(JSContext*, JS::MutableHandle<js::SharedPropMap*>, unsigned int*, JS::Handle<JS::PropertyKey>, js::PropertyInfoBase<unsigned int>) ()
#6  0x57ea6a6b in js::SharedPropMap::addProperty(JSContext*, JSClass const*, JS::MutableHandle<js::SharedPropMap*>, unsigned int*, JS::Handle<JS::PropertyKey>, js::PropertyFlags, js::EnumFlags<js::ObjectFlag>*, unsigned int*) ()
#7  0x57efdcff in js::NativeObject::addProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, js::PropertyFlags, unsigned int*) ()
#8  0x57e76463 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) ()
#9  0x57b532af in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) ()
#10 0x57b4d4aa in js::SetObjectElement(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, bool) ()
#11 0x5894cb54 in js::jit::IonSetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonSetPropertyIC*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) ()
#12 0x3577929e in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
eax	0x56758d6f	1450544495
ebx	0x590013ec	1493177324
ecx	0x59002d6c	1493183852
edx	0xf7b58cc7	-139096889
esi	0x0	0
edi	0xf04575b0	-263883344
ebp	0xfffd2878	4294781048
esp	0xfffd2840	4294780992
eip	0x5840a0fc <js::GCMarker::eagerlyMarkChildren(js::PropMap*)+1196>
=> 0x5840a0fc <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_7PropMapE+1196>:	movl   $0x621,0x0
   0x5840a106 <_ZN2js8GCMarker19eagerlyMarkChildrenEPNS_7PropMapE+1206>:	call   0x57a4870e <abort>
Severity: -- → S2
Attached file Testcase (deleted) —

This is probably related to the recent PropMap work.

Flags: needinfo?(jdemooij)

I'll take a look. This is probably a false positive though, the canSkipMarkingTable assertion seems overly strict and keeps biting me when making changes in this area.

Flags: needinfo?(jdemooij)
Group: javascript-core-security
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7aacd5400052 Trigger pre-barrier before mutating the table. r=jonco

https://hg.mozilla.org/mozilla-central/rev/7aacd5400052

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox91: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
status-firefox89: --- → unaffected
status-firefox90: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite+
Regressed by: 1715512
Has Regression Range: --- → yes

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210622212907-536a892dd51f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox91: fixedverified
Keywords: bugmon

This test case seems to be failing intermittently as Bug 1717717

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: