Assertion failure: zoneIsDead, at js/src/gc/GC.cpp:2083
Categories: Core :: JavaScript: GC, defect, P1
Tracking:
People: Reporter: gkw, Assigned: jonco
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-esr102.5+]
Attachments (2 files):
- (deleted), text/x-phabricator-request | dmeehan: approval-mozilla-beta+, dmeehan: approval-mozilla-esr102+ | Details
- (deleted), text/plain | Details
gcslice(0);
evalcx("lazy");
abortgc();
(gdb) bt
#0 js::gc::GCRuntime::sweepZones (this=this@entry=0x7ffff6c18778, gcx=gcx@entry=0x7ffff6c18790, destroyingRuntime=true) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:2083
#1 0x00005555575ed24f in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff6c18778, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, budgetWasIncreased=false) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3356
#2 0x00005555575f0114 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6c18778, nonincrementalByAPI=false, budgetArg=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3841
#3 0x00005555575f12c6 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6c18778, nonincrementalByAPI=<optimized out>, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4029
#4 0x00005555575c6d48 in js::gc::GCRuntime::gc (this=0x7ffff6c18778, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4106
#5 0x000055555708eef1 in JSRuntime::destroyRuntime (this=0x7ffff6c18000) at /home/skygentoo/trees/mozilla-central/js/src/vm/Runtime.cpp:266
#6 0x0000555556f3d056 in js::DestroyContext (cx=cx@entry=0x7ffff6c2a100) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:225
#7 0x00005555572a470a in JS_DestroyContext (cx=0x7ffff7c12a40 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6c2a100) at /home/skygentoo/trees/mozilla-central/js/src/jsapi.cpp:400
#8 0x0000555556c0cd07 in main::$_3::operator() (this=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12120
#9 mozilla::ScopeExit<main::$_3>::~ScopeExit (this=<optimized out>) at /home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-321d39a49683/objdir-js/dist/include/mozilla/ScopeExit.h:106
#10 main (argc=<optimized out>, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12330
(gdb)
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/2815b08bfbd2
user: Jon Coppeard
date: Mon Oct 17 17:09:07 2022 +0000
summary: Bug 1791975 - Don't sweep realms that were allocated during incremental GC r=jandem
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 321d39a49683.
Setting s-s just-in-case. Jon, is bug 1791975 a likely regressor? FYI bug 1791975 seems to be a restricted bug.
Comment 1•2 years ago
We have the same failure (49 individual occurrences) in our fuzzing CI already, first entry is from 10/18/2022 23:57. We just haven't filed it yet.
Comment 2•2 years ago
jsfunfuzz in our automation found this on Wed, 19 Oct 2022 13:49:46 +0000 (task dVHkn3rCTYOaHBVaghgIRA, crash id 6124140) with this test (unbeautified / unreduced):
try{{gcslice(3)}}catch(e){}try{"";v=evalcx("",this.g)}catch(e){}try{"";{void abortgc()}}catch(e){}
Comment 3•2 years ago
GC can be aborted in several states and zones; GCRuntime::finishCollection doesn't always get called. It's easier to clear this state in a single place at the start.
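An added toy model of the pattern described in this comment; it is not SpiderMonkey code, and the per-realm flag, its meaning and the method names are assumptions chosen for illustration. It shows why per-cycle state that is only cleared by the end-of-cycle finisher survives an aborted cycle and contaminates the next one, and why resetting it at the start of every cycle is the robust choice. The repro's gcslice/evalcx/abortgc sequence followed by the shutdown GC is replayed against both variants.

```cpp
// Toy model (added illustration, not SpiderMonkey code) of "clear per-cycle
// state at the start of a collection, not at the end".
#include <cassert>
#include <iostream>
#include <vector>

struct Realm {
    // Hypothetical per-realm flag: "created while a GC cycle was in progress".
    bool allocatedDuringIncrementalGC = false;
};

enum class Phase { NotActive, Marking, Sweeping };

struct ToyGC {
    bool resetAtStart;            // true = fixed behaviour, false = buggy behaviour
    Phase phase = Phase::NotActive;
    std::vector<Realm> realms;

    explicit ToyGC(bool fixed) : resetAtStart(fixed) {}

    // gcslice(): start an incremental cycle.
    void beginCycle() {
        if (resetAtStart) {
            // Fixed variant: state is reset here, so an earlier aborted cycle
            // cannot leave anything behind.
            for (Realm& r : realms) r.allocatedDuringIncrementalGC = false;
        }
        phase = Phase::Marking;
    }

    // evalcx(): create a new realm, possibly while a cycle is in progress.
    void newRealm() {
        Realm r;
        r.allocatedDuringIncrementalGC = (phase != Phase::NotActive);
        realms.push_back(r);
    }

    // abortgc(): drop the cycle without ever reaching finishCollection().
    void abortCycle() { phase = Phase::NotActive; }

    // Buggy variant clears state only here, which an abort skips entirely.
    void finishCollection() {
        for (Realm& r : realms) r.allocatedDuringIncrementalGC = false;
        phase = Phase::NotActive;
    }

    // Shutdown GC: every realm must be sweepable, so none may still carry a
    // "created during GC" flag from a previous cycle. Returns false where the
    // real engine would hit an assertion.
    bool shutdownSweepIsConsistent() {
        beginCycle();
        phase = Phase::Sweeping;
        for (const Realm& r : realms) {
            if (r.allocatedDuringIncrementalGC) return false;
        }
        finishCollection();
        return true;
    }
};

// Replay the repro: gcslice, evalcx, abortgc, then the DESTROY_RUNTIME GC.
bool replayRepro(bool fixed) {
    ToyGC gc(fixed);
    gc.beginCycle();   // gcslice(0)
    gc.newRealm();     // evalcx("lazy")
    gc.abortCycle();   // abortgc()
    return gc.shutdownSweepIsConsistent();  // destroyRuntime -> sweepZones
}

int main() {
    std::cout << "clear-at-end:   " << (replayRepro(false) ? "ok" : "stale state")
              << "\nclear-at-start: " << (replayRepro(true) ? "ok" : "stale state")
              << '\n';
    return 0;
}
```

The buggy variant fails because the only place the flag is cleared sits after a point the aborted cycle never reaches; the fixed variant is correct regardless of how the previous cycle ended, which is the invariant the comment is after.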
Comment 4•2 years ago
Setting the Severity to S2 since this is a sec-high bug and priority to P1.
Comment 5•2 years ago
Clear realm incremental marking state at the start of GC rather than at the end r=jandem
https://hg.mozilla.org/integration/autoland/rev/06a04592c4e907bd29a6d4fd919f71709d0c0920
https://hg.mozilla.org/mozilla-central/rev/06a04592c4e9
Comment 6•2 years ago
Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Required for uplift of bug 1791975.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a simple change to clear the new Realm state added by bug 1791975 in a single place to ensure it always happens.
- String changes made/needed: None
- Is Android affected?: Yes
Comment 7•2 years ago
Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem
Approved for 107.0b6.
Comment 8•2 years ago
uplift
Comment 9•2 years ago
Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Required for uplift of bug 1791975.
- User impact if declined:
- Fix Landed on Version: 108 (uplifted to 107)
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a simple change to clear the new Realm state added by bug 1791975 in a single place to ensure it always happens.
Comment 10•2 years ago
Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem
Approved for 102.5esr.
Comment 11•2 years ago
uplift