Closed Bug 1796901 (CVE-2022-45409) Opened 2 years ago Closed 2 years ago

Assertion failure: zoneIsDead, at js/src/gc/GC.cpp:2083

Categories

(Core :: JavaScript: GC, defect, P1)

All
Linux
defect

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 107+ fixed
firefox106 --- unaffected
firefox107 + fixed
firefox108 + fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-esr102.5+])

Attachments

(2 files)

gcslice(0);
evalcx("lazy");
abortgc();
(gdb) bt
#0  js::gc::GCRuntime::sweepZones (this=this@entry=0x7ffff6c18778, gcx=gcx@entry=0x7ffff6c18790, destroyingRuntime=true) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:2083
#1  0x00005555575ed24f in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff6c18778, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, budgetWasIncreased=false) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3356
#2  0x00005555575f0114 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6c18778, nonincrementalByAPI=false, budgetArg=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3841
#3  0x00005555575f12c6 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6c18778, nonincrementalByAPI=<optimized out>, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4029
#4  0x00005555575c6d48 in js::gc::GCRuntime::gc (this=0x7ffff6c18778, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:4106
#5  0x000055555708eef1 in JSRuntime::destroyRuntime (this=0x7ffff6c18000) at /home/skygentoo/trees/mozilla-central/js/src/vm/Runtime.cpp:266
#6  0x0000555556f3d056 in js::DestroyContext (cx=cx@entry=0x7ffff6c2a100) at /home/skygentoo/trees/mozilla-central/js/src/vm/JSContext.cpp:225
#7  0x00005555572a470a in JS_DestroyContext (cx=0x7ffff7c12a40 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6c2a100) at /home/skygentoo/trees/mozilla-central/js/src/jsapi.cpp:400
#8  0x0000555556c0cd07 in main::$_3::operator() (this=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12120
#9  mozilla::ScopeExit<main::$_3>::~ScopeExit (this=<optimized out>) at /home/skygentoo/shell-cache/js-dbg-64-linux-x86_64-321d39a49683/objdir-js/dist/include/mozilla/ScopeExit.h:106
#10 main (argc=<optimized out>, argv=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/shell/js.cpp:12330
(gdb)
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/2815b08bfbd2
user:        Jon Coppeard
date:        Mon Oct 17 17:09:07 2022 +0000
summary:     Bug 1791975 - Don't sweep realms that were allocated during incremental GC r=jandem

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-debug --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 321d39a49683.

Setting s-s just-in-case. Jon, is bug 1791975 a likely regressor? FYI bug 1791975 seems to be a restricted bug.

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)

We have the same failure (49 individual occurrences) in our fuzzing CI already, first entry is from 10/18/2022 23:57. We just haven't filed it yet.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Regressed by: CVE-2022-45406

jsfunfuzz in our automation found this on Wed, 19 Oct 2022 13:49:46 +0000 (task dVHkn3rCTYOaHBVaghgIRA, crash id 6124140) with this test (unbeautified / unreduced):

try{{gcslice(3)}}catch(e){}try{"";v=evalcx("",this.g)}catch(e){}try{"";{void abortgc()}}catch(e){}

Flags: sec-bounty?

GC can be aborted in several states and zones GCRuntime::finishCollection doesn't always get called. It's easier to clear this state in a single place at the start.

Keywords: sec-high
Group: core-security → javascript-core-security
Keywords: csectype-uaf

Setting the Severity to S2 since this is a sec-high bug and priority to P1.

Severity: -- → S2
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem

Beta/Release Uplift Approval Request

  • User impact if declined: Required for uplift of bug 1791975.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change to clear the new Realm state added by bug 1791975 in a single place to ensure it always happens.
  • String changes made/needed: None
  • Is Android affected?: Yes
Attachment #9299880 - Flags: approval-mozilla-beta?

Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem

Approved for 107.0b6.

Attachment #9299880 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Required for uplift of bug 1791975.
  • User impact if declined:
  • Fix Landed on Version: 108 (uplifted to 107)
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a simple change to clear the new Realm state added by bug 1791975 in a single place to ensure it always happens.
Attachment #9299880 - Flags: approval-mozilla-esr102?

Comment on attachment 9299880 [details]
Bug 1796901 - Clear realm incremental marking state at the start of GC rather than at the end r?jandem

Approved for 102.5esr.

Attachment #9299880 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-esr102.5+]
Attached file advisory.txt (deleted)
Alias: CVE-2022-45409
Group: core-security-release