Closed Bug 1570465 Opened 5 years ago Closed 5 years ago

Assertion failure: !hasBlackEntries(), at js/src/gc/Marking.cpp:2474

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: gkw, Assigned: sfink)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 1e64b8a0c546 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/weak-marking-varying.js
let g = newGlobal();
g.eval('enqueueMark("set-color-gray")'); // queue a mark-queue entry that switches the marker to gray
g.eval('enqueueMark("yield")');          // queue a yield so mark-queue processing pauses there
gcslice(100000);                         // run an incremental GC slice; the slice processes the mark queue
g.eval("");

Backtrace:

#0  js::GCMarker::setMarkColorGray (this=0x7feb634276f8) at js/src/gc/Marking.cpp:2474
#1  0x00005639d5c2a94e in js::GCMarker::setMarkColor (this=<optimized out>, newColor=<optimized out>) at js/src/gc/Marking.cpp:2469
#2  js::gc::AutoSetMarkColor::AutoSetMarkColor (this=<optimized out>, marker=..., newColor=js::gc::MarkColor::Gray) at js/src/gc/GCMarker.h:475
#3  js::GCMarker::processMarkQueue (this=0x7feb634276f8) at js/src/gc/Marking.cpp:1508
#4  0x00005639d5c2c80e in js::gc::GCRuntime::markUntilBudgetExhausted (this=<optimized out>, sliceBudget=..., phase=js::gcstats::PhaseKind::SWEEP_MARK) at js/src/gc/GC.cpp:6162
/snip

For detailed crash information, see attachment.

Setting s-s as a start as this is a GC assert.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4ad75b878827
user: Steve Fink
date: Wed Jul 24 14:29:22 2019 -0700
summary: Backed out changeset 617df479fac1 (bug 1167452)

Steve, not sure if this is correct? Which is the actual regressor?

Flags: needinfo?(sphink)
Type: task → defect

Actual regressing patch is https://hg.mozilla.org/mozilla-central/rev/d5c768b50d69599582f6bff5376fa5acc300fa3e but the regression is correct; 617df479fac1 allowed marking black during gray marking, so backing that out broke this.

This is test-only.

Group: javascript-core-security
Flags: needinfo?(sphink)

Steve, it seems that this patch is r+, is there a reason not to land it yet? (which would remove it from our regression triage list weekly meeting ;) ) Thanks

Flags: needinfo?(sphink)
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2909b0a1eb06
Postpone switching to gray as long as black is on the mark stack r=jonco
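As an added illustration of the invariant behind comment 3 and the summary of the landed fix: a constructed C++ model, not SpiderMonkey's marker, whose names only mirror the frames in the backtrace. The failed "assertion" is modelled as a false return so the two orderings can be compared.

```cpp
#include <deque>

// Constructed toy model of the marker invariant; not SpiderMonkey code.
enum class MarkColor { Black, Gray };
struct MarkStackEntry {
  int cell;         // placeholder for a GC cell
  MarkColor color;  // colour this entry still has to be marked with
};

class ToyMarker {
 public:
  std::deque<MarkStackEntry> stack;   // the mark stack
  MarkColor color = MarkColor::Black; // current mark colour

  bool hasBlackEntries() const {
    for (const auto& e : stack)
      if (e.color == MarkColor::Black) return true;
    return false;
  }
  // Models setMarkColorGray, where the real code asserts !hasBlackEntries().
  // A false return stands in for that assertion firing.
  bool setMarkColor(MarkColor newColor) {
    if (newColor == MarkColor::Gray && hasBlackEntries()) return false;
    color = newColor;
    return true;
  }
  void pushBlack(int cell) { stack.push_back({cell, MarkColor::Black}); }
  // Stands in for doing the pending black marking work until none is left.
  void drainBlackEntries() {
    std::deque<MarkStackEntry> remaining;
    for (const auto& e : stack)
      if (e.color != MarkColor::Black) remaining.push_back(e);
    stack.swap(remaining);
  }
};

// Pre-fix ordering: a "set-color-gray" queue entry switches at once, even
// with black entries still on the mark stack, which is what the testcase hits.
bool processMarkQueueSwitchImmediately(ToyMarker& m) {
  return m.setMarkColor(MarkColor::Gray);
}

// Ordering described by the landed fix: postpone the switch to gray as long
// as black is on the mark stack.
bool processMarkQueueSwitchPostponed(ToyMarker& m) {
  if (m.hasBlackEntries()) m.drainBlackEntries();
  return m.setMarkColor(MarkColor::Gray);
}
```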

(In reply to Pascal Chevrel:pascalc from comment #5)

Steve, it seems that this patch is r+, is there a reason not to land it yet? (which would remove it from our regression triage list weekly meeting ;) )

Sorry, I should have left instructions. I've been on PTO for the last 8 days. I just landed it.

(Ugh, and it seems like I have my bugzilla accounts tangled up somehow.)

Flags: needinfo?(sphink)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Assignee: nobody → sphink

Doesn't sound like we need to backport this given comment 3.
