Closed
Bug 914614
Opened 11 years ago
Closed 11 years ago
Crash [@ js::gc::StartVerifyPreBarriers] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: decoder, Assigned: terrence)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files)
|
507 bytes,
text/plain
|
Details | |
|
4.43 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe): gczeal(4); oomAfterAllocations(1); var s = new Set;
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
I'm not hitting this one too often, but when I'm trying to isolate another, more important OOM bug, I often end up hitting this one.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/0b4e06782cda user: Steve Fink date: Mon May 20 12:59:55 2013 -0700 summary: Bug 872823 - implement oomAfterAllocations testing function This iteration took 325.707 seconds to run.
|
Assignee | |
Comment 4•11 years ago
|
||
I don't think that bug is the likely culprit, will try to investigate further today.
Assignee: general → terrence
|
|
Assignee | |
Comment 5•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df This is failing the alloc for the verifier data, which is not currently guarded against OOM. With GGC enabled, this migrates into the middle of Nursery::collect, where OOM is immediately fatal. To address the test failure on SM(ggc), I've added an AutoEnterOOMUnsafeRegion, which disables OOM debugging while live.
Attachment #807447 -
Flags: review?(wmccloskey)
Comment on attachment 807447 [details] [diff] [review] fuzz_914614-v0.diff Review of attachment 807447 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the late review. ::: js/public/Utility.h @@ +80,5 @@ > extern JS_PUBLIC_DATA(uint32_t) OOM_maxAllocations; /* set in builtins/TestingFunctions.cpp */ > extern JS_PUBLIC_DATA(uint32_t) OOM_counter; /* data race, who cares. */ > > +/* Disable OOM testing in sections which are not OOM safe. */ > +class JS_PUBLIC_API(AutoEnterOOMUnsafeRegion) There's no reason this needs to be part of the public API. Can you move it somewhere else? I think jsgc.h would be fine for now. Also, it should be in a the js:: namespace.
Attachment #807447 -
Flags: review?(wmccloskey) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
Right, OOM_max_allocations is extern, so we can set it from wherever. Thanks, Bill, that's much nicer! https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df https://hg.mozilla.org/integration/mozilla-inbound/rev/009c19c0af05
https://hg.mozilla.org/mozilla-central/rev/009c19c0af05
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in
before you can comment on or make changes to this bug.
Description
•