1104162 - Assertion failure: !phaseStartTimes[phase], at gc/Statistics.cpp

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Random chosen test: js/src/jit-test/tests/gc/bug-880776.js
gczeal(11);
// Random chosen test: js/src/jit-test/tests/debug/breakpoint-multi-03.js
g = newGlobal()
g.eval("undefined;function f(){}")
Debugger(g).onDebuggerStatement = function(x) {
    x.eval("f").return.script.setBreakpoint(0, {})
}
g.eval("debugger")

asserts js debug shell on m-c changeset b8240bb9ae4f with --no-ion --no-threads at Assertion failure: !phaseStartTimes[phase], at gc/Statistics.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/8c02f3280d0c/js/src/jit-test/tests/gc/bug-880776.js
http://hg.mozilla.org/mozilla-central/file/8c02f3280d0c/js/src/jit-test/tests/debug/breakpoint-multi-03.js

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20141121140649" and the hash "59f27b833c36".
The "bad" changeset has the timestamp "20141121141302" and the hash "b261745c586a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=59f27b833c36&tochange=b261745c586a

Steve, is bug 1088831 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x3eeab2, 0x00000001001954da js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::gcstats::Statistics::beginPhase(this=<unavailable>, phase=<unavailable>) + 442 at Statistics.cpp:873, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001001954da js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::gcstats::Statistics::beginPhase(this=<unavailable>, phase=<unavailable>) + 442 at Statistics.cpp:873
    frame #1: 0x00000001001995ed js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::gc::GCRuntime::endVerifyPostBarriers() [inlined] js::gcstats::AutoPhase::AutoPhase(this=0x00000001020262b0, stats=<unavailable>, phase=<unavailable>) + 189 at Statistics.h:262
    frame #2: 0x00000001001995c0 js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::gc::GCRuntime::endVerifyPostBarriers() [inlined] js::gcstats::AutoPhase::AutoPhase(this=0x00000001020262b0, stats=<unavailable>, phase=<unavailable>) at Statistics.h:263
    frame #3: 0x00000001001995c0 js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::gc::GCRuntime::endVerifyPostBarriers(this=0x000000010201ff48) + 144 at Verifier.cpp:507
    frame #4: 0x00000001001748ca js-dbg-opt-64-dm-nsprBuild-darwin-b8240bb9ae4f`js::Nursery::collect(JSRuntime*, JS::gcreason::Reason, js::Vector<js::types::TypeObject*, 0ul, js::SystemAllocPolicy>*) [inlined] js::gc::AutoStopVerifyingBarriers::AutoStopVerifyingBarriers(rt=0x000000010201fc00, isShutdown=<unavailable>) + 22 at GCInternals.h:115
(lldb)

Comment 2

[Jon Coppeard (:jonco)]

Attachment: bug1104162-phase-assertion

The problem is that GCRuntime::endVerifyPostBarriers() enters the PHASE_MINOR_GC stats phase, but can be called from within minor GC.

The patch changes where minor GC enters this phase to be after endVerifyPostBarriers() has been called.

Comment 3

[Jon Coppeard (:jonco)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/325de614e5ba

Comment 4

[Steve Fink [:sfink] [:s:]]

Thanks, Jon.

Comment 5

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/325de614e5ba