Closed Bug 1120603 Opened 9 years ago Closed 9 years ago

Assertion failure: isNursery == IsInsideNursery(obj), at builtin/TestingFunctions.cpp

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Tracking Status: firefox37 --- unaffected; firefox38 --- disabled

Reporter: gkw (Unassigned)
Keywords: assertion, regression, testcase
Whiteboard: [fuzzblocker]
Attachments: 1 file

(function() {
    try {
        (function() {
            // Cap the heap at one byte above current usage so the next allocation is likely to trigger a GC.
            gcparam('maxBytes', gcparam('gcBytes') + 1)
        })();
        h  // undeclared identifier: throws a ReferenceError that the catch below swallows
    } catch (e) {}
})()
// Request a finalize observer allocated in the nursery; the assertion fires when the object is not actually nursery-allocated.
makeFinalizeObserver('nursery')

asserts js debug shell intermittently on m-c changeset cac64af410a1 with --fuzzing-safe --gc-zeal=7 --no-baseline --ion-offthread-compile=off --ion-eager at Assertion failure: isNursery == IsInsideNursery(obj), at builtin/TestingFunctions.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This is happening regularly, but I don't know if this assert hides anything bad, so setting s-s to be safe first, and setting needinfo? from Jon and Terrence as a start.

autoBisect is running.
Flags: needinfo?(terrence)
Flags: needinfo?(jcoppeard)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x22197, 0x00000001000edf36 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`MakeFinalizeObserver(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 726 at TestingFunctions.cpp:1038, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001000edf36 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`MakeFinalizeObserver(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 726 at TestingFunctions.cpp:1038
    frame #1: 0x000000010074bdac js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(native=0x00000001000edc60)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 76 at jscntxtinlines.h:227
    frame #2: 0x000000010074bd60 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::Invoke(cx=0x0000000101c14e20, args=CallArgs at 0x00007fff5fbfe6d0, construct=<unavailable>) + 560 at Interpreter.cpp:498
    frame #3: 0x000000010076848d js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`Interpret(cx=<unavailable>, state=<unavailable>) + 49405 at Interpreter.cpp:2556
    frame #4: 0x000000010075c369 js-dbg-opt-64-dm-nsprBuild-darwin-cac64af410a1`js::RunScript(cx=0x0000000101c14e20, state=0x00007fff5fbff0d8) + 345 at Interpreter.cpp:448
(lldb)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/311c6349e630
user:        Terrence Cole
date:        Tue Jan 06 15:25:26 2015 -0800
summary:     Bug 1085597 - Expose a nursery finalized class to the fuzzers for fuzzing; r=jonco

Bug 1085597 probably exposed this. Thanks for the fuzzer-friendly function!
This hasn't been enabled yet, I believe.  (In fact, I think the mentioned patch just got backed out.)
(In reply to Andrew McCreight [:mccr8] from comment #3)
> This hasn't been enabled yet, I believe.  (In fact, I think the mentioned
> patch just got backed out.)

I guess, on further reflection, that the presence of the other testing functions makes it impossible to guarantee nursery allocation. I think we'll just have to live with the C++ tests and accept less coverage of this feature.
Group: core-security
Severity: critical → normal
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(terrence)
Resolution: --- → FIXED
Flags: needinfo?(jcoppeard)