Closed Bug 1127581 Opened 9 years ago Closed 9 years ago

"Assertion failure: !empty()" with startgc, oomAfterAllocations

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38

People

(Reporter: jruderman, Assigned: sfink)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

stack
3.13 KB, text/plain
Details
Do not clear slices when failing due to OOM
1.14 KB, patch
terrence
: review+
Details | Diff | Splinter Review
Attached file stack 
startgc(0);
oomAfterAllocations(0);

Assertion failure: !empty(), at Vector.h:422
This blocks fuzzing with oomAfterAllocations.
Flags: needinfo?(terrence)
Whiteboard: [fuzzblocker]
Steve, this looks like more fallout from the statistics changes.
Assignee: nobody → sphink
Flags: needinfo?(sphink)
Well, it's sort of a regression from those changes. It's actually a problem in how I avoided an UnhandleableOOM, which would otherwise break a test. Perhaps I should just have annotated the test to accept a crash, though then it would stop testing what it was testing.

Anyway, it really expects slice 0 to exist, so I should stop wiping them out when seeing an OOM. With this patch, the test case crashes on (a different) UnhandleableOOM. I think that this will be ok for the fuzzers? The problem here was that the OOM was resulting in an out-of-bounds access crash.
Attachment #8557229 - Flags: review?(terrence)
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
Comment on attachment 8557229 [details] [diff] [review]
Do not clear slices when failing due to OOM

Review of attachment 8557229 [details] [diff] [review]:
-----------------------------------------------------------------

wfm
Attachment #8557229 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/530d438655f7
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: