Closed Bug 1127581 Opened 5 years ago Closed 5 years ago

"Assertion failure: !empty()" with startgc, oomAfterAllocations

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64, macOS
Tracking: RESOLVED FIXED, mozilla38
People: Reporter: jruderman, Assigned: sfink
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [fuzzblocker]
Attachments: 2 files
Attached file stack
startgc(0);
oomAfterAllocations(0);

Assertion failure: !empty(), at Vector.h:422
This blocks fuzzing with oomAfterAllocations.
Flags: needinfo?(terrence)
Whiteboard: [fuzzblocker]
Steve, this looks like more fallout from the statistics changes.
Assignee: nobody → sphink
Flags: needinfo?(sphink)
Well, it's sort of a regression from those changes. It's actually a problem in how I avoided an UnhandleableOOM, which would otherwise break a test. Perhaps I should just have annotated the test to accept a crash, though then it would stop testing what it was testing.

Anyway, it really expects slice 0 to exist, so I should stop wiping them out when seeing an OOM. With this patch, the test case crashes on (a different) UnhandleableOOM. I think that this will be ok for the fuzzers? The problem here was that the OOM was resulting in an out-of-bounds access crash.
Attachment #8557229 - Flags: review?(terrence)
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
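The failure pattern described in the comment above, as an added example that is not part of the bug report and is not SpiderMonkey code: a simplified model in which wiping the recorded slices on OOM leaves later code with no slice 0, next to the patched behaviour of keeping them. All names (GcStats, Slice, beginSlice, endSlice, survivesOom) are hypothetical.

```cpp
// Hypothetical, simplified model of the bug class; not the engine's code.
#include <cstddef>
#include <vector>

struct Slice { int reason; bool finished; };

class GcStats {
    std::vector<Slice> slices_;
    bool aborted_ = false;  // set when statistics bookkeeping hits OOM
    bool clearOnOom_;       // true = behaviour before the patch, false = after
public:
    explicit GcStats(bool clearOnOom) : clearOnOom_(clearOnOom) {}

    // `oom` simulates an allocation failure while recording a slice.
    void beginSlice(int reason, bool oom = false) {
        if (oom) {
            aborted_ = true;
            if (clearOnOom_) slices_.clear();  // "before": also wipes slice 0
            return;
        }
        slices_.push_back(Slice{reason, false});
    }

    // Callers assume slice 0 exists once a GC has started. This model returns
    // false at the point where a debug build would assert !empty() and a
    // release build would read past the end of the vector.
    bool endSlice() {
        if (slices_.empty()) return false;
        slices_.back().finished = true;
        return true;
    }

    bool aborted() const { return aborted_; }
    std::size_t sliceCount() const { return slices_.size(); }
};

// One GC with an OOM on its second slice: does endSlice() still have a
// slice to update, with the abort recorded?
bool survivesOom(bool clearOnOom) {
    GcStats stats(clearOnOom);
    stats.beginSlice(0);
    stats.beginSlice(1, /*oom=*/true);
    return stats.endSlice() && stats.aborted();
}

int main() { return (!survivesOom(true) && survivesOom(false)) ? 0 : 1; }
```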
Comment on attachment 8557229
Do not clear slices when failing due to OOM

Review of attachment 8557229:
-----------------------------------------------------------------

wfm
Attachment #8557229 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/530d438655f7
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38