Bug 1134150 (Closed)
Opened 9 years ago
Closed 9 years ago
Assertion failure: !zone()->runtimeFromMainThread()->isHeapMinorCollecting(), at js/src/vm/TypeInference.cpp:3794 with --unboxed-objects
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla39
People: Reporter: decoder, Assigned: bhackett1024
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 3.73 KB, jandem: review+
The following testcase crashes on mozilla-central revision 09f4968d5f42 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --unboxed-objects):

gczeal(10, 2)
function Thing(a, b) {
  this.a = a;
}
var array = [];
for (var i = 0; "b" || "Passed" ; i++)
  array.push(new Thing(i, i + 1));

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000070ac83 in js::ObjectGroup::maybeSweep (this=this@entry=0x7ffff50570a0, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:3794
#0  0x000000000070ac83 in js::ObjectGroup::maybeSweep (this=this@entry=0x7ffff50570a0, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:3794
#1  0x00000000005b403b in maybeUnboxedLayout (this=<optimized out>) at js/src/vm/ObjectGroup.h:283
#2  unboxedLayout (this=<optimized out>) at js/src/vm/ObjectGroup.h:289
#3  layout (this=0x7ffff5100000) at js/src/vm/UnboxedObject.h:159
#4  GetObjectAllocKindForCopy (obj=0x7ffff5100000, nursery=...) at js/src/gc/Nursery.cpp:425
#5  js::Nursery::moveToTenured (this=this@entry=0x19af770, trc=trc@entry=0x7fffffffd0b0, src=src@entry=0x7ffff5100000) at js/src/gc/Nursery.cpp:634
#6  0x00000000005b4f31 in js::Nursery::MinorGCCallback (jstrc=0x7fffffffd0b0, thingp=0x7fffffffcd70, kind=<optimized out>) at js/src/gc/Nursery.cpp:760
#7  0x00000000005812a9 in MarkInternal<JSObject> (trc=trc@entry=0x7fffffffd0b0, thingp=0x7fffffffcd70) at js/src/gc/Marking.cpp:290
#8  0x000000000059a5fe in js::gc::MarkKind (trc=trc@entry=0x7fffffffd0b0, thingp=thingp@entry=0x7fffffffcd70, kind=<optimized out>) at js/src/gc/Marking.cpp:633
#9  0x000000000059a78d in MarkValueInternal (trc=0x7fffffffd0b0, v=0x1a4d748) at js/src/gc/Marking.cpp:758
#10 0x000000000059ba37 in js::gc::MarkArraySlots (trc=trc@entry=0x7fffffffd0b0, len=1101, vec=<optimized out>, name=name@entry=0xd04d41 "objectElements") at js/src/gc/Marking.cpp:909
#11 0x0000000000a50e33 in JSObject::markChildren (this=<optimized out>, trc=trc@entry=0x7fffffffd0b0) at js/src/jsobj.cpp:4095
#12 0x000000000059c0f3 in js::gc::MarkChildren (trc=trc@entry=0x7fffffffd0b0, obj=<optimized out>) at js/src/gc/Marking.cpp:1323
#13 0x0000000000755070 in js::gc::StoreBuffer::WholeCellEdges::mark (this=this@entry=0x19d10b8, trc=trc@entry=0x7fffffffd0b0) at js/src/gc/StoreBuffer.cpp:57
#14 0x00000000007a6d61 in js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::WholeCellEdges>::mark (this=this@entry=0x19b2970, owner=owner@entry=0x19af868, trc=trc@entry=0x7fffffffd0b0) at js/src/gc/StoreBuffer.cpp:94
#15 0x00000000005b576f in markWholeCells (trc=0x7fffffffd0b0, this=0x19af868) at js/src/gc/StoreBuffer.h:476
#16 js::Nursery::collect (this=this@entry=0x19af770, rt=0x19af3f0, reason=reason@entry=JS::gcreason::DEBUG_GC, pretenureGroups=pretenureGroups@entry=0x0) at js/src/gc/Nursery.cpp:812
#17 0x0000000000a431e7 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x19af718, reason=reason@entry=JS::gcreason::DEBUG_GC, pretenureGroups=pretenureGroups@entry=0x0) at js/src/jsgc.cpp:6358
#18 0x00000000005c8ce4 in js::gc::GCRuntime::evictNursery (this=0x19af718, reason=JS::gcreason::DEBUG_GC) at js/src/gc/GCRuntime.h:618
#19 0x0000000000a85728 in js::gc::GCRuntime::gcCycle (this=this@entry=0x19af718, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:5976
#20 0x0000000000a85c1d in js::gc::GCRuntime::collect (this=this@entry=0x19af718, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6149
#21 0x0000000000a86ecf in js::gc::GCRuntime::runDebugGC (this=this@entry=0x19af718) at js/src/jsgc.cpp:6592
#22 0x0000000000986f99 in CheckAllocatorState<(js::AllowGC)1> (kind=js::gc::FINALIZE_OBJECT0_BACKGROUND, cx=0x19db900) at js/src/jsgcinlines.h:447
#23 AllocateObject<(js::AllowGC)1> (clasp=0x19536a0 <js::UnboxedPlainObject::class_>, heap=js::gc::DefaultHeap, nDynamicSlots=0, kind=js::gc::FINALIZE_OBJECT0_BACKGROUND, cx=<optimized out>) at js/src/jsgcinlines.h:503
#24 NewGCObject<(js::AllowGC)1> (clasp=<optimized out>, heap=<optimized out>, nDynamicSlots=0, kind=js::gc::FINALIZE_OBJECT0_BACKGROUND, cx=<optimized out>) at js/src/jsgcinlines.h:616
#25 js::jit::NewGCObject (cx=0x19db900, allocKind=js::gc::FINALIZE_OBJECT0_BACKGROUND, initialHeap=js::gc::DefaultHeap, clasp=0x19536a0 <js::UnboxedPlainObject::class_>) at js/src/jit/VMFunctions.cpp:94
#26 0x00007ffff7e3021f in ?? ()
#27 0x0000000000000000 in ?? ()
Updated • 9 years ago
Flags: needinfo?(bhackett1024)

Comment 1 (Assignee) • 9 years ago
Normally we sweep before accessing the unboxed layout because if we OOM while sweeping the layout's TypeNewScript might disappear. During tracing though, only immutable members of the UnboxedLayout are accessed (the UnboxedLayout itself is never removed from an ObjectGroup).
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8567724 - Flags: review?(jdemooij)
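Comment 1 describes a lazily-sweeping accessor being reached from the nursery copy path while a minor GC is in progress (frames #0 to #5 of the backtrace). The C++ model below is added here and is not SpiderMonkey's code: it shows a sweeping accessor that must not run while the heap is minor-collecting, beside a tracing-safe accessor that reads only the layout's immutable members. Every type and function name in it is a constructed stand-in, not an engine identifier.

```cpp
#include <cstddef>

// Constructed model (not SpiderMonkey code) of the hazard in this bug: a
// lazily-sweeping accessor reached from the minor-GC tracing path.
struct Runtime { bool heapMinorCollecting = false; };  // isHeapMinorCollecting()

struct UnboxedLayout {
    size_t size;        // immutable after creation: safe to read while tracing
    void* newScript;    // mutable: a sweep that hits OOM may clear it
};

struct ObjectGroup {
    Runtime* rt;
    UnboxedLayout* layout;  // never removed from the group once set

    // Lazy sweep. The real engine asserts !isHeapMinorCollecting() here; the
    // model reports the violation through its return value instead of aborting.
    bool maybeSweep() {
        if (rt->heapMinorCollecting)
            return false;
        // ... sweeping of mutable type information would happen here ...
        return true;
    }

    // Pre-fix style accessor: sweep first so callers never see stale state.
    // Yields nullptr where the real code would have hit the assertion.
    UnboxedLayout* unboxedLayoutSweeping() {
        return maybeSweep() ? layout : nullptr;
    }

    // Tracing-safe accessor: reads only the immutable pointer, never sweeps.
    UnboxedLayout* unboxedLayoutNoSweep() const { return layout; }
};

// Stand-in for GetObjectAllocKindForCopy: only the immutable size is needed.
size_t allocSizeForCopy(ObjectGroup& g, bool tracingSafe) {
    UnboxedLayout* l = tracingSafe ? g.unboxedLayoutNoSweep() : g.unboxedLayoutSweeping();
    return l ? l->size : 0;  // 0 models "assertion would have fired"
}

// Runs both accessors during a simulated minor GC. Returns true when the
// tracing-safe path succeeds while the sweeping path would have asserted.
bool demonstrateMinorGcHazard() {
    Runtime rt;
    UnboxedLayout layout{24, nullptr};
    ObjectGroup group{&rt, &layout};
    rt.heapMinorCollecting = true;  // as inside Nursery::collect
    return allocSizeForCopy(group, false) == 0 && allocSizeForCopy(group, true) == 24;
}
```

Outside a collection both accessors agree; the model only diverges once the minor-GC flag is set, which is exactly the window the assertion in the title guards.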
Updated • 9 years ago
Attachment #8567724 - Flags: review?(jdemooij) → review+
Comment 2 (Assignee) • 9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/5ccd73fbf0e6
https://hg.mozilla.org/mozilla-central/rev/5ccd73fbf0e6
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39