Closed Bug 1136717 Opened 9 years ago Closed 8 years ago

Assertion failure: phaseNestingDepth == 0, at js/src/gc/Statistics.cpp:1044

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1218900
Tracking Flags:
Tracking Status
firefox39 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:]) 

The following testcase crashes on mozilla-central revision 0a8b3b67715a (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe):

for (var i = 0; i < 9; i++)
  startTimingMutator();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000073cf91 in js::gcstats::Statistics::startTimingMutator (this=<optimized out>) at js/src/gc/Statistics.cpp:1044
1044	    MOZ_ASSERT(phaseNestingDepth == 0);
#0  0x000000000073cf91 in js::gcstats::Statistics::startTimingMutator (this=<optimized out>) at js/src/gc/Statistics.cpp:1044
#1  0x000000000040638f in StartTimingMutator (cx=<optimized out>, argc=<optimized out>, vp=0x1af6b40) at js/src/shell/js.cpp:1830
#2  0x0000000000622784 in js::CallJSNative (cx=0x1a2acb0, native=0x406370 <StartTimingMutator(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:226
#3  0x00000000006021d0 in js::Invoke (cx=0x1a2acb0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498
#4  0x00000000005f7e72 in Interpret (cx=0x1a2acb0, state=...) at js/src/vm/Interpreter.cpp:2601
#5  0x000000000060188b in js::RunScript (cx=cx@entry=0x1a2acb0, state=...) at js/src/vm/Interpreter.cpp:448
#6  0x0000000000601a39 in js::ExecuteKernel (cx=cx@entry=0x1a2acb0, script=script@entry=0x7ffff475d128, scopeChainArg=(JSObject &) @0x7ffff4759060 [object global] delegate, thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:654
#7  0x0000000000601f50 in js::Execute (cx=0x1a2acb0, script=0x7ffff475d128, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:691
#8  0x0000000000a2191b in ExecuteScript (cx=0x1a2acb0, obj=(JSObject * const) 0x7ffff4759060 [object global] delegate, scriptArg=0x7ffff475d128, rval=0x0) at js/src/jsapi.cpp:3994
#9  0x0000000000419386 in RunFile (compileOnly=false, file=0x1b0e820, filename=0x7fffffffe0aa "min.js", obj=..., cx=0x1a2acb0) at js/src/shell/js.cpp:457
#10 Process (cx=cx@entry=0x1a2acb0, obj_=<optimized out>, filename=0x7fffffffe0aa "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:590
#11 0x0000000000426342 in ProcessArgs (op=0x7fffffffdb60, obj_=<optimized out>, cx=0x1a2acb0) at js/src/shell/js.cpp:5780
#12 Shell (op=0x7fffffffdb60, cx=0x1a2acb0, envp=<optimized out>) at js/src/shell/js.cpp:6020
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6362
rax	0x0	0
rbx	0x1af6b40	28273472
rcx	0x7ffff6cb2f4d	140737333899085
rdx	0x0	0
rsi	0x7ffff6f86a80	140737336863360
rdi	0x7ffff6f85180	140737336856960
rbp	0x7fffffffc4d0	140737488340176
rsp	0x7fffffffc4d0	140737488340176
r8	0x7ffff7fe8740	140737354041152
r9	0x72746e65632d616c	8247338199356891500
r10	0x7fffffffc260	140737488339552
r11	0x7ffff6c3a940	140737333406016
r12	0x7fffffffcb30	140737488341808
r13	0x0	0
r14	0x406370	4219760
r15	0x1a2acc8	27438280
rip	0x73cf91 <js::gcstats::Statistics::startTimingMutator()+97>
=> 0x73cf91 <js::gcstats::Statistics::startTimingMutator()+97>:	movl   $0x414,0x0
   0x73cf9c <js::gcstats::Statistics::startTimingMutator()+108>:	callq  0x404ac0 <abort@plt>

Shell-only issue.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b261745c586a
user:        Steve Fink
date:        Tue Nov 18 11:26:11 2014 -0800
summary:     Bug 1088831 - Count storebuffer overflows, account for minor GCs, and implement timed regions, r=jonco

This iteration took 152.713 seconds to run.
Needinfo from sfink based on comment 1 :)
Flags: needinfo?(sphink)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e1ef2be156de).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/40fdcdc3dfbb
user:        Jon Coppeard
date:        Fri Oct 30 09:50:06 2015 +0000
summary:     Bug 1218900 - Make shell function startTimingMutator() fail with an error rather than asserting when called at the wrong time r=sfink

This iteration took 284.975 seconds to run.
Jon, I'm guessing this bug might be a dupe of bug 1218900?
Flags: needinfo?(sphink) → needinfo?(jcoppeard)
Yes, it's the same issue - the test case is equivalent to the one in bug 1218900 comment 4.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(jcoppeard)
You need to log in before you can comment on or make changes to this bug.