1148925 - Assertion failure: zone->runtimeFromAnyThread()->gc.nursery.isEmpty(), at jsgcinlines.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: jit-test/tests/debug/Memory-onGarbageCollection-04.js
x = newGlobal()
y = Debugger(x)
y.memory.onGarbageCollection = (function() {});
gcslice(2)
// Randomly chosen test: js/src/jit-test/tests/debug/Debugger-findScripts-20.js
y.findScripts()

asserts js debug shell on m-c changeset 385840329d91 with --fuzzing-safe --no-threads --no-ion at Assertion failure: zone->runtimeFromAnyThread()->gc.nursery.isEmpty(), at jsgcinlines.h.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 385840329d91

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/578ba1506156
user:        Nick Fitzgerald
date:        Fri Mar 13 13:03:00 2015 +0100
summary:     Bug 1137844 - Part 3: Fire the Debugger.Memory.prototype.onGarbageCollection hook after GCs; r=sfink

Nick, is bug 1137844 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0xc727f, 0x0000000100880d31 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(this=<unavailable>, zone=<unavailable>, kind=<unavailable>) + 241 at jsgcinlines.h:260, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100880d31 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(this=<unavailable>, zone=<unavailable>, kind=<unavailable>) + 241 at jsgcinlines.h:260
    frame #1: 0x000000010019cf8f js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::IterateScripts(JSRuntime*, JSCompartment*, void*, void (*)(JSRuntime*, void*, JSScript*)) [inlined] JSCompartment::zone(this=0x0000000000000000, this=<unavailable>, zone=<unavailable>, kind=<unavailable>) + 21 at jsgcinlines.h:263
    frame #2: 0x000000010019cf7a js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::IterateScripts(rt=0x0000000102861000, compartment=0x0000000102883000, data=0x00007fff5fbfd9c8, scriptCallback=0x0000000100285110)(JSRuntime*, void*, JSScript*)) + 122 at Iteration.cpp:101
    frame #3: 0x0000000100247cd3 js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::Debugger::ScriptQuery::findScripts(this=0x00007fff5fbfd9c8, v=0x00007fff5fbfd918) + 243 at Debugger.cpp:3410
    frame #4: 0x00000001001f3c8d js-dbg-64-dm-nsprBuild-darwin-385840329d91`js::Debugger::findScripts(cx=0x00000001028a5180, argc=<unavailable>, vp=0x00000001039950a0) + 909 at Debugger.cpp:3662
(lldb)

Comment 2

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

Yeah, this is because we shouldn't be calling back into JS at the end of a GC like we are in the onGarbageCollection hook. I'm working on a patch to dispatch runnables to gecko that call back into SM to fire the hook.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Assigning to :fitzgen as per comment 2.

Comment 4

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f578b845c4b8).

Comment 5

[Nick Fitzgerald [:fitzgen] [⏰PST; UTC-8]]

Fixed in bug 1150253