Assertion failure: CurrentThreadIsGCSweeping(), at gc/Barrier.h involving oomAfterAllocations

RESOLVED FIXED in Firefox 40

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: gkw, Assigned: jonco)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla40
x86_64
Mac OS X

Firefox Tracking Flags

(firefox40 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
"".search(function() {})
r = /x/
x = [/y/]
oomAfterAllocations(5)
x.v = function() {}
a = /z/

asserts js debug shell on m-c changeset eb3a1c0262e4 with --fuzzing-safe --no-threads --no-baseline --ion-eager at Assertion failure: CurrentThreadIsGCSweeping(), at gc/Barrier.h.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r eb3a1c0262e4

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150409100834" and the hash "e1fc8574a62e".
The "bad" changeset has the timestamp "20150409101534" and the hash "909e17a7edb7".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e1fc8574a62e&tochange=909e17a7edb7

Jon, is bug 1149526 a likely regressor?
Flags: needinfo?(jcoppeard)
(Reporter)

Comment 1

3 years ago
Created attachment 8591184 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x1d735b, 0x0000000100281ccf js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared() + 52 at Barrier.h:519, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100281ccf js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared() + 52 at Barrier.h:519
    frame #1: 0x0000000100281c9b js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared() [inlined] js::HeapPtr<js::jit::JitCode*>::~HeapPtr() at Barrier.h:518
    frame #2: 0x0000000100281c9b js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared() at RegExpObject.h:126
    frame #3: 0x0000000100281c9b js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared() [inlined] js::RegExpShared::RegExpCompilation::~RegExpCompilation() at RegExpObject.h:126
    frame #4: 0x0000000100281c9b js-dbg-64-dm-nsprBuild-darwin-eb3a1c0262e4`js::RegExpShared::~RegExpShared(this=<unavailable>) + 171 at RegExpObject.cpp:575
(lldb)
(Assignee)

Comment 2

3 years ago
Created attachment 8591519 [details] [diff] [review]
bug1153498-reg-exp-fuzz-bug

The fuzzers found that RegExpShared can get destroyed outside of GC too.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8591519 - Flags: review?(terrence)
Comment on attachment 8591519 [details] [diff] [review]
bug1153498-reg-exp-fuzz-bug

Review of attachment 8591519 [details] [diff] [review]:
-----------------------------------------------------------------

By the name, I guess RegExpShared would probably be better off as a GC thing in the long run.
Attachment #8591519 - Flags: review?(terrence) → review+
(Assignee)

Comment 4

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/607cfbb06eb8
Backed out for making WinXP debug jit-tests perma-timeout.
https://hg.mozilla.org/integration/mozilla-inbound/rev/6e139783c7cf

https://treeherder.mozilla.org/logviewer.html#?job_id=8812061&repo=mozilla-inbound
(Assignee)

Comment 6

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b4011af12ee9
(Assignee)

Updated

3 years ago
Depends on: 1154692
https://hg.mozilla.org/mozilla-central/rev/b4011af12ee9
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40