Closed Bug 1158569 Opened 6 years ago Closed 6 years ago

Assertion failure: !zone()->runtimeFromMainThread()->isHeapMinorCollecting(), at vm/TypeInference.cpp with --unboxed-objects

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(1 file)

x = []
function g(a) {
    for (var j = 0; j < Object.getOwnPropertyNames(a).length; ++j) {
        n = []
        x.push(n)
        x.push(n)
        x.push(n)
        x.push(n)
    }
}
y = Object.getOwnPropertyNames(this)
for (var i = 0; i < 206; ++i) {
    if (y[i].charCodeAt() < 88) {
        g(SharedUint32Array)
        g(SharedUint32Array.prototype)
    }
}
g = newGlobal()
function f(z) {
    t = {
        e: 1
    }
    Function(z)()
}
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f()
f("startgc(12551)")
f()

asserts js debug shell on m-c changeset f214df6ac75f with --fuzzing-safe --no-threads --baseline-eager --unboxed-objects at Assertion failure: !zone()->runtimeFromMainThread()->isHeapMinorCollecting(), at vm/TypeInference.cpp.

Specifically this build:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015/04/2015-04-25-mozilla-central-debug/jsshell-mac64.zip

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150424042756" and the hash "afef0f347312".
The "bad" changeset has the timestamp "20150424045059" and the hash "2551d444a29b".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=afef0f347312&tochange=2551d444a29b

Brian, is bug 1157809 a likely regressor?
Flags: needinfo?(bhackett1024)
I can't reproduce this, but a stack would probably be enough to figure this out.
I couldn't reproduce either, but download the shell listed in comment 0 and you should be able to reproduce.

(Downloaded shells having no symbols are a different issue)

I seem to see this somewhat often on downloaded shells, setting [fuzzblocker].
Whiteboard: [fuzzblocker]
Attached patch patchSplinter Review
OK, this will probably fix the issue.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8598694 - Flags: review?(terrence)
Attachment #8598694 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/e709b033a56e
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
You need to log in before you can comment on or make changes to this bug.