Closed Bug 1183195 Opened 6 years ago Closed 6 years ago

Assertion failure: !nurseryKeys.empty(), at js/src/vm/ArrayBufferObject.cpp:1131 with OOM

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect; Priority: Not set; Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla43
Tracking Status: firefox42 --- affected; firefox43 --- fixed

People: Reporter: decoder, Assigned: jonco

Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision eab21ec484bb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --ion-eager):

var buffer = new ArrayBuffer(100);
// First view covers the whole buffer (offset and length left undefined).
view = new DataView(buffer, undefined, undefined);
// JS shell testing function: makes the 10th allocation from here on fail, simulating OOM.
oomAfterAllocations(10);
// Second view at offset 20 is created under the simulated OOM; the assertion
// then fires in the minor GC run during context teardown (see backtrace).
view = new DataView(buffer, 20, undefined);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000066e443 in js::InnerViewTable::sweepAfterMinorGC (this=0x7ffff696fb10, rt=rt@entry=0x7ffff6937000) at js/src/vm/ArrayBufferObject.cpp:1131
#0  0x000000000066e443 in js::InnerViewTable::sweepAfterMinorGC (this=0x7ffff696fb10, rt=rt@entry=0x7ffff6937000) at js/src/vm/ArrayBufferObject.cpp:1131
#1  0x00000000006211d2 in js::Nursery::collect (this=this@entry=0x7ffff69373b8, rt=0x7ffff6937000, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at js/src/gc/Nursery.cpp:480
#2  0x0000000000b129c5 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff6937360, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at js/src/jsgc.cpp:6405
#3  0x00000000006233f8 in js::gc::GCRuntime::evictNursery (this=0x7ffff6937360, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/gc/GCRuntime.h:610
#4  0x0000000000b776fb in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6937360, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5990
#5  0x0000000000b77c52 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6937360, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6163
#6  0x0000000000b77fb0 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff6937360, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6224
#7  0x0000000000ab8c21 in js::DestroyContext (cx=0x7ffff69831c0, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:185
#8  0x0000000000ab8f8e in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:756
#9  0x0000000000476de0 in DestroyContext (withGC=true, cx=0x7ffff69831c0) at js/src/shell/js.cpp:5745
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6542
rax	0x0	0
rbx	0x7ffff696fb10	140737330477840
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffdbd0	140737488346064
rsp	0x7fffffffdad0	140737488345808
r8	0x7ffff7fe8780	140737354041216
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7ffff6f76be0	140737336798176
r11	0x0	0
r12	0x7ffff6937000	140737330245632
r13	0x0	0
r14	0x7fffffffde50	140737488346704
r15	0x7fffffffde20	140737488346656
rip	0x66e443 <js::InnerViewTable::sweepAfterMinorGC(JSRuntime*)+1235>
=> 0x66e443 <js::InnerViewTable::sweepAfterMinorGC(JSRuntime*)+1235>:	movl   $0x46b,0x0
   0x66e44e <js::InnerViewTable::sweepAfterMinorGC(JSRuntime*)+1246>:	callq  0x4994a0 <abort()>

Looking at the code, this doesn't seem to be a security-related assertion and it also looks like this is happening at shutdown.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a2f5fa870c8a
user:        Boris Zbarsky
date:        Fri Jul 04 01:24:54 2014 -0400
summary:     Bug 966452 part 1.  Refactor the js_ReportUncaughtException to produce a (message, JSErrorReport*) pair before reporting.  r=waldo and including the fix for bug 1034616 to fix JS tests to deal with this, r=jorendorff.  r=terrence on the AutoStableStringChars bits

This iteration took 125.626 seconds to run.