1198090 - Assertion failure: CurrentThreadIsGCSweeping() || CurrentThreadIsHandlingInitFailure(), at gc/Barrier.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for (let a of [
        null, function() {}, function() {}, null, function() {}, function() {},
        function() {}, null, null, null, null, null, null, null, null,
        function() {}, null, null, null, function() {}
    ]) {
    oomAtAllocation(5);
}

asserts js debug shell on m-c changeset 04b8c412d9f5 with --fuzzing-safe --no-threads --ion-eager --no-baseline at Assertion failure: CurrentThreadIsGCSweeping() || CurrentThreadIsHandlingInitFailure(), at gc/Barrier.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 04b8c412d9f5

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a9f12b317316
user:        Jon Coppeard
date:        Wed Jul 01 18:53:04 2015 +0100
summary:     Bug 1155618 - Don't retry memory allocation if we're simulating OOM r=terrence

Jon, is bug 1155618 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x88a54, 0x00000001003d0d8e js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::UnboxedLayout::~UnboxedLayout() + 52 at Barrier.h:406, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003d0d8e js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::UnboxedLayout::~UnboxedLayout() + 52 at Barrier.h:406
    frame #1: 0x00000001003d0d5a js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::UnboxedLayout::~UnboxedLayout() [inlined] js::HeapPtr<js::jit::JitCode*>::~HeapPtr() at Barrier.h:403
    frame #2: 0x00000001003d0d5a js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::UnboxedLayout::~UnboxedLayout(this=<unavailable>) + 330 at UnboxedObject.h:130
    frame #3: 0x000000010037d5f0 js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::TryConvertToUnboxedLayout(js::ExclusiveContext*, js::Shape*, js::ObjectGroup*, js::PreliminaryObjectArray*) [inlined] js::UnboxedLayout::~UnboxedLayout() + 5792 at UnboxedObject.h:120
    frame #4: 0x000000010037d5e8 js-dbg-64-dm-nsprBuild-darwin-04b8c412d9f5`js::TryConvertToUnboxedLayout(js::ExclusiveContext*, js::Shape*, js::ObjectGroup*, js::PreliminaryObjectArray*) at Utility.h:254
(lldb)

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

CC'ing :bhackett as well because unboxed stuff is on the stack.

Comment 3

[Jon Coppeard (:jonco)]

It's not that bug, no.  It's another instance of the HeapPtr destructor asserting it is being called at the wrong time.  We just need to use AutoInitGCManagedObject instead of UniquePtr when creating the UnboxedLayout object.

Comment 4

[Jon Coppeard (:jonco)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=b5dd745c7a43

Comment 5

[Jon Coppeard (:jonco)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=8879ebf2b7fc

Comment 6

[Jon Coppeard (:jonco)]

Attachment: bug1198090-unboxed-layout

Use AutoInitGCManagedObject when creating UnboxedLayout since it contains HeapPtrs.

Comment 7

[Jon Coppeard (:jonco)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/c3988a4230d27749414ec2fbd50459d595923baf
Bug 1198090 - Use AutoInitGCManagedObject when creating UnboxedLayout in TryConvertToUnboxedLayout() r=terrence

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/c3988a4230d2