Closed Bug 1237153 Opened 9 years ago Closed 9 years ago

Assertion failure: defaultTimeBudget_ < 4294967295U, at js/src/jsgc.cpp:1524

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1237153-default-time-budget
2.90 KB, patch
terrence
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision dd6d447fc6e0 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-ion --no-baseline): // Adapted from randomly chosen test: js/src/jit-test/tests/gc/gcparam.js gcparam("sliceTimeBudget", -1); gcparam("sliceTimeBudget"); Backtrace: 0 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100584fa4 js::gc::GCRuntime::getParameter(JSGCParamKey, js::AutoLockGC const&) + 548 (jsgc.cpp:1524) 1 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100527deb JS_GetGCParameter(JSRuntime*, JSGCParamKey) + 75 (jsapi.cpp:1477) 2 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100720861 GCParameter(JSContext*, unsigned int, JS::Value*) + 305 (Value.h:1114) 3 js-dbg-64-dm-darwin-dd6d447fc6e0 0x000000010074fdb2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236) 4 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100744ad0 Interpret(JSContext*, js::RunState&) + 48944 (Interpreter.cpp:2786) 5 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100738b1c js::RunScript(JSContext*, js::RunState&) + 412 (Interpreter.cpp:407) 6 js-dbg-64-dm-darwin-dd6d447fc6e0 0x00000001007512a7 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) + 583 (Interpreter.cpp:666) 7 js-dbg-64-dm-darwin-dd6d447fc6e0 0x000000010075168f js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 495 (RootingAPI.h:719) 8 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100531a21 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4333) 9 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100531c92 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:719) 10 js-dbg-64-dm-darwin-dd6d447fc6e0 0x000000010001e6f9 Process(JSContext*, char const*, bool, FileKind) + 3273 (js.cpp:516) 11 js-dbg-64-dm-darwin-dd6d447fc6e0 0x0000000100004c93 main + 11715 (js.cpp:6251) 12 js-dbg-64-dm-darwin-dd6d447fc6e0 0x00000001000012d4 start + 52
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/6b89a7ac12de user: Terrence Cole date: Tue Aug 11 08:42:23 2015 -0700 summary: Bug 1193032 - Part 1: Rename GCRuntime::sliceBudget to defaultTimeBudget; r=jonco This iteration took 215.310 seconds to run.
Terrence, is bug 1193032 a likely regressor?
Blocks: 1193032
Flags: needinfo?(terrence)
The assertion is off by one, but it did show up the fact that ToUInt32() will succeed when given a negative number.
Assignee: nobody → jcoppeard
Attachment #8704673 - Flags: review?(terrence)
Flags: needinfo?(terrence)
Comment on attachment 8704673 [details] [diff] [review] bug1237153-default-time-budget Review of attachment 8704673 [details] [diff] [review]: ----------------------------------------------------------------- Ouch!
Attachment #8704673 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/cdd813b6f402
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: