Closed Bug 1258407 Opened 8 years ago Closed 8 years ago

Assertion failure: amount > 0, at js/src/jsgc.cpp:1922

Categories

(Core :: JavaScript Engine, defect)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Milestone: mozilla48
Tracking Status: firefox48 --- fixed

People

(Reporter: gkw, Assigned: jonco)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f14898695ee0 (build with --32 --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1254108.js
gcparam("lowFrequencyHeapGrowth", 0x22222222);

Backtrace:

#0  js::gc::ZoneHeapThreshold::updateForRemovedArena (this=0xf715ac20, tunables=...) at js/src/jsgc.cpp:1922
#1  0x08534e59 in js::gc::GCRuntime::releaseArena (this=0xf7129250, arena=0xf3648000, lock=...) at js/src/jsgc.cpp:1101
#2  0x08559776 in ReleaseArenaList (lock=..., arena=<optimized out>, rt=0xf7129000) at js/src/jsgc.cpp:2863
#3  js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0xf7129250, zones=..., threadType=threadType@entry=js::BackgroundThread, freeBlocks=...) at js/src/jsgc.cpp:3416
#4  0x085599d6 in js::gc::GCRuntime::sweepBackgroundThings (threadType=js::BackgroundThread, freeBlocks=..., zones=..., this=<optimized out>) at js/src/jsgc.cpp:3657
#5  js::GCHelperState::doSweep (this=0xf712b4bc, lock=...) at js/src/jsgc.cpp:3657
#6  0x08559b9a in js::GCHelperState::work (this=0xf712b4bc) at js/src/jsgc.cpp:3540
#7  0x086d6fd6 in js::HelperThread::handleGCHelperWorkload (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1671
#8  0x086dcda9 in js::HelperThread::threadLoop (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1735
#9  0x08707029 in nspr::Thread::ThreadRoutine (arg=0xf7107220) at js/src/vm/PosixNSPR.cpp:45
#10 0xf775817f in start_thread (arg=0xf5569b40) at pthread_create.c:333
#11 0xf7499f8e in clone () from /lib32/libc.so.6

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/794a18afbb25
user:        Jon Coppeard
date:        Tue Jan 05 15:07:58 2016 +0000
summary:     Bug 1236564 - Fix various minor issues with getting/setting GC parameters r=terrence

Jon, is bug 1236564 a likely regressor?

Blocks: 1236564
Flags: needinfo?(jcoppeard)

I can't immediately reproduce this, but I think the best thing to do is enforce some limits on these GC parameters. 0x22222222 will never be a useful heap growth factor.

This feels a bit arbitrary, but let's limit the heap growth factor to 100. That's already too large to be a useful value.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8733418 - Flags: review?(sphink)

Comment on attachment 8733418
bug1258407-limit-heap-growth-param

Review of attachment 8733418:
-----------------------------------------------------------------

WFM

Attachment #8733418 - Flags: review?(sphink) → review+

https://hg.mozilla.org/mozilla-central/rev/af33c9781912

Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
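
An illustration of the limit proposed in this bug, added here as an example and not taken from attachment 8733418 or the SpiderMonkey source: a setter that rejects out-of-range growth factors, plus a check showing that the fuzzed value no longer fits a 32-bit size once it is scaled. The type and function names, the 4096-byte arena size, the lower bound of 1.0 and the percentage encoding of the parameter are assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Assumed values for illustration; only the limit of 100 comes from the bug.
constexpr uint32_t kArenaSize = 4096;           // bytes per arena (assumption)
constexpr double kMinHeapGrowthFactor = 1.0;    // lower bound (assumption)
constexpr double kMaxHeapGrowthFactor = 100.0;  // limit proposed in the bug

// Hypothetical tunables holder; the parameter is taken as an integer
// percentage, so 150 means a growth factor of 1.5 (assumption).
struct Tunables {
    double lowFrequencyHeapGrowth = 1.5;

    // Reject out-of-range values and leave the current setting untouched.
    bool setLowFrequencyHeapGrowth(uint32_t percent) {
        double factor = percent / 100.0;
        if (factor < kMinHeapGrowthFactor || factor > kMaxHeapGrowthFactor)
            return false;
        lowFrequencyHeapGrowth = factor;
        return true;
    }
};

// Per-arena threshold adjustment held in a 32-bit size, as on an x86 build.
// The range check happens in floating point because narrowing an
// out-of-range double to an integer type is undefined behaviour in C++.
bool perArenaAmount(double growthFactor, uint32_t* out) {
    double amount = kArenaSize * growthFactor;
    if (!(amount >= 1.0) || amount > static_cast<double>(UINT32_MAX))
        return false;
    *out = static_cast<uint32_t>(amount);
    return true;
}

int main() {
    const uint32_t fuzzed = 0x22222222;  // value from the testcase above
    uint32_t amount = 0;
    Tunables t;
    std::printf("unchecked factor fits in 32 bits: %d\n",
                perArenaAmount(fuzzed / 100.0, &amount));
    std::printf("setter accepts 0x22222222: %d\n",
                t.setLowFrequencyHeapGrowth(fuzzed));
    std::printf("setter accepts 150: %d\n", t.setLowFrequencyHeapGrowth(150));
    bool ok = perArenaAmount(kMaxHeapGrowthFactor, &amount);
    std::printf("amount at the limit: %d (%u bytes)\n", ok, amount);
    return 0;
}
```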