
Assertion failure: amount > 0, at js/src/jsgc.cpp:1922

RESOLVED FIXED in Firefox 48

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago
Reporter: gkw
Assignee: jonco
Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla48
Hardware: x86
OS: Linux
Points: ---
Firefox Tracking Flags: firefox48 fixed
Whiteboard: [jsbugmon:update]
Attachments: 1 attachment

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision f14898695ee0 (build with --32 --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1254108.js
gcparam("lowFrequencyHeapGrowth", 0x22222222);

Backtrace:

#0  js::gc::ZoneHeapThreshold::updateForRemovedArena (this=0xf715ac20, tunables=...) at js/src/jsgc.cpp:1922
#1  0x08534e59 in js::gc::GCRuntime::releaseArena (this=0xf7129250, arena=0xf3648000, lock=...) at js/src/jsgc.cpp:1101
#2  0x08559776 in ReleaseArenaList (lock=..., arena=<optimized out>, rt=0xf7129000) at js/src/jsgc.cpp:2863
#3  js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0xf7129250, zones=..., threadType=threadType@entry=js::BackgroundThread, freeBlocks=...) at js/src/jsgc.cpp:3416
#4  0x085599d6 in js::gc::GCRuntime::sweepBackgroundThings (threadType=js::BackgroundThread, freeBlocks=..., zones=..., this=<optimized out>) at js/src/jsgc.cpp:3657
#5  js::GCHelperState::doSweep (this=0xf712b4bc, lock=...) at js/src/jsgc.cpp:3657
#6  0x08559b9a in js::GCHelperState::work (this=0xf712b4bc) at js/src/jsgc.cpp:3540
#7  0x086d6fd6 in js::HelperThread::handleGCHelperWorkload (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1671
#8  0x086dcda9 in js::HelperThread::threadLoop (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1735
#9  0x08707029 in nspr::Thread::ThreadRoutine (arg=0xf7107220) at js/src/vm/PosixNSPR.cpp:45
#10 0xf775817f in start_thread (arg=0xf5569b40) at pthread_create.c:333
#11 0xf7499f8e in clone () from /lib32/libc.so.6
(Reporter)

Comment 1

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/794a18afbb25
user:        Jon Coppeard
date:        Tue Jan 05 15:07:58 2016 +0000
summary:     Bug 1236564 - Fix various minor issues with getting/setting GC parameters r=terrence

Jon, is bug 1236564 a likely regressor?
Blocks: 1236564
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 2

2 years ago
I can't immediately reproduce this, but I think the best thing to do is enforce some limits on these GC parameters. 0x22222222 will never be a useful heap growth factor.
(Assignee)

Comment 3

2 years ago
Created attachment 8733418 [details] [diff] [review]
bug1258407-limit-heap-growth-param

This feels a bit arbitrary, but let's limit the heap growth factor to 100. That's already too large to be a useful value.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8733418 - Flags: review?(sphink)
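The limit described in Comment 3, as an added model rather than the actual patch or SpiderMonkey's code: an unchecked setter (the pre-fix behaviour) beside a range-checked one, plus a range-checked version of the arena-release arithmetic from the backtrace. The percentage scaling of the parameter, the 1.0 lower bound and the namespace and function names are assumptions; the 100.0 upper bound is the one chosen in Comment 3.

```cpp
#include <cstdint>

namespace gcparam_model {

// Constructed constants for the model: 4 KiB arenas as in SpiderMonkey, the
// 100.0 upper bound from Comment 3, and an assumed lower bound of 1.0 (a growth
// factor below 1.0 would shrink the threshold instead of growing it).
constexpr uint32_t ArenaSize = 4096;
constexpr double MinHeapGrowthFactor = 1.0;    // assumption, not from the page
constexpr double MaxHeapGrowthFactor = 100.0;  // limit chosen in Comment 3

struct Tunables {
    // gcparam passes the factor as a percentage (assumption); 150 means 1.5x.
    double lowFrequencyHeapGrowth = 1.5;
};

// Pre-fix behaviour: the raw parameter is accepted without any range check.
inline void setLowFrequencyHeapGrowthUnchecked(Tunables& t, uint32_t value) {
    t.lowFrequencyHeapGrowth = value / 100.0;
}

// Post-fix behaviour: values outside [1.0, 100.0] are refused and the
// tunable is left untouched, so the caller sees the rejection.
inline bool setLowFrequencyHeapGrowthChecked(Tunables& t, uint32_t value) {
    const double factor = value / 100.0;
    if (!(factor >= MinHeapGrowthFactor && factor <= MaxHeapGrowthFactor))
        return false;
    t.lowFrequencyHeapGrowth = factor;
    return true;
}

// Model of the amount subtracted from the GC trigger threshold when an arena is
// released (updateForRemovedArena in the backtrace). On a --32 build size_t is
// 32 bits, so the product is range-checked in double before narrowing instead
// of narrowing a value that no longer fits.
inline bool removedArenaAmount(const Tunables& t, uint32_t* out) {
    const double amount = ArenaSize * t.lowFrequencyHeapGrowth;
    if (!(amount > 0.0) || amount >= 4294967296.0)  // 2^32
        return false;
    *out = static_cast<uint32_t>(amount);
    return true;
}

}  // namespace gcparam_model
```

With the testcase's value 0x22222222 the checked setter refuses the parameter, while the unchecked setter lets it through and the arena arithmetic then fails its range check instead of producing a meaningless amount.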
Comment on attachment 8733418 [details] [diff] [review]
bug1258407-limit-heap-growth-param

Review of attachment 8733418 [details] [diff] [review]:
-----------------------------------------------------------------

WFM
Attachment #8733418 - Flags: review?(sphink) → review+

Comment 5

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/af33c9781912

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/af33c9781912
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox48: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48