Closed
Bug 1258407
Opened 8 years ago
Closed 8 years ago
Assertion failure: amount > 0, at js/src/jsgc.cpp:1922
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
Tracking | Status | |
---|---|---|
firefox48 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
patch, 3.07 KB (sfink: review+)
The following testcase crashes on mozilla-central revision f14898695ee0 (build with --32 --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --no-baseline --no-ion):

```js
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1254108.js
gcparam("lowFrequencyHeapGrowth", 0x22222222);
```

Backtrace:

```
#0 js::gc::ZoneHeapThreshold::updateForRemovedArena (this=0xf715ac20, tunables=...) at js/src/jsgc.cpp:1922
#1 0x08534e59 in js::gc::GCRuntime::releaseArena (this=0xf7129250, arena=0xf3648000, lock=...) at js/src/jsgc.cpp:1101
#2 0x08559776 in ReleaseArenaList (lock=..., arena=<optimized out>, rt=0xf7129000) at js/src/jsgc.cpp:2863
#3 js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0xf7129250, zones=..., threadType=threadType@entry=js::BackgroundThread, freeBlocks=...) at js/src/jsgc.cpp:3416
#4 0x085599d6 in js::gc::GCRuntime::sweepBackgroundThings (threadType=js::BackgroundThread, freeBlocks=..., zones=..., this=<optimized out>) at js/src/jsgc.cpp:3657
#5 js::GCHelperState::doSweep (this=0xf712b4bc, lock=...) at js/src/jsgc.cpp:3657
#6 0x08559b9a in js::GCHelperState::work (this=0xf712b4bc) at js/src/jsgc.cpp:3540
#7 0x086d6fd6 in js::HelperThread::handleGCHelperWorkload (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1671
#8 0x086dcda9 in js::HelperThread::threadLoop (this=0xf711ed9c) at js/src/vm/HelperThreads.cpp:1735
#9 0x08707029 in nspr::Thread::ThreadRoutine (arg=0xf7107220) at js/src/vm/PosixNSPR.cpp:45
#10 0xf775817f in start_thread (arg=0xf5569b40) at pthread_create.c:333
#11 0xf7499f8e in clone () from /lib32/libc.so.6
```
Reporter
Comment 1•8 years ago
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/794a18afbb25
user: Jon Coppeard
date: Tue Jan 05 15:07:58 2016 +0000
summary: Bug 1236564 - Fix various minor issues with getting/setting GC parameters r=terrence
```

Jon, is bug 1236564 a likely regressor?
Blocks: 1236564
Flags: needinfo?(jcoppeard)
Assignee
Comment 2•8 years ago
I can't immediately reproduce this, but I think the best thing to do is enforce some limits on these GC parameters. 0x22222222 will never be a useful heap growth factor.
Assignee
Comment 3•8 years ago
This feels a bit arbitrary, but let's limit the heap growth factor to 100. That's already too large to be a useful value.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8733418 -
Flags: review?(sphink)
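The limit proposed in comments 2 and 3, sketched as an added example that is not the attached patch and not SpiderMonkey code: a setter that rejects a growth factor above 100, next to a range-checked 32-bit computation of the per-arena amount. The names `Tunables`, `setLowFrequencyHeapGrowth` and `removedArenaAmount32`, the 4096-byte arena size, the percentage encoding of the raw value and the rejection of zero are all assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical names and constants for illustration; not SpiderMonkey code.
constexpr double kMaxHeapGrowthFactor = 100.0;  // cap proposed in comment 3
constexpr uint32_t kArenaSize = 4096;           // assumed arena size in bytes

struct Tunables {
    double lowFrequencyHeapGrowth = 1.5;

    // Assumption: the raw parameter is a percentage (150 means 1.5x).
    // Out-of-range input is rejected and the previous value is kept.
    bool setLowFrequencyHeapGrowth(uint32_t rawPercent) {
        double factor = rawPercent / 100.0;
        if (factor <= 0.0 || factor > kMaxHeapGrowthFactor)
            return false;
        lowFrequencyHeapGrowth = factor;
        return true;
    }
};

// Bytes to subtract from a threshold when one arena is released, computed for
// a 32-bit size_t. Converting a double that does not fit the target integer
// type is undefined behaviour in C++, so the range is checked first.
bool removedArenaAmount32(double factor, uint32_t* out) {
    double amount = kArenaSize * factor;
    if (!(amount >= 1.0) || amount > std::numeric_limits<uint32_t>::max())
        return false;
    *out = static_cast<uint32_t>(amount);
    return true;
}

int main() {
    Tunables t;
    uint32_t raw = 0x22222222;  // value from the testcase in this bug
    uint32_t amount = 0;
    std::printf("setter accepts 0x%x: %d\n", (unsigned)raw, t.setLowFrequencyHeapGrowth(raw));
    std::printf("unchecked factor fits 32 bits: %d\n", removedArenaAmount32(raw / 100.0, &amount));
    if (removedArenaAmount32(t.lowFrequencyHeapGrowth, &amount))
        std::printf("amount for accepted factor %.2f: %u\n", t.lowFrequencyHeapGrowth, (unsigned)amount);
    return 0;
}
```

Under these assumptions the testcase value scales one arena to roughly 2.3e10 bytes, which a 32-bit integer cannot hold, while any factor the setter accepts scales it to at most 409600 bytes.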
Comment 4•8 years ago
Comment on attachment 8733418
bug1258407-limit-heap-growth-param

Review of attachment 8733418:

WFM
Attachment #8733418 -
Flags: review?(sphink) → review+
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/af33c9781912
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48