Closed Bug 1273355 Opened 8 years ago Closed 8 years ago

Assertion failure: rt->gc.nursery.isEmpty(), at js/src/gc/Zone.cpp:226

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1264300
Tracking Status
firefox49 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

The following testcase crashes on mozilla-central revision d0be57e84807 (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

See attachment.

Backtrace:
0   js-dbg-32-dm-clang-darwin-d0be57e84807	0x00c408ef JS::Zone::discardJitCode(js::FreeOp*) + 1055 (Zone.cpp:226)
1   js-dbg-32-dm-clang-darwin-d0be57e84807	0x00ac5352 js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM() + 66 (TypeInference.cpp:4442)
2   js-dbg-32-dm-clang-darwin-d0be57e84807	0x005be2a4 js::jit::DoTypeMonitorFallback(JSContext*, void*, js::jit::ICTypeMonitor_Fallback*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 1268 (jsgc.h:1286)
3   ???                           	0x021c82ba 0 + 35422906
4   ???                           	0x021c7c5c 0 + 35421276
5   js-dbg-32-dm-clang-darwin-d0be57e84807	0x0032bb26 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 662 (BaselineJIT.cpp:152)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/80d226fddf93
user:        Jon Coppeard
date:        Thu May 12 10:00:43 2016 +0100
summary:     Bug 1271110 - Evict the nursery when discarding JIT code outside of a GC r=sfink a=abillings

Jon, is bug 1271110 a likely regressor?
Blocks: 1271110
Flags: needinfo?(jcoppeard)
I've already spent too much time (more than a few hours) reducing the testcase; please feel free to take it from here.
Full configuration command with needed environment variables is:
LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --32" -r d0be57e84807
So this seems to be another can of worms.

The problem is that lazy sweeping of type inference data is often done with one or more instances of AutoEnterAnalysis on the stack.  This contains both an AutoSuppressGC and an AutoClearTypeInferenceStateOnOOM.

Further, sweeping can happen when compiling baseline IC stubs, where GC is also suppressed.
This will be fixed by the patches in bug 1264300, which will mean that discarding JIT code doesn't require the minor GC that is getting suppressed in this case.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Group: javascript-core-security
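The failure shape described in the comment above, as an added illustrative model rather than SpiderMonkey code: a scope guard in the style of AutoSuppressGC makes every GC request a no-op while it is alive, and a callee that performs a minor GC and then asserts the nursery is empty (the rt->gc.nursery.isEmpty() check) trips as soon as it is reached from inside such a scope. The Runtime, AutoSuppressGC, evictNursery and the two discard functions here are simplified stand-ins, and the three-cell nursery is constructed sample data; the contrast between the eviction-dependent and eviction-free discard shows why removing the GC dependency, the direction named for bug 1264300, is the robust fix rather than trying to avoid every suppressed call site.

```cpp
// Added illustrative model (not SpiderMonkey code): a callee that requires a
// minor GC fails its invariant whenever an enclosing RAII guard suppresses GC.
#include <cstdio>
#include <vector>

struct Runtime {
    int gcSuppressDepth = 0;     // live AutoSuppressGC guards (modelled as a depth counter)
    std::vector<int> nursery;    // cells currently living in the nursery
    std::vector<int> jitCode;    // JIT code blobs owned by the zone
    bool nurseryIsEmpty() const { return nursery.empty(); }
};

// Stand-in for js::AutoSuppressGC: while any instance is alive, GCs are skipped.
struct AutoSuppressGC {
    Runtime& rt;
    explicit AutoSuppressGC(Runtime& r) : rt(r) { ++rt.gcSuppressDepth; }
    ~AutoSuppressGC() { --rt.gcSuppressDepth; }
    AutoSuppressGC(const AutoSuppressGC&) = delete;
    AutoSuppressGC& operator=(const AutoSuppressGC&) = delete;
};

// Stand-in for the nursery eviction that bug 1271110 added to discardJitCode:
// it tenures everything out of the nursery, but is a no-op while suppressed.
void evictNursery(Runtime& rt) {
    if (rt.gcSuppressDepth > 0) return;   // suppressed: nursery left untouched
    rt.nursery.clear();
}

// Shape of the asserting path: evict, then require an empty nursery.
// Returns whether the invariant held (false means the assertion would fire).
bool discardJitCodeNeedingEviction(Runtime& rt) {
    evictNursery(rt);
    if (!rt.nurseryIsEmpty()) return false;   // rt->gc.nursery.isEmpty() in the report
    rt.jitCode.clear();
    return true;
}

// Shape of the fix direction named in the comment: the discard no longer
// depends on a GC having run, so an enclosing suppression is harmless.
bool discardJitCodeNoEviction(Runtime& rt) {
    rt.jitCode.clear();                       // JIT-code bookkeeping only, no nursery precondition
    return true;
}

// Lazy type-inference sweep reached from inside analysis: AutoEnterAnalysis
// holds an AutoSuppressGC on the stack, and the sweep ends up discarding JIT code.
bool sweepUnderAnalysis(Runtime& rt, bool (*discard)(Runtime&)) {
    AutoSuppressGC suppress(rt);              // models the guard owned by AutoEnterAnalysis
    return discard(rt);
}

// The same sweep with no guard on the stack, e.g. driven directly by a GC slice.
bool sweepOutsideAnalysis(Runtime& rt, bool (*discard)(Runtime&)) {
    return discard(rt);
}

// Constructed sample state: three live nursery cells and two JIT code blobs.
Runtime runtimeWithNurseryCells() {
    Runtime rt;
    rt.nursery = {1, 2, 3};
    rt.jitCode = {10, 20};
    return rt;
}

int main() {
    Runtime a = runtimeWithNurseryCells();
    std::printf("no guard, eviction-based discard:        %s\n",
                sweepOutsideAnalysis(a, discardJitCodeNeedingEviction) ? "ok" : "ASSERT");
    Runtime b = runtimeWithNurseryCells();
    std::printf("under AutoSuppressGC, eviction-based:    %s\n",
                sweepUnderAnalysis(b, discardJitCodeNeedingEviction) ? "ok" : "ASSERT");
    Runtime c = runtimeWithNurseryCells();
    std::printf("under AutoSuppressGC, eviction-free:     %s\n",
                sweepUnderAnalysis(c, discardJitCodeNoEviction) ? "ok" : "ASSERT");
    return 0;
}
```

The depth counter matters: nested guards (analysis plus IC stub compilation, as the comment notes) keep suppression active until the outermost one is destroyed, so checking only the innermost scope would not find every suppressed call site.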