Closed Bug 1274065 Opened 4 years ago Closed 4 years ago

Assertion failure: !runtimeFromMainThread()->isHeapBusy(), at js/src/gc/Zone.h:166


(Core :: JavaScript Engine, defect, critical)

Not set



Tracking Status
firefox49 --- fixed


(Reporter: gkw, Assigned: jonco)


(Blocks 2 open bugs)


(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])


(3 files)

The following testcase crashes on mozilla-central revision f3f2fa1d7eed (build with --32 --enable-debug, run with --fuzzing-safe --ion-instruction-reordering=on --gc-zeal=12 --no-threads --no-fpu --thread-count=16 --ion-eager --ion-gvn=off --ion-regalloc=testbed -e maxRunTime=12000 -f):

See attachment.


#0  JS::Zone::scheduleGC (this=0xf7159800) at js/src/gc/Zone.h:166
#1  JS::PrepareZoneForGC (zone=0xf7159800) at js/src/jsgc.cpp:7566
#2  0x08510152 in js::gc::GCRuntime::triggerZoneGC (this=0xf712d228, zone=0xf7159800, reason=JS::gcreason::ALLOC_TRIGGER) at js/src/jsgc.cpp:3403
#3  0x0851054c in js::gc::GCRuntime::minorGCImpl (this=0xf712d228, reason=JS::gcreason::API, pretenureGroups=0x0) at js/src/jsgc.cpp:6876
#4  0x08511d90 in js::gc::GCRuntime::minorGC (reason=JS::gcreason::API, this=0xf712d228) at js/src/gc/GCRuntime.h:611
#5  js::gc::GCRuntime::disableGenerationalGC (this=0xf712d228) at js/src/jsgc.cpp:6898
#6  JS::AutoDisableGenerationalGC::AutoDisableGenerationalGC (this=0xf5549c30, rt=0xf712d000) at js/src/jsgc.cpp:7769
#7  0x088c783f in js::VerifyPreTracer::VerifyPreTracer (rt=0xf712d000, this=0xf5549c10) at js/src/gc/Verifier.cpp:104
#8  js_new<js::VerifyPreTracer, JSRuntime*&> () at /home/ubuntu/shell-cache/js-dbg-32-linux-f3f2fa1d7eed/objdir-js/dist/include/js/Utility.h:345
#9  js::gc::GCRuntime::startVerifyPreBarriers (this=0xf712d228) at js/src/gc/Verifier.cpp:189
#10 0x088c7d46 in js::gc::GCRuntime::verifyPreBarriers (this=<optimized out>) at js/src/gc/Verifier.cpp:372
#11 js::gc::VerifyBarriers (rt=<optimized out>, type=js::gc::PreBarrierVerifier) at js/src/gc/Verifier.cpp:379
#12 0x08801792 in VerifyPreBarriers (cx=0xf7173020, argc=0, vp=0xffdb4228) at js/src/builtin/TestingFunctions.cpp:776
#13 0x086adabd in js::CallJSNative (cx=0xf7173020, native=0x8801750 <VerifyPreBarriers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235

For detailed crash information, see attachment.

I don't yet have a good testcase, filing first in case the stack and bisection window helps. Setting s-s because gc seems to be involved.
Attached file Testcase
Whiteboard: [jsbugmon:update] → [jsbugmon:]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Jon Coppeard
date:        Tue May 17 10:20:00 2016 +0100
summary:     Bug 1273180 - Trigger major GC if necessary after minor GC r=terrence

Jon, is bug 1273180 a likely regressor?
Blocks: 1273180
Flags: needinfo?(jcoppeard)
I can't reproduce this, but I think I can see what's going on.

There are two things that can cause a minor GC, and now also trigger a major GC, when we start verifing pre barriers: there's a call to evictNursery() and there's an AutoDisableGenerationalGC that's part of VerifyPreTracer.

For some reason we're triggering a major GC on the second one, and I can only think that it's because background sweeping has lowered the trigger threshold in between the calls.

This attempt at a GC fails because we're now under AutoPrepareForTracing.  If we hadn't already evicted the nursery this would fail every time.

The solution is to create the VerifyPreTracer before AutoPrepareForTracing.  We can also get rid of the unnecessary eviction because this happens anyway.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8754475 - Flags: review?(terrence)
Comment on attachment 8754475 [details] [diff] [review]

Review of attachment 8754475 [details] [diff] [review]:

Attachment #8754475 - Flags: review?(terrence) → review+
(In reply to Jon Coppeard (:jonco) from comment #4)
> I can't reproduce this, but I think I can see what's going on.

This also became way more intermittent for me as I reduced the testcase.
This affects the pre-barrier verifier so is not s-s.
Group: javascript-core-security
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
You need to log in before you can comment on or make changes to this bug.