Closed
Bug 1295027
Opened 8 years ago
Closed 8 years ago
Assertion failure: !zone->runtimeFromMainThread()->isHeapMinorCollecting(), at js/src/vm/TypeInference.cpp:4069
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments
(1 file)
|
12.66 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 6e191a55c3d2 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
var handler = {};
for (var i = 0; i < 10000000; i++) {
var regex = /undefined/;
regex.__proto__ = new Proxy(function() {}, handler)
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000bae908 in AssertGCStateForSweep (zone=0x7fffee149000) at js/src/vm/TypeInference.cpp:4069
#0 0x0000000000bae908 in AssertGCStateForSweep (zone=0x7fffee149000) at js/src/vm/TypeInference.cpp:4069
#1 js::ObjectGroup::sweep (this=this@entry=0x7fffee3728b0, oom=oom@entry=0x0) at js/src/vm/TypeInference.cpp:4194
#2 0x00000000004e2a76 in js::ObjectGroup::maybeSweep (this=this@entry=0x7fffee3728b0, oom=0x0) at js/src/vm/ObjectGroup-inl.h:26
#3 0x00000000004f5ee1 in js::ObjectGroup::flags (this=0x7fffee3728b0) at js/src/vm/ObjectGroup-inl.h:32
#4 js::ObjectGroup::unknownProperties (this=this@entry=0x7fffee3728b0) at js/src/vm/ObjectGroup-inl.h:67
#5 0x0000000000d07df1 in js::ObjectGroup::canPreTenure (this=0x7fffee3728b0) at js/src/vm/ObjectGroup-inl.h:81
#6 js::Nursery::collect (this=this@entry=0x7ffff69654a0, rt=0x7ffff69651e8, reason=reason@entry=JS::gcreason::FULL_STORE_BUFFER) at js/src/gc/Nursery.cpp:696
#7 0x00000000009060ae in js::gc::GCRuntime::minorGC (this=0x7ffff6965448, reason=JS::gcreason::FULL_STORE_BUFFER, phase=<optimized out>) at js/src/jsgc.cpp:6476
#8 0x0000000000934231 in js::gc::GCRuntime::gcIfRequested (this=this@entry=0x7ffff6965448) at js/src/jsgc.cpp:6518
#9 0x0000000000b0a7a0 in InvokeInterruptCallback (cx=0x7ffff6965000) at js/src/vm/Runtime.cpp:540
#10 0x00007ffff7ff0884 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffee3728b0 140737189980336
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffbd60 140737488338272
rsp 0x7fffffffbcc0 140737488338112
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffee149000 140737187713024
r13 0x7fffee3728b0 140737189980336
r14 0x7ffff6965000 140737330434048
r15 0x7fffffffbfe8 140737488338920
rip 0xbae908 <js::ObjectGroup::sweep(js::AutoClearTypeInferenceStateOnOOM*)+1704>
=> 0xbae908 <js::ObjectGroup::sweep(js::AutoClearTypeInferenceStateOnOOM*)+1704>: movl $0x0,0x0
0xbae913 <js::ObjectGroup::sweep(js::AutoClearTypeInferenceStateOnOOM*)+1715>: ud2
Marking s-s because this is a GC-related assert and fuzzblocker because it happens frequently.
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
||
Comment 1•8 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/c39bb9b5a8c8 user: Jon Coppeard date: Thu Aug 11 10:41:06 2016 +0100 summary: Bug 1293262 - Refactor pretenuring after minor GC and add telemetry r=terrence This iteration took 240.828 seconds to run.
Jon, is bug 1293262 a likely regressor?
Blocks: 1293262
Flags: needinfo?(jcoppeard)
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 3•8 years ago
|
||
Marking object groups for pretenuring while AutoTraceSession is live is not safe because they might require sweeping which asserts that the heap is idle. Here's a patch to factor out nursery collection into two methods with AutoTraceSession only used in the inner method and the pretenuring done in the outer method.
Attachment #8781562 -
Flags: review?(terrence)
|
|
Assignee | |
Comment 4•8 years ago
|
||
There isn't anything bad actually happening here, so clearing s-s.
Group: javascript-core-security
|
||
Comment 5•8 years ago
|
||
There are a few intermittent failures with this assertion. Hopefully this will fix those.
|
||
Updated•8 years ago
|
Attachment #8781562 -
Flags: review?(terrence) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/20e66ea8de8e Only mark objects for pretenuring after end of trace session r=terrence
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/88ba08e09310 Fix spurious rooting hazard r=me
|
||
Comment 8•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/20e66ea8de8e https://hg.mozilla.org/mozilla-central/rev/88ba08e09310
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•