1301608 - Assertion failure: (l.asBits >> 47) <= JSVAL_TAG_OBJECT, at /Users/skywalker/shell-cache/js-dbg-64-dm-clang-darwin-176aff980979/objdir-js/dist/include/js/Value.h:807

Status: RESOLVED DUPLICATE of bug 1293311

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 176aff980979 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads):

function h(f) {
    for (var j = 0; j < 7500; ++j) {
        try {
            f();
        } catch (e) {}
    }
}
(function() {
    oomTest(Number.prototype.toPrecision.bind(-this.__defineSetter__("x", arguments.callee)));
    g = function() {
        new Uint8Array
        function f() {}
        return f
    }()
    h(g, [, , , , , , , 0, , , , , , 0, 0, 0, , , , , 0, , ]);
    h(function() {
        x = /y/;
    });
})();


Backtrace:

0   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fd9ea2 decltype(fp(static_cast<JSObject*>(std::nullptr_t)mozilla::Forward<js::TenuringTracer*>(fp1))) js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*>(js::TenuringTraversalFunctor<JS::Value>, JS::Value const&, js::TenuringTracer*&&) + 434 (Value.h:807)
1   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fca4f8 void DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) + 72 (Marking.cpp:2241)
2   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fca8e6 void js::TraceRootRange<JS::Value>(JSTracer*, unsigned long, JS::Value*, char const*) + 310 (IntegerRange.h:77)
3   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fc2bbb js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime, js::AutoLockForExclusiveAccess&) + 123 (RootMarking.cpp:226)
4   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fbfa42 js::Nursery::doCollection(JSRuntime*, JS::gcreason::Reason, js::gc::TenureCountCache&) + 1090 (RootMarking.cpp:304)
5   js-dbg-64-dm-clang-darwin-176aff980979	0x0000000109fbefc5 js::Nursery::collect(JSRuntime*, JS::gcreason::Reason) + 373 (Nursery.cpp:574)
/snip

For detailed crash information, see attachment.

Setting s-s as a start because GC is on the stack, even though it seems to involve oomTest.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

thread 8
  allocation 1
  finished after 0 allocations
thread 1
  allocation 1
ReportOutOfMemory called
Assertion failure: (l.asBits >> 47) <= JSVAL_TAG_OBJECT, at /Users/skywalker/shell-cache/js-dbg-64-dm-clang-oombp-darwin-176aff980979/objdir-js/dist/include/js/Value.h:807
Process 22846 stopped
* thread #1: </snip>

I am unable to get an OOM_VERBOSE=1 stack because I do not know how many allocations have passed before the assertion is hit.

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160907034116" and the hash "f590934ef71f3fb00a7339c992677eda891d3705".
The "bad" changeset has the timestamp "20160907035016" and the hash "b48c0088fad27760cbae9733af3d6e3e0afad5df".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f590934ef71f3fb00a7339c992677eda891d3705&tochange=b48c0088fad27760cbae9733af3d6e3e0afad5df

Jan, is bug 1296015 a likely regressor?

Comment 4

[Jan de Mooij [:jandem]]

I'm looking into this now. Stack corruption, a bit of a pain to track down.

Comment 5

[Jan de Mooij [:jandem]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Jan, is bug 1296015 a likely regressor?

I can reproduce a similar memory corruption crash @ the parent revision. Still digging.

Comment 6

[Jan de Mooij [:jandem]]

Duplicate of bug 1293311. That's what I get for not landing patches immediately :/