1324527 - Assertion failure: canCollect(), at js/src/gc/Zone.h:209 or Assertion failure: !zone->wasGCStarted(), at gc/Allocator.cpp:307

Status: RESOLVED DUPLICATE of bug 1322648

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 863c2b61bd27 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

try {
  gczeal(10, 2)();
} catch (e) {}
if (!(gczeal(2, 10))) {}
var module = "'use asm';";
var script = "(function() {" + module + "})";
offThreadCompileScript(script);
var f = new Function(module);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  js::gc::GCRuntime::refillFreeListOffMainThread (thingKind=js::gc::AllocKind::OBJECT4, cx=0x7ffff69aac00) at js/src/gc/Allocator.cpp:307
#1  js::gc::GCRuntime::refillFreeListFromAnyThread (cx=0x7ffff69aac00, thingKind=js::gc::AllocKind::OBJECT4, thingSize=<optimized out>) at js/src/gc/Allocator.cpp:286
#2  0x0000000000def17e in js::gc::GCRuntime::tryNewTenuredThing<JSObject, (js::AllowGC)0> (cx=cx@entry=0x7ffff69aac00, kind=kind@entry=js::gc::AllocKind::OBJECT4, thingSize=thingSize@entry=64) at js/src/gc/Allocator.cpp:162
#3  0x0000000000def281 in js::gc::GCRuntime::tryNewTenuredObject<(js::AllowGC)0> (cx=cx@entry=0x7ffff69aac00, kind=kind@entry=js::gc::AllocKind::OBJECT4, thingSize=64, nDynamicSlots=<optimized out>) at js/src/gc/Allocator.cpp:115
#4  0x0000000000df4cde in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff69aac00, kind=kind@entry=js::gc::AllocKind::OBJECT4, nDynamicSlots=<optimized out>, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x20070a0 <js::ScriptSourceObject::class_>) at js/src/gc/Allocator.cpp:43
#5  0x0000000000998e27 in JSObject::create (cx=0x7ffff69aac00, kind=js::gc::AllocKind::OBJECT4, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/jsobjinlines.h:378
#6  0x00000000009c2da8 in NewObject (cx=0x7ffff69aac00, group=..., kind=js::gc::AllocKind::OBJECT4, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:650
#7  0x00000000009c34d9 in js::NewObjectWithGivenTaggedProto (cxArg=cxArg@entry=0x7ffff69aac00, clasp=clasp@entry=0x20070a0 <js::ScriptSourceObject::class_>, proto=proto@entry=..., allocKind=js::gc::AllocKind::OBJECT4, newKind=newKind@entry=js::GenericObject, initialShapeFlags=initialShapeFlags@entry=0) at js/src/jsobj.cpp:708
#8  0x0000000000a1657d in js::NewObjectWithGivenTaggedProto (initialShapeFlags=0, newKind=js::GenericObject, proto=..., clasp=0x20070a0 <js::ScriptSourceObject::class_>, cx=0x7ffff69aac00) at js/src/jsobjinlines.h:661
#9  js::NewObjectWithGivenProto (newKind=js::GenericObject, proto=..., clasp=0x20070a0 <js::ScriptSourceObject::class_>, cx=0x7ffff69aac00) at js/src/jsobjinlines.h:696
#10 js::ScriptSourceObject::create (cx=cx@entry=0x7ffff69aac00, source=source@entry=0x7ffff03e1a50) at js/src/jsscript.cpp:1341
#11 0x0000000000af196f in js::frontend::CreateScriptSourceObject (cx=0x7ffff69aac00, options=..., parameterListEnd=...) at js/src/frontend/BytecodeCompiler.cpp:500
#12 0x0000000000af47f9 in BytecodeCompiler::createScriptSource (parameterListEnd=..., this=0x7ffff48fa140) at js/src/frontend/BytecodeCompiler.cpp:171
#13 BytecodeCompiler::createSourceAndParser (this=this@entry=0x7ffff48fa140, parameterListEnd=...) at js/src/frontend/BytecodeCompiler.cpp:239
#14 0x0000000000b14e62 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff48fa140, environment=..., environment@entry=..., sc=sc@entry=0x7ffff48fa0f0) at js/src/frontend/BytecodeCompiler.cpp:313
#15 0x0000000000b15a08 in BytecodeCompiler::compileGlobalScript (scopeKind=<optimized out>, this=0x7ffff48fa140) at js/src/frontend/BytecodeCompiler.cpp:369
#16 js::frontend::CompileGlobalScript (cx=<optimized out>, alloc=..., scopeKind=scopeKind@entry=js::ScopeKind::Global, options=..., srcBuf=..., extraSct=extraSct@entry=0x0, sourceObjectOut=0x7ffff020ce78) at js/src/frontend/BytecodeCompiler.cpp:564
#17 0x0000000000b31c96 in js::ScriptParseTask::parse (this=0x7ffff020cd30) at js/src/vm/HelperThreads.cpp:369
#18 0x0000000000b4cd74 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff6948460, locked=..., stackLimit=stackLimit@entry=140737294606336) at js/src/vm/HelperThreads.cpp:1628
#19 0x0000000000b4f690 in js::HelperThread::threadLoop (this=this@entry=0x7ffff6948460) at js/src/vm/HelperThreads.cpp:1882
#20 0x0000000000b4f785 in js::HelperThread::ThreadMain (arg=0x7ffff6948460) at js/src/vm/HelperThreads.cpp:1409
[...]
rax	0x2030520	33752352
rbx	0x7ffff69aac00	140737330719744
rcx	0x1211aa8	18946728
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff48f9660	140737296438880
rsp	0x7ffff48f9630	140737296438832
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff48fb700	140737296447232
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x6	6
r13	0x6	6
r14	0x40	64
r15	0x0	0
rip	0xdd4a49 <js::gc::GCRuntime::refillFreeListFromAnyThread(js::ExclusiveContext*, js::gc::AllocKind, unsigned long)+441>
=> 0xdd4a49 <js::gc::GCRuntime::refillFreeListFromAnyThread(js::ExclusiveContext*, js::gc::AllocKind, unsigned long)+441>:	movl   $0x0,0x0
   0xdd4a54 <js::gc::GCRuntime::refillFreeListFromAnyThread(js::ExclusiveContext*, js::gc::AllocKind, unsigned long)+452>:	ud2    


Marking s-s because the assertions are about GC.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/40c8129cffbf
user:        Jon Coppeard
date:        Tue Dec 06 17:25:02 2016 -1000
summary:     Bug 1213977 - Don't reset an ongoing incremental GC if AutoKeepAtoms is set r=sfink

This iteration took 253.292 seconds to run.

Comment 2

[Jon Coppeard (:jonco)]

This is the same issue as bug 1322648.

Comment 3

[Liz Henry (:lizzard) (relman/hg->git project)]

Fixed in 53 in the duplicate bug.