Closed
Bug 1412285
Opened 7 years ago
Closed 7 years ago
Assertion failure: oom::maxAllocations == (18446744073709551615UL), at dist/include/js/Utility.h:335
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED
DUPLICATE
of bug 1411302
| | Tracking | Status |
|---|---|---|
| firefox58 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update,ignore])
Attachments
(1 file)
58.21 KB, text/plain
The following testcase crashes on mozilla-central revision d734e6acf777 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --baseline-eager --ion-offthread-compile=off --ion-eager):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x0000000000475cd8 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/js/Utility.h:335
#1 0x0000000000e4cdec in mozilla::DebugOnly<js::AutoEnterOOMUnsafeRegion>::~DebugOnly (this=0x7ffff49fe590, __in_chrg=<optimized out>) at dist/include/mozilla/DebugOnly.h:87
#2 js::Nursery::doCollection (this=this@entry=0x7ffff4d2ad78, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, tenureCounts=...) at js/src/gc/Nursery.cpp:710
#3 0x0000000000e4fb35 in js::Nursery::collect (this=0x7ffff4d2ad78, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:619
#4 0x00000000009db667 in js::gc::GCRuntime::minorGC (this=0x7ffff4d28748, reason=JS::gcreason::DESTROY_RUNTIME, phase=<optimized out>) at js/src/jsgc.cpp:7676
#5 0x0000000000a0a011 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff4d28748, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7258
#6 0x0000000000a0a862 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff4d28748, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7450
#7 0x0000000000a0ab59 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff4d28748, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7517
#8 0x0000000000c0f585 in JSRuntime::destroyRuntime (this=0x7ffff4d28000) at js/src/vm/Runtime.cpp:320
#9 0x00000000009a3eb9 in js::DestroyContext (cx=0x7ffff4d30000) at js/src/jscntxt.cpp:254
#10 0x000000000046dfa0 in <lambda()>::operator() (__closure=0x7ffff49fed90) at js/src/shell/js.cpp:3551
#11 WorkerMain (arg=<optimized out>) at dist/include/mozilla/ScopeExit.h:112
#12 0x00000000004750d2 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff691e220) at js/src/threading/Thread.h:239
#13 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff691e220) at js/src/threading/Thread.h:232
#14 0x00007ffff7bc16fa in start_thread (arg=0x7ffff49ff700) at pthread_create.c:333
#15 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x0 0
rbx 0x7ffff4d2ad78 140737300835704
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7ffff49fe520 140737297507616
rsp 0x7ffff49fe510 140737297507600
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff49ff700 140737297512192
r10 0x0 0
r11 0x0 0
r12 0x7ffff4d28000 140737300824064
r13 0x7ffff4d28000 140737300824064
r14 0x7ffff4d287d8 140737300826072
r15 0x7ffff4d30000 140737300856832
rip 0x475cd8 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+216>
=> 0x475cd8 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+216>: movl $0x0,0x0
0x475ce3 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+227>: ud2

This bug has been a huge problem for quite a while now; I just wasn't able to isolate a test for it. When running the test, you can randomly get all sorts of assertions; I'm primarily interested in fixing the one in the subject of this bug.
Reporter
Comment 1•7 years ago

Reporter
Comment 2•7 years ago
NI from jandem to get this fuzzblocker fixed.
Flags: needinfo?(jdemooij)
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 3•7 years ago

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ac88bbf2856d
user: André Bargull
date: Wed Oct 11 05:36:38 2017 -0700
summary: Bug 1407584 - Part 2: Update test262 files. rs=Waldo

This iteration took 272.918 seconds to run.
Updated•7 years ago
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
Comment 4•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ae49d4a57622).
Updated•7 years ago
Priority: -- → P1
Comment 5•7 years ago
decoder, are you still seeing that, now that the compareExchange bug is fixed?
Flags: needinfo?(jdemooij) → needinfo?(choller)
Comment 6•7 years ago

(In reply to Jan de Mooij [:jandem] from comment #5)
> decoder, are you still seeing that,

Er, seeing *this*.
Reporter
Comment 7•7 years ago
This stopped showing up in fuzzing on Oct 27, so I assume it got fixed by the compareExchange bug. Thanks!
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE