Closed Bug 1539019 Opened 9 months ago Closed 6 months ago

Assertion failure: false (owner_.compareExchange(nullptr, this)), at dist/include/js/Utility.h:317 with oomAtAllocation

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed
firefox69 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 55261bc2e465 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

for(let i = 0; i < 4; i++) {
    oomAtAllocation(11, 11);
    evalInWorker("");
}

Backtrace:

#0 js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0x7fab25dfdf48) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-55261bc2e465/objdir-js/dist/include/js/Utility.h:317
#1 0x0000557355d77157 in JS::Zone::getUniqueIdInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:102
#2 JS::Zone::getHashCodeInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:97
#3 0x00005573559e5abd in js::MovableCellHasher<js::TaggedProto>::hash (l=...) at js/src/vm/TaggedProto.h:82
#4 js::InitialShapeEntry::hash (lookup=...) at js/src/vm/Shape.h:1547
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e3c821833a14
user: Jon Coppeard
date: Tue Oct 10 12:07:08 2017 +0100
summary: Bug 1406455 - Disallow OOM simulation on worker threads r=jandem

Jon, is bug 1406455 a likely regressor?

Blocks: 1406455
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Gary, given comment 3, should we continue investigation here?

Flags: needinfo?(nth10sd)

(In reply to Andrew Overholt [:overholt] from comment #4)

Gary, given comment 3, should we continue investigation here?

I can still reproduce it on m-c rev 6188f3497057 (tip as of writing). I think due to oomAtAllocation the testcase may be intermittently flaky, but it seems fairly reliable most of the time.

Flags: needinfo?(nth10sd)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:]

Based on comment 2 this is not new in 68, so removing from regression triage.

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1bac1d67c9ad
Disallow simulated OOM testing of worker threads because it's not thread safe r=jandem?
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Assignee: nobody → jcoppeard
No longer blocks: 1406455
Flags: needinfo?(jcoppeard) → in-testsuite+
Regressed by: 1406455
Whiteboard: [jsbugmon:] → [jsbugmon:][checkin-needed-beta]
Whiteboard: [jsbugmon:][checkin-needed-beta] → [jsbugmon:]
You need to log in before you can comment on or make changes to this bug.