Assertion failure: newMaxNurseryChunks > 0, at js/src/gc/Nursery.cpp:1243

RESOLVED FIXED in Firefox 68

Status: RESOLVED FIXED (defect, P2, critical); reported 3 months ago, last updated 2 months ago

People: Reporter: gkw, Assigned: pbone

Tracking: Blocks 1 bug, Regression, 4 keywords
Version: Trunk
Target Milestone: mozilla68
Hardware: x86, Linux
Bug Flags: in-testsuite +

Firefox Tracking Flags: firefox-esr60 unaffected, firefox66 unaffected, firefox67 unaffected, firefox68 fixed

Whiteboard: [jsbugmon:update]

Attachments: 3 attachments (not reproduced on this page)

Description (Reporter gkw, 3 months ago)

The following testcase crashes on mozilla-central revision 93075ec49df3 (build with --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

gcparam('maxNurseryBytes', 2 ** 32 - 1);

Backtrace:

#0 js::Nursery::maybeResizeExact (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:1243
#1 0x57ed0d37 in js::Nursery::maybeResizeNursery (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:1171
#2 0x57ecd94e in js::Nursery::collect (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:795
#3 0x57e5366e in js::gc::GCRuntime::minorGC (this=0xf6b183e8, reason=JS::GCReason::DESTROY_RUNTIME, phase=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at js/src/gc/GC.cpp:7828
#4 0x57e529e7 in js::gc::GCRuntime::gcCycle (this=0xf6b183e8, nonincrementalByAPI=<optimized out>, budget=..., reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7403
/snip

For detailed crash information, see attachment.

Comment 2 (Reporter gkw, 3 months ago)

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8aaeb14dfc0c
user: Paul Bone
date: Fri Mar 22 05:15:38 2019 +0000
summary: Bug 1531626 - (part 4) Always round-nearest for nursery size r=jonco

Paul, is bug 1531626 a likely regressor?

Flags: needinfo?(pbone)
Regressed by: 1531626
Updated (Assignee pbone, 2 months ago)
Assignee: nobody → pbone
Status: NEW → ASSIGNED
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(pbone)
Priority: -- → P2
Attachment #9056468 - Attachment description: Bug 1542279 - Fix another problem with rounding down to zero r?jonco → Bug 1542279 - Fix a problem with rounding down to zero r?jonco

Comment 5 (2 months ago)
Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/142748fa228e
Guard against overflow when calculating the new max chunks r=jonco
https://hg.mozilla.org/integration/autoland/rev/8e4e52017c5d
Fix a problem with rounding down to zero r=jonco
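
As an added illustration (not code from this bug or from SpiderMonkey), the C snippet below shows how a round-to-nearest chunk computation can wrap around in 32-bit arithmetic for a request of 2 ** 32 - 1 bytes and yield zero chunks, which is the condition the assertion `newMaxNurseryChunks > 0` catches, next to a guarded version that checks for the overflow before adding the rounding term and never rounds a non-zero request down to zero. The 1 MiB chunk size, the function and constant names, and the minimum-of-one-chunk rule are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this illustration: a 1 MiB chunk and 32-bit unsigned
 * arithmetic, mirroring the i686 build in the report. The constant and
 * function names are made up and are not SpiderMonkey's. */
#define CHUNK_SIZE ((uint32_t)1 << 20)

/* Naive round-to-nearest: bytes + CHUNK_SIZE/2 wraps around when bytes is
 * close to UINT32_MAX, so a request of 2**32 - 1 bytes produces 0 chunks. */
uint32_t naive_round_nearest_chunks(uint32_t bytes) {
  return (bytes + CHUNK_SIZE / 2) / CHUNK_SIZE;
}

/* Guarded version: detect the wraparound before adding the rounding term,
 * and clamp a non-zero request to at least one chunk (assumed minimum). */
uint32_t guarded_round_nearest_chunks(uint32_t bytes) {
  const uint32_t half = CHUNK_SIZE / 2;
  uint32_t chunks;
  if (bytes > UINT32_MAX - half) {
    /* The addition would overflow; the request is already at the maximum. */
    chunks = UINT32_MAX / CHUNK_SIZE;
  } else {
    chunks = (bytes + half) / CHUNK_SIZE;
  }
  if (chunks == 0 && bytes != 0) {
    chunks = 1;  /* assumed minimum: never round a positive request to zero */
  }
  return chunks;
}

int main(void) {
  uint32_t req = UINT32_MAX;  /* the testcase's 2 ** 32 - 1 */
  printf("naive:   %u chunks\n", naive_round_nearest_chunks(req));    /* 0 */
  printf("guarded: %u chunks\n", guarded_round_nearest_chunks(req));  /* 4095 */
  printf("guarded small request: %u chunks\n",
         guarded_round_nearest_chunks(100000));  /* 1 */
  return 0;
}
```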

Comment 6 (bugherder, 2 months ago)
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68