Closed Bug 1547179 Opened 5 years ago Closed 5 years ago

Assertion failure: collectCoverage(), at js/src/vm/Realm.cpp:341

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Attachments

(2 files)

Detailed Crash Information
10.04 KB, text/plain
Details
Bug 1547179 - Remove an assertion that's no longer valid because rt->profilingScripts no longer implies IsLCovEnabled. r?nbp!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 7e40e33da3da (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager --ion-pgo=off --gc-zeal=2 --dump-bytecode):

quit();

Backtrace:

#0 JS::Realm::traceRoots (this=0x7f0ae0553800, trc=0x7f0ae051c6d0, traceOrMark=<optimized out>) at js/src/vm/Realm.cpp:341
#1 0x0000557d5a590e9d in js::gc::GCRuntime::traceRuntimeCommon (this=<optimized out>, trc=0x7f0ae051c6d0, traceOrMark=js::gc::GCRuntime::MarkRuntime) at js/src/gc/RootMarking.cpp:383
#2 0x0000557d5a5906c2 in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0x7f0ae051b6d8, trc=0x7f0ae051c6d0, session=...) at js/src/gc/RootMarking.cpp:285
#3 0x0000557d5a4f3c54 in js::gc::GCRuntime::beginMarkPhase (this=0x7f0ae051b6d8, reason=<optimized out>, session=...) at js/src/gc/GC.cpp:4407
#4 0x0000557d5a504f3d in js::gc::GCRuntime::incrementalSlice (this=0x7f0ae051b6d8, budget=..., reason=JS::GCReason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7024
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/24740ab9a726
user: Jan de Mooij
date: Thu Apr 25 13:35:55 2019 +0000
summary: Bug 1546934 - Change LCov code coverage machinery to use a process-wide flag. r=nbp

Jan, is bug 1546934 a likely regressor?

Flags: needinfo?(jdemooij)
Regressed by: 1546934
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Priority: -- → P1

Great test case :)

Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dcdecf563747 Remove an assertion that's no longer valid because rt->profilingScripts no longer implies IsLCovEnabled. r=nbp
Pushed by malexandru@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/dcdecf563747 Remove an assertion that's no longer valid because rt->profilingScripts no longer implies IsLCovEnabled. r=nbp

https://hg.mozilla.org/mozilla-central/rev/dcdecf563747

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: