Closed Bug 1652281 Opened 5 years ago Closed 5 years ago

Assertion failure: emptyChunks(lock).count() == 0, at gc/GC.cpp:3279 with --nursery-strings=off

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox78 --- unaffected
firefox79 --- unaffected
firefox80 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(3 files)

testcase.js
11.07 KB, text/plain
Details
stack
4.34 KB, text/plain
Details
Bug 1652281 - Remove assertion about empty chunks pool that no longer always holds r?sfink
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.js

The testcase is almost fully-reduced, but is fairly reliable. Tested on m-c rev 576f33282a08, run with --fuzzing-safe --no-threads --no-baseline --no-ion --nursery-strings=off, compiled with GCC 9.3.0

AR=ar sh ./configure --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/77a3b9246b5b
user:        Jon Coppeard
date:        Fri Jul 10 17:02:42 2020 +0000
summary:     Bug 1652019 - Move more of decommit logic off-thread r=sfink

Unsure how bad this is, but setting s-s as it is a GC assert and the assert does not seem to be in #ifdef code.

However, it involves oomTest, and --nursery-strings=off, and requires more-deterministic mode, so maybe not, I'll leave it to the GC gurus.

Flags: sec-bounty?
Flags: needinfo?(sphink)
Flags: needinfo?(jcoppeard)
Attached file stack 
(gdb) bt
#0  js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking (this=0x7ffff6929728, lock=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3279
#1  0x0000555557a3d48f in js::gc::GCRuntime::decommitFreeArenas (this=0x7ffff6929728, cancel=@0x7fffffffa590: false, lock=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3257
#2  0x0000555557a3d0ac in js::gc::BackgroundDecommitTask::run (this=0x7ffff692af58) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3233
#3  0x0000555557a661ec in js::GCParallelTask::runTask (this=0x7ffff692af58) at /home/skygentoo/trees/mozilla-central/js/src/gc/GCParallelTask.cpp:146
#4  0x0000555557a3cc10 in js::GCParallelTask::runFromMainThread (this=0x7ffff692af58) at /home/skygentoo/trees/mozilla-central/js/src/gc/GCParallelTask.cpp:120
#5  js::gc::GCRuntime::startDecommit (this=0x7ffff6929728) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:3220
#6  0x0000555557a58a42 in js::gc::GCRuntime::incrementalSlice (this=0x7ffff6929728, budget=..., gckind=..., reason=<optimized out>, session=...) at /home/skygentoo/trees/mozilla-central/js/src/gc/GC.cpp:6758
OS: Linux → All
Assignee: nobody → jcoppeard
Flags: needinfo?(sphink)
Flags: needinfo?(jcoppeard)

GCRuntime::decommitFreeArenasWithoutUnlocking can now get called in situations when we do have empty chunks, e.g. when handling OOM in GCRuntime::decommitFreeArenas. We can just remove this assertion.

Set release status flags based on info from the regressing bug 1652019

status-firefox78: --- → unaffected
status-firefox79: --- → unaffected
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected

https://hg.mozilla.org/integration/autoland/rev/981dac52307ecb57fc43a29bd3c55df97d450fe2
https://hg.mozilla.org/mozilla-central/rev/981dac52307e

Group: core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox80: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

Looks like not a security bug.

Group: core-security-release
Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: