Assertion failure: isIncremental, at gc/GC.cpp:6976 with OOM
Categories: Core :: JavaScript: GC, defect, P1

Tracking

Release | Tracking flag | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox89 | --- | wontfix
firefox90 | --- | fixed
firefox91 | --- | verified
People
(Reporter: decoder, Assigned: sfink)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments (2 files)
- 79 bytes, text/plain
- 48 bytes, text/x-phabricator-request (flag: jcristau: approval-mozilla-beta+)
The following testcase crashes on mozilla-central revision 20210603-3350b68026ed (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
oomTest(function() {    // rerun the body, injecting an allocation failure at each successive allocation site
grayRoot();             // shell helper: create a gray-marked GC root
gczeal(8);              // zeal mode 8: an incremental GC that yields before marking
gcslice(new.target);    // start/continue an incremental GC slice; new.target is undefined in this non-constructor call
})
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555574776d9 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#1 0x0000555557479cc3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#2 0x000055555747b03b in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#3 0x00005555574433b5 in js::gc::GCRuntime::finishGC(JS::GCReason) ()
#4 0x00005555570b90d8 in RunIterativeFailureTest(JSContext*, IterativeFailureTestParams const&, IterativeFailureSimulator&) ()
#5 0x00005555570d2f31 in OOMTest(JSContext*, unsigned int, JS::Value*) ()
#6 0x0000555556ba3151 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7 0x0000555556ba2886 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8 0x0000555556ba3cc1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#9 0x0000555556b97e9d in Interpret(JSContext*, js::RunState&) ()
#10 0x0000555556b8f931 in js::RunScript(JSContext*, js::RunState&) ()
#11 0x0000555556ba53f6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556ba5924 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556d5790f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#14 0x0000555556d57b0a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#15 0x0000555556a70a75 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#16 0x0000555556a70100 in Process(JSContext*, char const*, bool, FileKind) ()
#17 0x0000555556a179ab in Shell(JSContext*, js::cli::OptionParser*) ()
#18 0x0000555556a0f097 in main ()
rax 0x5555557296a8 93824994154152
rbx 0x7fffffffbb50 140737488337744
rcx 0x555558058e28 93825037340200
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffbae0 140737488337632
rsp 0x7fffffffb9f0 140737488337392
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x19 25
r13 0x19 25
r14 0x7ffff603b750 140737320826704
r15 0x7ffff603b750 140737320826704
rip 0x5555574776d9 <js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason)+5433>
=> 0x5555574776d9 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5433>: movl $0x1b40,0x0
0x5555574776e4 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5444>: callq 0x555556a9a9fa <abort>
Very likely some kind of bad interaction between OOM testing and the GC helpers in the JS shell.
Comment 1 (Reporter, 3 years ago)

Comment 2 (3 years ago)
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210604154219-963df76dc655.
The bug appears to have been introduced in the following build range:
Start: 95ffbba7dc9a727b30684007c2aa62d2d194b254 (20210119165637)
End: 103aa530a6428b10e73fb1c182ce62c417518391 (20210119165822)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=95ffbba7dc9a727b30684007c2aa62d2d194b254&tochange=103aa530a6428b10e73fb1c182ce62c417518391
Comment 3 (3 years ago)
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c10a52874ea2 do not yield during an incremental GC that was turned nonincremental by gray root buffering failure r=jonco
Comment 5 (3 years ago) [bugherder]
Comment 6 (3 years ago)
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210610034606-52f82029a1e5.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 7 (3 years ago)
:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 8 (Assignee, 3 years ago)
It turns out that my patch is directly reverting a change from bug 1686774.
Comment 9 (3 years ago)
The patch landed in nightly and beta is affected.
:sfink, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Comment 10 (Assignee, 3 years ago)
Comment on attachment 9226167 [details]
Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure
Beta/Release Uplift Approval Request
- User impact if declined: Assertion in tests, some slightly weird (potentially crashy) behavior near OOM.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch reverts an unintended change, and just adds another case that falls back to a safe path.
- String changes made/needed: none
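The commit message and the uplift note above describe the failure mode in one sentence: gray-root buffering fails under OOM, the collection is downgraded to a non-incremental one, but a yield point still fires, and the next slice trips the isIncremental assertion. The following is an added toy model written for this page, not SpiderMonkey code and not the patch from this bug; every name in it (ToyGC, incrementalSlice, bufferGrayRoots, fixApplied) is hypothetical, the real GC has many more states, and the exact yield point in GC.cpp is not reproduced. It shows why a mode flag that can flip mid-operation has to be re-checked at every yield point, which is the "falls back to a safe path" case the fix adds.

```cpp
// Added toy model (not SpiderMonkey code): a two-slice "incremental" GC whose
// gray-root buffering can fail, mirroring the failure mode described in this
// bug. All names are hypothetical.
#include <cstdio>
#include <stdexcept>

enum class State { NotActive, Prepare, Mark };

struct ToyGC {
  State state = State::NotActive;
  bool isIncremental = false;
  bool yieldBeforeMarking = false;  // stands in for a two-slice zeal mode such as gczeal(8)
  bool grayBufferingFails = false;  // simulated OOM while buffering gray roots
  bool fixApplied = false;          // true: re-check isIncremental before yielding

  // Pretend to buffer gray roots; false models an allocation failure.
  bool bufferGrayRoots() const { return !grayBufferingFails; }

  // Runs one slice. Returns true if the slice yielded and the collection is
  // still in progress, false once the collection has finished.
  bool incrementalSlice(bool requestIncremental) {
    if (state == State::NotActive) {
      isIncremental = requestIncremental;
      state = State::Prepare;
    } else if (!isIncremental) {
      // Resuming after a yield is only legal for an incremental collection;
      // this is the model's counterpart of the isIncremental assertion.
      throw std::logic_error("Assertion failure: isIncremental");
    }

    if (state == State::Prepare) {
      if (!bufferGrayRoots()) {
        // Fallback: the collection is downgraded to a non-incremental one
        // and must now run to completion in this slice.
        isIncremental = false;
      }
      state = State::Mark;
      // Buggy behaviour: honour the zeal yield unconditionally, even after
      // the downgrade. Fixed behaviour: yield only while still incremental.
      bool mayYield = fixApplied ? (isIncremental && yieldBeforeMarking)
                                 : yieldBeforeMarking;
      if (mayYield) return true;
    }

    // Mark and finish (sweeping etc. is elided from the model).
    state = State::NotActive;
    return false;
  }
};

// Drives a full collection for one scenario and reports whether it completed
// without tripping the assertion.
bool collectionCompletes(bool fixApplied, bool grayBufferingFails) {
  ToyGC gc;
  gc.yieldBeforeMarking = true;
  gc.grayBufferingFails = grayBufferingFails;
  gc.fixApplied = fixApplied;
  try {
    // Bounded loop so a future change to the model cannot spin forever;
    // this scenario needs at most two slices.
    for (int slices = 0; slices < 8; ++slices) {
      if (!gc.incrementalSlice(/*requestIncremental=*/true)) return true;
    }
    return false;
  } catch (const std::logic_error&) {
    return false;
  }
}

int main() {
  // Expected: 1 0 1 (no OOM completes; OOM + buggy yield asserts; OOM + fix completes)
  std::printf("%d %d %d\n", collectionCompletes(false, false),
              collectionCompletes(false, true), collectionCompletes(true, true));
  return 0;
}
```

The third scenario is the safe path the uplift note refers to: once gray-root buffering has failed, the slice ignores the zeal yield and finishes the collection in one go, so there is no resumed slice left to assert on.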
Comment 11 (3 years ago)
Comment on attachment 9226167 [details]
Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure
approved for 90.0b9
Comment 12 (3 years ago) [bugherder uplift]