Closed Bug 1714532 Opened 2 months ago Closed 2 months ago

Assertion failure: isIncremental, at gc/GC.cpp:6976 with OOM


(Core :: JavaScript: GC, defect, P1)




91 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- wontfix
firefox90 --- fixed
firefox91 --- verified


(Reporter: decoder, Assigned: sfink)




(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])


(2 files)

The following testcase crashes on mozilla-central revision 20210603-3350b68026ed (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

oomTest(function() {


received signal SIGSEGV, Segmentation fault.
#0  0x00005555574776d9 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#1  0x0000555557479cc3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#2  0x000055555747b03b in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#3  0x00005555574433b5 in js::gc::GCRuntime::finishGC(JS::GCReason) ()
#4  0x00005555570b90d8 in RunIterativeFailureTest(JSContext*, IterativeFailureTestParams const&, IterativeFailureSimulator&) ()
#5  0x00005555570d2f31 in OOMTest(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556ba3151 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7  0x0000555556ba2886 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8  0x0000555556ba3cc1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#9  0x0000555556b97e9d in Interpret(JSContext*, js::RunState&) ()
#10 0x0000555556b8f931 in js::RunScript(JSContext*, js::RunState&) ()
#11 0x0000555556ba53f6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556ba5924 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556d5790f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#14 0x0000555556d57b0a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#15 0x0000555556a70a75 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#16 0x0000555556a70100 in Process(JSContext*, char const*, bool, FileKind) ()
#17 0x0000555556a179ab in Shell(JSContext*, js::cli::OptionParser*) ()
#18 0x0000555556a0f097 in main ()
rax	0x5555557296a8	93824994154152
rbx	0x7fffffffbb50	140737488337744
rcx	0x555558058e28	93825037340200
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbae0	140737488337632
rsp	0x7fffffffb9f0	140737488337392
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x19	25
r13	0x19	25
r14	0x7ffff603b750	140737320826704
r15	0x7ffff603b750	140737320826704
rip	0x5555574776d9 <js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason)+5433>
=> 0x5555574776d9 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5433>:	movl   $0x1b40,0x0
   0x5555574776e4 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5444>:	callq  0x555556a9a9fa <abort>

Very likely some kind of bad interaction between OOM testing and the GC helpers in the JS shell.

Attached file Testcase

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210604154219-963df76dc655.
The bug appears to have been introduced in the following build range:

Start: 95ffbba7dc9a727b30684007c2aa62d2d194b254 (20210119165637)
End: 103aa530a6428b10e73fb1c182ce62c417518391 (20210119165822)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Severity: -- → S3
Priority: -- → P1
Assignee: nobody → sphink
Pushed by
do not yield during an incremental GC that was turned nonincremental by gray root buffering failure r=jonco
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210610034606-52f82029a1e5.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(sphink)

It turns out that my patch is directly reverting a change from bug 1686774.

Flags: needinfo?(sphink)
Regressed by: 1686774

The patch landed in nightly and beta is affected.
:sfink, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sphink)

Comment on attachment 9226167 [details]
Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure

Beta/Release Uplift Approval Request

  • User impact if declined: Assertion in tests, some slightly weird (potentially crashy) behavior near OOM.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch reverts an unintended change, and just adds another case that falls back to a safe path.
  • String changes made/needed: none
Flags: needinfo?(sphink)
Attachment #9226167 - Flags: approval-mozilla-beta?

Comment on attachment 9226167 [details]
Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure

approved for 90.0b9

Attachment #9226167 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.