Closed Bug 1714532 Opened 3 years ago Closed 3 years ago

Assertion failure: isIncremental, at gc/GC.cpp:6976 with OOM

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
91 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- wontfix
firefox90 --- fixed
firefox91 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(2 files)

Testcase
79 bytes, text/plain
Details
Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure
48 bytes, text/x-phabricator-request
jcristau
: approval-mozilla-beta+
Details | Review

The following testcase crashes on mozilla-central revision 20210603-3350b68026ed (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

oomTest(function() {
    grayRoot();
    gczeal(8);
    gcslice(new.target);
})

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x00005555574776d9 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#1  0x0000555557479cc3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#2  0x000055555747b03b in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) ()
#3  0x00005555574433b5 in js::gc::GCRuntime::finishGC(JS::GCReason) ()
#4  0x00005555570b90d8 in RunIterativeFailureTest(JSContext*, IterativeFailureTestParams const&, IterativeFailureSimulator&) ()
#5  0x00005555570d2f31 in OOMTest(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555556ba3151 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#7  0x0000555556ba2886 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8  0x0000555556ba3cc1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) ()
#9  0x0000555556b97e9d in Interpret(JSContext*, js::RunState&) ()
#10 0x0000555556b8f931 in js::RunScript(JSContext*, js::RunState&) ()
#11 0x0000555556ba53f6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#12 0x0000555556ba5924 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#13 0x0000555556d5790f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#14 0x0000555556d57b0a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#15 0x0000555556a70a75 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) ()
#16 0x0000555556a70100 in Process(JSContext*, char const*, bool, FileKind) ()
#17 0x0000555556a179ab in Shell(JSContext*, js::cli::OptionParser*) ()
#18 0x0000555556a0f097 in main ()
rax	0x5555557296a8	93824994154152
rbx	0x7fffffffbb50	140737488337744
rcx	0x555558058e28	93825037340200
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffbae0	140737488337632
rsp	0x7fffffffb9f0	140737488337392
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x19	25
r13	0x19	25
r14	0x7ffff603b750	140737320826704
r15	0x7ffff603b750	140737320826704
rip	0x5555574776d9 <js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason)+5433>
=> 0x5555574776d9 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5433>:	movl   $0x1b40,0x0
   0x5555574776e4 <_ZN2js2gc9GCRuntime16incrementalSliceERNS_11SliceBudgetERKN7mozilla5MaybeIN2JS9GCOptionsEEENS6_8GCReasonE+5444>:	callq  0x555556a9a9fa <abort>

Very likely some kind of bad interaction between OOM testing and the GC helpers in the JS shell.

Attached file Testcase 

    
    

    
  
Bugmon Analysis:

Verified bug as reproducible on mozilla-central 20210604154219-963df76dc655.

The bug appears to have been introduced in the following build range:




Start: 95ffbba7dc9a727b30684007c2aa62d2d194b254 (20210119165637)

End: 103aa530a6428b10e73fb1c182ce62c417518391 (20210119165822)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=95ffbba7dc9a727b30684007c2aa62d2d194b254&tochange=103aa530a6428b10e73fb1c182ce62c417518391




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Severity: -- → S3
Priority: -- → P1

    
  
Assignee: nobody → sphink
Status: NEW → ASSIGNED

    
    

    
  
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c10a52874ea2
do not yield during an incremental GC that was turned nonincremental by gray root buffering failure r=jonco

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c10a52874ea2


Status: ASSIGNED → RESOLVED
Closed: 3 years ago

          status-firefox91:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch

    
    

    
  
Bugmon Analysis:

Verified bug as fixed on rev mozilla-central 20210610034606-52f82029a1e5.

Removing bugmon keyword as no further action possible.

Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox91:
          fixedverified
Keywords: bugmon

    
    

    
  
:sfink, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?

For more information, please visit auto_nag documentation.


Flags: needinfo?(sphink)

    
    

    
  
It turns out that my patch is directly reverting a change from bug 1686774.


Flags: needinfo?(sphink)
Regressed by: 1686774

    
  
Has Regression Range: --- → yes

    
    

    
  
The patch landed in nightly and beta is affected.

:sfink, is this bug important enough to require an uplift?

If not please set status_beta to wontfix.


For more information, please visit auto_nag documentation.


Flags: needinfo?(sphink)

    
    

    
  
Comment on attachment 9226167 [details]

Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure


Beta/Release Uplift Approval Request


    

  • User impact if declined: Assertion in tests, some slightly weird (potentially crashy) behavior near OOM.
    • 

  • Is this code covered by automated tests?: Yes
    • 

  • Has the fix been verified in Nightly?: Yes
    • 

  • Needs manual test from QE?: No
    • 

  • If yes, steps to reproduce:
    • 

  • List of other uplifts needed: None
    • 

  • Risk to taking this patch: Low
    • 

  • Why is the change risky/not risky? (and alternatives if risky): The patch reverts an unintended change, and just adds another case that falls back to a safe path.
    • 

  • String changes made/needed: none
    • 



Flags: needinfo?(sphink)

        Attachment #9226167 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 9226167 [details]

Bug 1714532 - do not yield during an incremental GC that was turned nonincremental by gray root buffering failure


approved for 90.0b9



        Attachment #9226167 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: