Closed Bug 1744979 Opened 2 years ago Closed 2 years ago

Intermittent Assertion failure: freeCount == info.numArenasFree, at z:/task_163896313650971/src/js/src/gc/Heap.cpp:616

Categories

(Core :: JavaScript: GC, defect, P5)

Tracking

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- unaffected
firefox96 --- unaffected
firefox97 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Filed by: ctuns [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=360506618&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/duqaWgv9QaisR2twaZWcYg/runs/0/artifacts/public/logs/live_backing.log


[task 2021-12-08T12:30:16.099Z] TEST-PASS | js\src\jit-test\tests\gc\bug-1411302.js | Success (code 0, args "") [0.1 s]
[task 2021-12-08T12:30:16.283Z] Assertion failure: freeCount == info.numArenasFree, at z:/task_163896313650971/src/js/src/gc/Heap.cpp:616
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #01: js::gc::TenuredChunk::verify (z:\task_163896313650971\src\js\src\gc\Heap.cpp:616)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #02: js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking (z:\task_163896313650971\src\js\src\gc\GC.cpp:1790)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #03: js::gc::GCRuntime::decommitFreeArenas (z:\task_163896313650971\src\js\src\gc\GC.cpp:1775)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #04: js::gc::BackgroundDecommitTask::run (z:\task_163896313650971\src\js\src\gc\GC.cpp:1713)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #05: js::GCParallelTask::runTask (z:\task_163896313650971\src\js\src\gc\GCParallelTask.cpp:176)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #06: js::GCParallelTask::runHelperThreadTask (z:\task_163896313650971\src\js\src\gc\GCParallelTask.cpp:164)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #07: js::GlobalHelperThreadState::runTaskLocked (z:\task_163896313650971\src\js\src\vm\HelperThreads.cpp:2377)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #08: js::GlobalHelperThreadState::runOneTask (z:\task_163896313650971\src\js\src\vm\HelperThreads.cpp:2344)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.283Z] #09: js::HelperThread::threadLoop (z:\task_163896313650971\src\js\src\vm\InternalThreadPool.cpp:271)
[task 2021-12-08T12:30:16.283Z] 
[task 2021-12-08T12:30:16.287Z] #10: js::HelperThread::ThreadMain (z:\task_163896313650971\src\js\src\vm\InternalThreadPool.cpp:215)
[task 2021-12-08T12:30:16.287Z] 
[task 2021-12-08T12:30:16.287Z] #11: js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool *, js::HelperThread *),js::InternalThreadPool *&,js::HelperThread *>::Start (z:\task_163896313650971\src\js\src\threading\Thread.h:210)
[task 2021-12-08T12:30:16.287Z] 
[task 2021-12-08T12:30:16.287Z] #12: crt_at_quick_exit[C:\Windows\SYSTEM32\ucrtbase.DLL +0x6be1d]
[task 2021-12-08T12:30:16.287Z] 
[task 2021-12-08T12:30:16.287Z] #13: BaseThreadInitThunk[C:\Windows\system32\KERNEL32.DLL +0x13d2]
[task 2021-12-08T12:30:16.287Z] 
[task 2021-12-08T12:30:16.287Z] #14: RtlUserThreadStart[C:\Windows\SYSTEM32\ntdll.dll +0x154e4]
[task 2021-12-08T12:30:16.287Z] 
[task 2021-12-08T12:30:16.287Z] Exit code: 2147483651
[task 2021-12-08T12:30:16.287Z] FAIL - gc\bug-1411302.js
[task 2021-12-08T12:30:16.287Z] TEST-UNEXPECTED-FAIL | js\src\jit-test\tests\gc\bug-1411302.js | Assertion failure: freeCount == info.numArenasFree, at z:/task_163896313650971/src/js/src/gc/Heap.cpp:616 (code 2147483651, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.2 s]
[task 2021-12-08T12:30:16.287Z] INFO exit-status     : 2147483651
[task 2021-12-08T12:30:16.287Z] INFO timed-out       : False
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> Assertion failure: freeCount == info.numArenasFree, at z:/task_163896313650971/src/js/src/gc/Heap.cpp:616
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #01: js::gc::TenuredChunk::verify (z:\task_163896313650971\src\js\src\gc\Heap.cpp:616)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #02: js::gc::GCRuntime::decommitFreeArenasWithoutUnlocking (z:\task_163896313650971\src\js\src\gc\GC.cpp:1790)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #03: js::gc::GCRuntime::decommitFreeArenas (z:\task_163896313650971\src\js\src\gc\GC.cpp:1775)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #04: js::gc::BackgroundDecommitTask::run (z:\task_163896313650971\src\js\src\gc\GC.cpp:1713)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #05: js::GCParallelTask::runTask (z:\task_163896313650971\src\js\src\gc\GCParallelTask.cpp:176)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #06: js::GCParallelTask::runHelperThreadTask (z:\task_163896313650971\src\js\src\gc\GCParallelTask.cpp:164)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #07: js::GlobalHelperThreadState::runTaskLocked (z:\task_163896313650971\src\js\src\vm\HelperThreads.cpp:2377)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #08: js::GlobalHelperThreadState::runOneTask (z:\task_163896313650971\src\js\src\vm\HelperThreads.cpp:2344)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #09: js::HelperThread::threadLoop (z:\task_163896313650971\src\js\src\vm\InternalThreadPool.cpp:271)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #10: js::HelperThread::ThreadMain (z:\task_163896313650971\src\js\src\vm\InternalThreadPool.cpp:215)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #11: js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool *, js::HelperThread *),js::InternalThreadPool *&,js::HelperThread *>::Start (z:\task_163896313650971\src\js\src\threading\Thread.h:210)
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #12: crt_at_quick_exit[C:\Windows\SYSTEM32\ucrtbase.DLL +0x6be1d]
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #13: BaseThreadInitThunk[C:\Windows\system32\KERNEL32.DLL +0x13d2]
[task 2021-12-08T12:30:16.287Z] INFO stderr         2> #14: RtlUserThreadStart[C:\Windows\SYSTEM32\ntdll.dll +0x154e4]
[task 2021-12-08T12:30:16.409Z] TEST-PASS | js\src\jit-test\tests\gc\bug-1411302.js | Success (code 0, args "--baseline-eager") [0.1 s]
Assignee: nobody → jcoppeard
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0fda7a409875
Update chunk metadata correctly when decommitting empty chunks in response to out of memory r=sfink
Group: javascript-core-security
Regressed by: 1744286
Has Regression Range: --- → yes
Keywords: regression

Set release status flags based on info from the regressing bug 1744286

It doesn't really matter because this is Nightly-only and a fix has already been landed, but what are the security consequences for this bug? Thanks.

Flags: needinfo?(jcoppeard)

Update chunk metadata correctly when decommitting empty chunks in response to out of memory r=sfink
https://hg.mozilla.org/integration/autoland/rev/0fda7a409875acf5bdef9a15a0fe95ccd4f45882
https://hg.mozilla.org/mozilla-central/rev/0fda7a409875

Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

(In reply to Andrew McCreight [:mccr8] from comment #6)
The problem is that the metadata about which pages have been soft decommitted is not updated correctly, but I'm not sure this has any adverse consequences. I set the flag to be cautious and because bug 1745145 had observed other crashes than this assertion failure.

Flags: needinfo?(jcoppeard)

Ok, thanks. I guess I'll mark this sec-audit.

Keywords: sec-audit
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release