Closed Bug 1828029 Opened 2 years ago Closed 2 years ago

Gecko Assertion failure: retainedBytes_ >= nbytes, at /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:770

Categories: Core :: JavaScript: GC (defect)

RESOLVED DUPLICATE of bug 1827072

People: Reporter: phambao1340, Unassigned, NeedInfo

Details: Keywords: reporter-external; Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Run the following JavaScript code

function f1() {
  return 0;
}
// The function object doubles as the options object passed to newString().
f1.tenured = f1;
f1.capacity = 1000000000;
// newString() is a test-only function in the SpiderMonkey shell (jsshell).
this.newString(0, f1);

Gecko fails at

Assertion failure: retainedBytes_ >= nbytes, at /builds/worker/checkouts/gecko/js/src/gc/Scheduling.h:770

Thread 1 "1403" received signal SIGSEGV, Segmentation fault.
0x0000555556b7bc5e in js::ZoneAllocator::removeCellMemory(js::gc::Cell*, unsigned long, js::MemoryUse, bool) ()
(gdb) bt
#0  0x0000555556b7bc5e in js::ZoneAllocator::removeCellMemory(js::gc::Cell*, unsigned long, js::MemoryUse, bool) ()
#1  0x00005555576849c1 in JSLinearString::finalize(JS::GCContext*) ()
#2  0x00005555576886df in unsigned long js::gc::Arena::finalize<JSString>(JS::GCContext*, js::gc::AllocKind, unsigned long)
    ()
#3  0x000055555765afea in FinalizeArenas(JS::GCContext*, js::gc::ArenaList&, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&) ()
#4  0x00005555576599c8 in js::gc::GCRuntime::backgroundFinalize(JS::GCContext*, JS::Zone*, js::gc::AllocKind, js::gc::Arena**) ()
#5  0x000055555765ba4b in js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&) ()
#6  0x000055555765c365 in js::gc::GCRuntime::sweepFromBackgroundThread(js::AutoLockHelperThreadState&) ()
#7  0x00005555575e8748 in js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&) ()
#8  0x00005555575e8083 in js::GCParallelTask::runFromMainThread(js::AutoLockHelperThreadState&) ()
#9  0x00005555575e7dd5 in js::GCParallelTask::runFromMainThread() ()
#10 0x000055555765c219 in js::gc::GCRuntime::queueZonesAndStartBackgroundSweep(js::gc::ZoneList&&) ()
#11 0x0000555557667669 in js::gc::GCRuntime::endSweepingSweepGroup(JS::GCContext*, js::SliceBudget&) ()
#12 0x0000555557691c21 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#13 0x000055555768a05f in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#14 0x000055555766b1e0 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#15 0x00005555575bf277 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#16 0x00005555575c2548 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#17 0x00005555575c36f4 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#18 0x000055555758f5da in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#19 0x000055555704a095 in JSRuntime::destroyRuntime() ()
#20 0x0000555556ef96f5 in js::DestroyContext(JSContext*) ()
#21 0x0000555556b6b704 in main ()
Flags: sec-bounty?
Group: firefox-core-security → javascript-core-security
Component: Security → JavaScript: GC
Product: Firefox → Core

Please symbolicate your stacks. Stacks like these are not useful and make triaging your bug reports harder.

Is this a duplicate of bug 1827072 or a different issue?

Flags: needinfo?(sphink)

zx: is this crash solved for you on nightly now, or do you still see it? (builds starting April 17)

Flags: needinfo?(phambao1340)

It is solved on HEAD now.

Flags: needinfo?(phambao1340)
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1827072
Resolution: --- → DUPLICATE

newString() turns out to be an internal test-only function in our jsshell.

Group: javascript-core-security
Flags: sec-bounty? → sec-bounty-