Closed Bug 1872524 Opened 2 years ago Closed 2 years ago

Assertion failure: tunables.smallHeapIncrementalLimit() >= tunables.largeHeapIncrementalLimit(), at gc/Scheduling.cpp:380

Categories

(Core :: JavaScript: GC, defect, P2)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
123 Branch
Tracking Flags:
Tracking Status
firefox123 --- fixed

People

(Reporter: lukas.bernhard, Assigned: jonco)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1872524 - Maintain invariants when updating GC parameters for incremental limit r?sfink
48 bytes, text/x-phabricator-request
Details

Steps to reproduce:

On git commit 6856d0cab9e37dd9eb305f174ff71f0a95b31f82 the attached sample asserts in the js-shell when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js.

const v4 = gcparam("smallHeapIncrementalLimit");
gcparam("largeHeapIncrementalLimit", v4 + 1); 

#0  0x00005555586cb389 in js::gc::HeapThreshold::setIncrementalLimitFromStartBytes (this=0x7ffff66ed048, 
    retainedBytes=0, tunables=...) at js/src/gc/Scheduling.cpp:379
#1  0x00005555586cc326 in js::gc::GCHeapThreshold::updateStartThreshold (this=0x7ffff66ed048, lastBytes=0, 
    allocationRate=..., collectionRate=..., tunables=..., state=..., isAtomsZone=true)
    at js/src/gc/Scheduling.cpp:559
#2  0x0000555558758069 in js::ZoneAllocator::updateGCStartThresholds (this=0x7ffff66ed000, gc=...)
    at js/src/gc/Zone.cpp:67
#3  0x00005555585f77c3 in js::gc::GCRuntime::updateAllGCStartThresholds (this=0x7ffff6623728)
    at js/src/gc/GC.cpp:3334
#4  0x00005555585f73cc in js::gc::GCRuntime::setParameter (this=0x7ffff6623728, 
    key=JSGC_LARGE_HEAP_INCREMENTAL_LIMIT, value=151, lock=...) at js/src/gc/GC.cpp:1059
#5  0x00005555585f6ff6 in js::gc::GCRuntime::setParameter (this=0x7ffff6623728, cx=0x7ffff6634900, 
    key=JSGC_LARGE_HEAP_INCREMENTAL_LIMIT, value=151) at js/src/gc/GC.cpp:1013
#6  0x0000555558032474 in GCParameter (cx=0x7ffff6634900, argc=2, vp=0x7ffff54e7090)
    at js/src/builtin/TestingFunctions.cpp:875
#7  0x000055555797d82c in CallJSNative (cx=0x7ffff6634900, 
    native=0x555558032140 <GCParameter(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:479
#8  0x0000555557954573 in js::InternalCallOrConstruct (cx=0x7ffff6634900, args=..., construct=js::NO_CONSTRUCT, 
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:573
#9  0x0000555557954cf9 in InternalCall (cx=0x7ffff6634900, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:640
#10 0x0000555557954b33 in js::CallFromStack (cx=0x7ffff6634900, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:645
#11 0x000055555796338f in js::Interpret (cx=0x7ffff6634900, state=...)
    at js/src/vm/Interpreter.cpp:3060
#12 0x0000555557953f55 in MaybeEnterInterpreterTrampoline (cx=0x7ffff6634900, state=...)
    at js/src/vm/Interpreter.cpp:393
#13 0x0000555557953c01 in js::RunScript (cx=0x7ffff6634900, state=...)
    at js/src/vm/Interpreter.cpp:451
#14 0x0000555557956141 in js::ExecuteKernel (cx=0x7ffff6634900, script=..., envChainArg=..., evalInFrame=..., 
    result=...) at js/src/vm/Interpreter.cpp:838
#15 0x00005555579564bc in js::Execute (cx=0x7ffff6634900, script=..., envChain=..., rval=...)
    at js/src/vm/Interpreter.cpp:870
#16 0x0000555557b33f9f in ExecuteScript (cx=0x7ffff6634900, envChain=..., script=..., rval=...)
    at js/src/vm/CompilationAndEvaluation.cpp:494
#17 0x0000555557b340c5 in JS_ExecuteScript (cx=0x7ffff6634900, scriptArg=...)
    at js/src/vm/CompilationAndEvaluation.cpp:518
#18 0x00005555577ac02f in RunFile (cx=0x7ffff6634900, 
    filename=0x7ffff66aa160 "crash.js", file=0x7ffff7669020,                                            
    compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=false)
    at js/src/shell/js.cpp:1220
#19 0x00005555577ab8fc in Process (cx=0x7ffff6634900, 
    filename=0x7ffff66aa160 "crash.js", forceTTY=false, kind=FileScript)
    at js/src/shell/js.cpp:1800
#20 0x0000555557785471 in ProcessArgs (cx=0x7ffff6634900, op=0x7fffffffdd30)
    at js/src/shell/js.cpp:10875
#21 0x0000555557774047 in Shell (cx=0x7ffff6634900, op=0x7fffffffdd30)
    at js/src/shell/js.cpp:11137
#22 0x000055555776eec4 in main (argc=3, argv=0x7fffffffdf98) at js/src/shell/js.cpp:11541
Blocks: l11d-js-fuzzing
Component: Untriaged → JavaScript: GC
Product: Firefox → Core
Assignee: nobody → jcoppeard
Severity: -- → S3
Priority: -- → P2
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6a6df375ff62 Maintain invariants when updating GC parameters for incremental limit r=sfink

https://hg.mozilla.org/mozilla-central/rev/6a6df375ff62

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox123: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 123 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: