Assertion failure: !zone->uniqueIds().has(tgt), at gc/StableCellHasher-inl.h:140
Categories
(Core :: JavaScript: GC, defect, P2)
Tracking
()
People
(Reporter: gkw, Assigned: jonco)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
var x = newGlobal().Int8Array;
for (let i = 0; i < 2; i++) {
function f() {}
oomTest(function() {
new x().__proto__ = f;
});
}
140 MOZ_ASSERT(!zone->uniqueIds().has(tgt));
(gdb) bt
#0 js::gc::TransferUniqueId (tgt=0x21fe74f86040, src=0xf0a8e501ca0) at /home/yksubu/trees/mozilla-central/js/src/gc/StableCellHasher-inl.h:140
#1 0x0000555557d3932a in js::Nursery::sweep (this=this@entry=0x7ffff66317f0) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1689
#2 0x0000555557d361a2 in js::Nursery::doCollection (this=this@entry=0x7ffff66317f0, session=..., options=options@entry=JS::GCOptions::Shutdown, reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1421
#3 0x0000555557d3563f in js::Nursery::collect (this=0x7ffff66317f0, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/Nursery.cpp:1175
#4 0x0000555557caf3ad in js::gc::GCRuntime::collectNursery (this=this@entry=0x7ffff662f798, options=JS::GCOptions::Shutdown, reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4735
#5 0x0000555557cae2e7 in js::gc::GCRuntime::collectNurseryFromMajorGC (this=0x7ffff662f798, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:3881
#6 js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff662f798, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME, budgetWasIncreased=false) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:3719
#7 0x0000555557cb194e in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff662f798, nonincrementalByAPI=true, budgetArg=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4307
#8 0x0000555557cb3254 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff662f798, nonincrementalByAPI=true, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4498
#9 0x0000555557c7fcba in js::gc::GCRuntime::gc (this=0x7ffff662f798, options=JS::GCOptions::Shutdown, reason=JS::GCReason::DESTROY_RUNTIME) at /home/yksubu/trees/mozilla-central/js/src/gc/GC.cpp:4575
#10 0x00005555576a11d0 in JSRuntime::destroyRuntime (this=0x7ffff662f000) at /home/yksubu/trees/mozilla-central/js/src/vm/Runtime.cpp:258
/snip
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a8b602d1067a
user: Jon Coppeard
date: Wed May 10 08:27:02 2023 +0000
summary: Bug 1832044 - Part 5: Move some parts of allocation out of line r=sfink
Run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments
, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests
, tested on m-c rev 343e945a502e.
I do have at least one another testcase for this assertion failure that does not involve oomTest
but which cannot be reproduced.
Setting s-s to be safe. Jon, is bug 1832044 a likely regressor?
Updated•7 months ago
|
Comment 1•7 months ago
|
||
Set release status flags based on info from the regressing bug 1832044
Updated•7 months ago
|
Assignee | ||
Comment 2•7 months ago
|
||
We can have duplicates of the same cell in the Nursery::cellsWithUid_ vector,
e.g. if we repeatedly try to add a unique ID but fail half way through due to
OOM. That could lead to triggering this assertion than the target of an ID
trasfer doesn't already have an ID. However when this happens the source of the
transfer has already had the ID removed.
This case is handled by HashMap::rekeyAs, called from rekeyIfMoved in the
following line, as it first looks up the source cell in the map and does
nothing if it's not present.
The fix is to relax the assertion.
Updated•7 months ago
|
Updated•7 months ago
|
Updated•7 months ago
|
Assignee | ||
Updated•7 months ago
|
Comment 4•7 months ago
|
||
bugherder |
Updated•7 months ago
|
Updated•7 months ago
|
Reporter | ||
Updated•6 months ago
|
Updated•4 months ago
|
Description
•