Open Bug 1893577 Opened 2 months ago Updated 2 months ago

Crash in [@ OOM | large | js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash | JS::Value::bitsFromTagAndPayload]

Categories

(Core :: JavaScript: GC, defect, P3)

Unspecified
Windows 10
defect

People

(Reporter: worcester12345, Unassigned)

References

(Blocks 2 open bugs)

Details

Crash report: https://crash-stats.mozilla.org/report/index/45c894f2-78c1-4bea-91ff-d223e0231219

MOZ_CRASH Reason: [unhandlable oom] Failed to allocate new chunk during GC

Top 10 frames:

0  xul.dll  MOZ_Crash(char const*, int, char const*)  mfbt/Assertions.h:281
0  xul.dll  js::AutoEnterOOMUnsafeRegion::crash(char const*)  js/src/vm/JSContext.cpp:1304
1  xul.dll  js::AutoEnterOOMUnsafeRegion::crash(unsigned long long, char const*)  js/src/vm/JSContext.cpp:1320
2  xul.dll  JS::Value::bitsFromTagAndPayload(JSValueTag, unsigned long long)  js/public/Value.h:561
2  xul.dll  JS::Value::setBigInt(JS::BigInt*)  js/public/Value.h:622
2  xul.dll  JS::BigIntValue(JS::BigInt*)  js/public/Value.h:1158
2  xul.dll  js::gc::TenuringTracer::traverse(JS::Value*)  js/src/gc/Tenuring.cpp:161
2  xul.dll  js::gc::TenuringTracer::traceSlots(JS::Value*, JS::Value*)  js/src/gc/Tenuring.cpp:448
2  xul.dll  js::gc::TenuringTracer::traceObjectSlots::<lambda_0>::operator()(js::HeapSlot...  js/src/gc/Tenuring.cpp:441
2  xul.dll  js::NativeObject::forEachSlotRangeUnchecked(unsigned int, unsigned int, js::g...  js/src/vm/NativeObject.h:766

The severity field is not set for this bug.
:mak, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mak)
Component: General → JavaScript: GC
Flags: needinfo?(mak)
Product: Firefox → Core

The stack is a bit broken … The TenuringTracer::traverse function is calling onNonForwardedNurseryBigInt which can itself fail with the MOZ_CRASH reason [unhandlable oom] Failed to allocate new chunk during GC. The BigIntValue initialization is mixed up by the compiler and reported here.

Looking at the memory usage, and given that there is ~700 MB remaining, this bug would suggest that we hit the soft-limit.

I would recommend adding a MOZ_CRASH next to the soft limit or somehow bubbling up using a Result type, such that the unhandlable oom can be reported as being a soft-limit.

Severity: -- → S4
Priority: -- → P3
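
The recommendation in the comment above, as an added example (not SpiderMonkey code and not written by anyone on this bug): a toy chunk pool whose allocator returns the cause of a failure, so the crash reason can tell a soft limit apart from real exhaustion. `ChunkPool`, `ChunkAllocStatus`, `tenureChunks` and the suffixes appended to the crash reason are hypothetical, and the pool only does byte accounting.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// All names are hypothetical; this models the idea, not the engine's allocator.
enum class ChunkAllocStatus { Ok, SoftLimitReached, SystemOutOfMemory };

const std::size_t kMiB = 1024 * 1024;

// Toy accounting model: no memory is mapped, only byte counters move.
class ChunkPool {
 public:
  ChunkPool(std::size_t softLimit, std::size_t systemFree)
      : softLimit_(softLimit), systemFree_(systemFree), used_(0) {}

  // Returns why the allocation failed instead of a bare null pointer.
  ChunkAllocStatus allocate(std::size_t bytes) {
    if (bytes > systemFree_) return ChunkAllocStatus::SystemOutOfMemory;
    // used_ never exceeds softLimit_, so the subtraction cannot wrap.
    if (bytes > softLimit_ - used_) return ChunkAllocStatus::SoftLimitReached;
    used_ += bytes;
    systemFree_ -= bytes;
    return ChunkAllocStatus::Ok;
  }

 private:
  std::size_t softLimit_, systemFree_, used_;
};

// Base text is the reason quoted in this bug; the suffixes are constructed.
std::string crashReason(ChunkAllocStatus s) {
  const std::string base =
      "[unhandlable oom] Failed to allocate new chunk during GC";
  if (s == ChunkAllocStatus::SoftLimitReached) return base + " (soft limit reached)";
  if (s == ChunkAllocStatus::SystemOutOfMemory) return base + " (system out of memory)";
  return "";
}

// Stand-in for a tenuring pass that needs `count` chunks and cannot recover.
// Returns the reason a real build would crash with, or "" if all chunks fit.
std::string tenureChunks(ChunkPool& pool, std::size_t chunkBytes, int count) {
  for (int i = 0; i < count; ++i) {
    ChunkAllocStatus s = pool.allocate(chunkBytes);
    if (s != ChunkAllocStatus::Ok) return crashReason(s);
  }
  return "";
}

int main() {
  ChunkPool pool(4 * kMiB, 700 * kMiB);  // constructed: small limit, ~700 MB free
  std::cout << tenureChunks(pool, kMiB, 5) << "\n";
}
```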