Closed Bug 1909003 Opened 7 months ago Closed 7 months ago

Assertion failure: !storeBuffer().mayHavePointersToDeadCells(), at gc/Sweeping.cpp:2368

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
130 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox128 --- unaffected
firefox129 --- wontfix
firefox130 --- fixed

People

(Reporter: gkw, Assigned: sfink)

References

(Blocks 2 open bugs)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file debug shell stack
gczeal(17);
transplantableObject().transplant(newGlobal());
gc();
2368      MOZ_ASSERT(!storeBuffer().mayHavePointersToDeadCells());
(gdb) bt
#0  js::gc::GCRuntime::performSweepActions (this=0x7ffff662c798, budget=...) at /home/giga16g/trees/mozilla-central/js/src/gc/Sweeping.cpp:2368
#1  0x0000555557cc427b in js::gc::GCRuntime::incrementalSlice (this=this@entry=0x7ffff662c798, budget=..., reason=reason@entry=JS::GCReason::RESET, budgetWasIncreased=<optimized out>) at /home/giga16g/trees/mozilla-central/js/src/gc/GC.cpp:3883
#2  0x0000555557cc730e in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff662c798, nonincrementalByAPI=true, budgetArg=..., reason=JS::GCReason::RESET, reason@entry=JS::GCReason::API) at /home/giga16g/trees/mozilla-central/js/src/gc/GC.cpp:4385
#3  0x0000555557cc8c64 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff662c798, nonincrementalByAPI=true, budget=..., reason=reason@entry=JS::GCReason::API) at /home/giga16g/trees/mozilla-central/js/src/gc/GC.cpp:4576
#4  0x0000555557c9400a in js::gc::GCRuntime::gc (this=0x7ffff662c798, options=JS::GCOptions::Normal, reason=JS::GCReason::API) at /home/giga16g/trees/mozilla-central/js/src/gc/GC.cpp:4653
#5  0x0000555557cf11bc in JS::NonIncrementalGC (cx=cx@entry=0x7ffff6636100, options=options@entry=JS::GCOptions::Normal, reason=reason@entry=JS::GCReason::API) at /home/giga16g/trees/mozilla-central/js/src/gc/GCAPI.cpp:298
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/417d42aa08ef
user:        Jon Coppeard
date:        Fri Jul 12 09:33:13 2024 +0000
summary:     Bug 1871303 - Ensure there is no more marking at the start of sweeping r=sfink

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --no-ggc, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 0614dadb2b13.

Setting s-s to be safe. Jon, is bug 1871303 a likely regressor?

(Please set a regressed-by entry to bug 1871303 - I cannot add it as it is marked as s-s)

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
Group: core-security → javascript-core-security

This is an excessive assertion due to disabling generational GC. --disable-ggc makes the store buffer disabled, but that does not stop transplant from setting the mayHavePointersToDeadCells_ to true and it later being checked.

Flags: needinfo?(jcoppeard)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P1

Unhiding because this sounds like an overly strict assertion.

Group: javascript-core-security

Comment on attachment 9413937 [details]
Bug 1909003 - Allow disabling the nursery via gcparam

Revision D217186 was moved to bug 1906255. Setting attachment 9413937 [details] to obsolete.

Attachment #9413937 - Attachment is obsolete: true
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e29bffa8e7de
It doesn't matter if a disabled store buffer thinks it may have pointers to dead cells. It does not. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
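As an added illustration of Jon's diagnosis above and of the rationale in the landed commit message, here is a simplified model of the store buffer flag. It is not SpiderMonkey's code: the struct layout, the transplant stand-in, the minorGC() helper and the exact shape of the fixed check are assumptions made for the example.

```cpp
// Simplified model of the bug, not SpiderMonkey's own code.
#include <unordered_set>

struct Cell { int id; };

struct StoreBuffer {
  bool enabled_ = true;                     // false under --no-ggc
  bool mayHavePointersToDeadCells_ = false;
  std::unordered_set<const Cell*> wholeCells_;

  void disable() { enabled_ = false; wholeCells_.clear(); }
  // Buffering an edge is already gated on the buffer being enabled.
  void putWholeCell(const Cell* c) { if (enabled_) wholeCells_.insert(c); }
  // Transplant sets this flag unconditionally, enabled or not.
  void setMayHavePointersToDeadCells() { mayHavePointersToDeadCells_ = true; }
  // Pre-fix query: the raw flag, even for a disabled buffer.
  bool mayHavePointersToDeadCellsBuggy() const { return mayHavePointersToDeadCells_; }
  // Post-fix query (assumed shape of the landed change): a disabled buffer
  // holds no edges, so it cannot point at dead cells.
  bool mayHavePointersToDeadCellsFixed() const {
    return enabled_ && mayHavePointersToDeadCells_;
  }
  // A nursery collection drains the buffer and clears the flag. With the
  // nursery disabled no such collection runs, so nothing ever clears it.
  void minorGC() { wholeCells_.clear(); mayHavePointersToDeadCells_ = false; }
};

// Stand-in for transplantableObject().transplant(): the moved object's old
// cell is recorded and the buffer is flagged as possibly stale.
void transplant(StoreBuffer& sb, const Cell* oldCell) {
  sb.putWholeCell(oldCell);
  sb.setMayHavePointersToDeadCells();
}

// True when the MOZ_ASSERT at the start of sweeping would pass.
bool sweepAssertionHolds(const StoreBuffer& sb, bool fixed) {
  return fixed ? !sb.mayHavePointersToDeadCellsFixed()
               : !sb.mayHavePointersToDeadCellsBuggy();
}

// The attached testcase's flow with generational GC disabled (--no-ggc).
bool reproduce(bool fixed) {
  StoreBuffer sb;
  sb.disable();
  Cell c{1};
  transplant(sb, &c);
  return sweepAssertionHolds(sb, fixed);
}
```

With the buffer disabled, the pre-fix check trips on a flag that no buffered edge backs, while the post-fix check ignores it; with the buffer enabled, a nursery collection before sweeping clears the flag either way.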

The patch landed in nightly and beta is affected.
:sfink, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox129 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(sphink)
Flags: needinfo?(sphink)
Flags: sec-bounty? → sec-bounty-
