Assertion failure: hasAllocatedBuffer() (the hash code scrambler is allocated in the buffer), at builtin/OrderedHashTableObject.h:1015
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox132 | --- | unaffected |
| firefox133 | --- | unaffected |
| firefox134 | --- | affected |
| firefox135 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
function f() {
new (function() {
function f() {};
(function() {
var x = new Map;
gc();
x.set({});
})();
})();
oomTest(f);
}
f();
(gdb) bt #0 js::detail::OrderedHashTableImpl<js::OrderedHashMapImpl<JS::Value, JS::Value, js::UnbarrieredHashPolicy>::Entry, js::OrderedHashMapImpl<JS::Value, JS::Value, js::UnbarrieredHashPolicy>::MapOps>::prepareHash (this=0x7fffffffac48, l=...) at /home/i32g7900a/trees/mozilla-central/js/src/builtin/OrderedHashTableObject.h:1014
#1 js::OrderedHashMapImpl<JS::Value, JS::Value, js::UnbarrieredHashPolicy>::hash (this=0x7fffffffac48, key=...) at /home/i32g7900a/trees/mozilla-central/js/src/builtin/OrderedHashTableObject.h:1316
#2 js::OrderedHashTableRef<js::MapObject>::trace(JSTracer*)::{lambda(JS::Value&)#1}::operator()(JS::Value&) const (this=this@entry=0x7fffffffaca0, key=...) at /home/i32g7900a/trees/mozilla-central/js/src/builtin/MapObject.cpp:519
#3 0x00005555573429ae in JS::GCVector<JS::Value, 0ul, js::SystemAllocPolicy>::mutableEraseIf<js::OrderedHashTableRef<js::MapObject>::trace(JSTracer*)::{lambda(JS::Value&)#1}>(js::OrderedHashTableRef<js::MapObject>::trace(JSTracer*)::{lambda(JS::Value&)#1}, unsigned long) (this=this@entry=0x7ffff6f22160, pred=..., startIndex=startIndex@entry=0) at /home/i32g7900a/shell-cache/js-dbg-64-linux-x86_64-d50cbcf0ded7/objdir-js/dist/include/js/GCVector.h:187
#4 0x000055555734255d in js::OrderedHashTableRef<js::MapObject>::trace (this=0x7ffff63c6038, trc=0x7fffffffb0e0) at /home/i32g7900a/trees/mozilla-central/js/src/builtin/MapObject.cpp:518
#5 0x0000555557c69442 in js::gc::StoreBuffer::GenericBuffer::trace (this=<optimized out>, trc=0x7fffffffb0e0, owner=0x7fffffffada0) at /home/i32g7900a/trees/mozilla-central/js/src/gc/StoreBuffer.cpp:69
/snip
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8785cdc16361
user: Jan de Mooij
date: Fri Nov 15 10:46:58 2024 +0000
summary: Bug 1928666 part 6 - Allocate the buffer lazily on the first put operation. r=jonco
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev d50cbcf0ded7.
Setting s-s just in case.
Jan/Steve, is bug 1928666 a likely regressor? I'm going to set an additional needinfo? for :sfink since Jan may just be gone for the weekend, feel free to punt this back if needed.
|
||
Updated•4 days ago
|
|
Assignee | |
Comment 1•4 days ago
|
||
Interesting OOM bug, good find. I think this can wait for me to take a look on Monday, I expect it to be a safe nullptr dereference.
|
||
Comment 2•4 days ago
|
||
Set release status flags based on info from the regressing bug 1928666
|
|
Assignee | |
Comment 3•1 day ago
|
||
This only affects debug builds because it's about the hash() calls for the MOZ_ASSERT here. The actual rekeying code handles this case correctly.
|
|
Assignee | |
Comment 4•1 day ago
|
||
The hash(..) assertion in OrderedHashTableRef::trace was triggering an assertion
failure if we allocated the nursery-keys vector but failed to allocate the buffer for
the Map/Set object.
Drive-by change to give the NurseryKeysVector some inline space because we always append
at least one entry.
|
|
Assignee | |
Updated•22 hours ago
|
|
||
Comment 6•13 hours ago
|
||
| bugherder | ||
Description
•