1947967 - Assertion failure: gMappedMemorySizeBytes == 0, at gc/Memory.cpp:468 or Assertion failure: bytes <= gMappedMemorySizeBytes, at gc/Memory.cpp:1151

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20250212-d5ed6c63e908 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-regexp-modifiers test.js):

a = [];
for (b = 0;;) a.push(b);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x5bcd5686 in js::gc::CheckMemorySubsystemOnShutDown() ()
#1  0x5b5e5303 in ShutdownImpl(JS::detail::FrontendOnly) ()
#2  0x5b27b950 in main ()
eax	0x0	0
ebx	0x5cd8ca68	1557711464
ecx	0x1d4	468
edx	0xef6fa9a8	-277894744
esi	0x0	0
edi	0x3	3
ebp	0xffeaa648	4293568072
esp	0xffeaa640	4293568064
eip	0x5bcd5686 <js::gc::CheckMemorySubsystemOnShutDown()+70>
=> 0x5bcd5686 <_ZN2js2gc30CheckMemorySubsystemOnShutDownEv+70>:	mov    %ecx,(%eax)
   0x5bcd5688 <_ZN2js2gc30CheckMemorySubsystemOnShutDownEv+72>:	call   0x5b311090 <abort>

Test runs for a while then asserts in a 32-bit debug build. Fuzzblocker because this happens pretty often.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20250213093644-53b5bbe21356.
The bug appears to have been introduced in the following build range:

Start: f09484fc3cc8e58574ced80f5d13faf97cfaa552 (20250211102646)
End: b4d8ef8d9d2ddbaf808f5241b7fe20249970a947 (20250211121232)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f09484fc3cc8e58574ced80f5d13faf97cfaa552&tochange=b4d8ef8d9d2ddbaf808f5241b7fe20249970a947

Comment 4

[Mayank Bansal]

Jonco?

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1811927

Comment 6

[Jon Coppeard (:jonco)]

Attachment: Bug 1947967 - Fix recording of allocated memory around OOMs r?jandem

I didn't notice that we handle failing due to OOM and successfully allcoating
an aligned block together in a couple of places. This meant we could record a
memory allocation on OOM.

I changed the code to handle failure more explicitly.

I wasn't able to add a test case because it requires exhausting memory.

Comment 7

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/05976fa9c1b7
Fix recording of allocated memory around OOMs r=jandem

Comment 8

[amarc]

https://hg.mozilla.org/mozilla-central/rev/05976fa9c1b7

Comment 9

[Bugmon [:jkratzer for issues]]

Testcase crashes using the initial build (mozilla-central 20250212110129-d5ed6c63e908) but not with tip (mozilla-central 20250214215152-8e442c6e7765.)

The bug appears to have been fixed in the following build range:

Start: 4e2106fbb54e2950384b11165794e967b301fb49 (20250214112652)
End: 84f890216031ee2b59a11ed3a0fb2d2b14daee4e (20250214131650)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4e2106fbb54e2950384b11165794e967b301fb49&tochange=84f890216031ee2b59a11ed3a0fb2d2b14daee4e

jonco, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 10

[Jon Coppeard (:jonco)]

(In reply to Bugmon [:jkratzer for issues] from comment #9)

jonco, can you confirm that the above bisection range is responsible for fixing this issue?
Confirmed.