Closed Bug 914601 Opened 9 years ago Closed 9 years ago

Assertion failure: ok, at ../vm/GlobalObject.h:415 with OOM and ParallelArray

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla26

People

(Reporter: decoder, Assigned: till)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe --ion-eager):


oomAfterAllocations(51);
var p = new ParallelArray([1,2,3,4]);
I'm seeing this assertion very frequently, but stacks vary. I'll try to figure out if there are more tests. At least one stack contains Intl instead of ParallelArray, others contain neither one nor the other.
Blocks: 912928, 872823
Summary: Assertion failure: ok, at ../vm/GlobalObject.h:415 with OOM → Assertion failure: ok, at ../vm/GlobalObject.h:415 with OOM and ParallelArray
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/23dda916c3d0
user:        Shu-yu Guo
date:        Sat May 11 22:39:46 2013 -0700
summary:     Bug 860965 - Part 1: Copy 1D ParallelArray operations to Array. (r=luke,nmatsakis)

This iteration took 327.077 seconds to run.
The assert is that a JS_DefineProperty in GlobalObject::getSelfHostedValue or whichever never fails.  Why we're asserting this, when the method has a perfectly reasonable bool failure return that could be propagated, I'm not entirely sure.
The best explanation I can come up with is luke's request to add an assert that *getting* a self-hosted function succeeded: https://bugzilla.mozilla.org/show_bug.cgi?id=462300#c56

This then morphed (through emergent behavior nobody's responsible for) into the current weird construct. Will attach a patch to cut back the uncontrolled growth.
Thanks for taking this OOM bug, Till!
Assignee: general → till
Just removing this should be fine and all that's needed
Attachment #802967 - Flags: review?(terrence)
Comment on attachment 802967 [details] [diff] [review]
Remove non-required, crashing-on-oom assert in GlobalObject::getIntrinsicValue.

Review of attachment 802967 [details] [diff] [review]:
-----------------------------------------------------------------

Yup. r=me
Attachment #802967 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/38bcba92aa14
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in before you can comment on or make changes to this bug.