Closed Bug 914614 Opened 12 years ago Closed 12 years ago

Crash [@ js::gc::StartVerifyPreBarriers] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27

People

(Reporter: decoder, Assigned: terrence)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
507 bytes, text/plain
Details
fuzz_914614-v0.diff
4.43 KB, patch
billm
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe): gczeal(4); oomAfterAllocations(1); var s = new Set;
I'm not hitting this one too often, but when I'm trying to isolate another, more important OOM bug, I often end up hitting this one.
Blocks: 912928, 872823
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/0b4e06782cda user: Steve Fink date: Mon May 20 12:59:55 2013 -0700 summary: Bug 872823 - implement oomAfterAllocations testing function This iteration took 325.707 seconds to run.
I don't think that bug is the likely culprit, will try to investigate further today.
Assignee: general → terrence
https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df This is failing the alloc for the verifier data, which is not currently guarded against OOM. With GGC enabled, this migrates into the middle of Nursery::collect, where OOM is immediately fatal. To address the test failure on SM(ggc), I've added an AutoEnterOOMUnsafeRegion, which disables OOM debugging while live.
Attachment #807447 - Flags: review?(wmccloskey)
Comment on attachment 807447 [details] [diff] [review] fuzz_914614-v0.diff Review of attachment 807447 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the late review. ::: js/public/Utility.h @@ +80,5 @@ > extern JS_PUBLIC_DATA(uint32_t) OOM_maxAllocations; /* set in builtins/TestingFunctions.cpp */ > extern JS_PUBLIC_DATA(uint32_t) OOM_counter; /* data race, who cares. */ > > +/* Disable OOM testing in sections which are not OOM safe. */ > +class JS_PUBLIC_API(AutoEnterOOMUnsafeRegion) There's no reason this needs to be part of the public API. Can you move it somewhere else? I think jsgc.h would be fine for now. Also, it should be in a the js:: namespace.
Attachment #807447 - Flags: review?(wmccloskey) → review+
Right, OOM_max_allocations is extern, so we can set it from wherever. Thanks, Bill, that's much nicer! https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df https://hg.mozilla.org/integration/mozilla-inbound/rev/009c19c0af05
https://hg.mozilla.org/mozilla-central/rev/009c19c0af05
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: