Crash [@ js::gc::StartVerifyPreBarriers] with OOM

RESOLVED FIXED in mozilla27

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: terrence)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
mozilla27
x86
Linux
crash, testcase
Points:
---
Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe):

gczeal(4);               // zeal mode 4: run the pre-write-barrier verifier (js::gc::StartVerifyPreBarriers)
oomAfterAllocations(1);  // after one more allocation succeeds, every later js_malloc reports OOM
var s = new Set;         // allocating here starts the verifier, whose own allocation is not OOM-checked
(Reporter)

Comment 1

4 years ago
Created attachment 802284 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

4 years ago
I'm not hitting this one too often, but when I'm trying to isolate another, more important OOM bug, I often end up hitting this one.
Blocks: 912928, 872823
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0b4e06782cda
user:        Steve Fink
date:        Mon May 20 12:59:55 2013 -0700
summary:     Bug 872823 - implement oomAfterAllocations testing function

This iteration took 325.707 seconds to run.
(Assignee)

Comment 4

4 years ago
I don't think that bug is the likely culprit, will try to investigate further today.
Assignee: general → terrence
(Assignee)

Comment 5

4 years ago
Created attachment 807447 [details] [diff] [review]
fuzz_914614-v0.diff

https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df

This is failing the alloc for the verifier data, which is not currently guarded against OOM. With GGC enabled, this migrates into the middle of Nursery::collect, where OOM is immediately fatal. To address the test failure on SM(ggc), I've added an AutoEnterOOMUnsafeRegion, which disables OOM debugging while live.
Attachment #807447 - Flags: review?(wmccloskey)
Comment 6

Comment on attachment 807447 [details] [diff] [review]
fuzz_914614-v0.diff

Review of attachment 807447 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the late review.

::: js/public/Utility.h
@@ +80,5 @@
>  extern JS_PUBLIC_DATA(uint32_t) OOM_maxAllocations; /* set in builtins/TestingFunctions.cpp */
>  extern JS_PUBLIC_DATA(uint32_t) OOM_counter; /* data race, who cares. */
>  
> +/* Disable OOM testing in sections which are not OOM safe. */
> +class JS_PUBLIC_API(AutoEnterOOMUnsafeRegion)
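Review bot: the hunk shows only the declaration line of AutoEnterOOMUnsafeRegion, so how the guard treats OOM_maxAllocations (declared two lines above it) on entry and exit cannot be reviewed here; the comment on the `+` line should say that the constructor records the current limit and the destructor restores that recorded value, because a destructor that simply resets the limit to "disabled" would leave OOM testing off for the remainder of any enclosing region, and nested guards would then silently defeat the very test that found this crash. Suggested wording: `/* Disable OOM testing in sections which are not OOM safe; saves and restores OOM_maxAllocations, so regions may nest. */`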

There's no reason this needs to be part of the public API. Can you move it somewhere else? I think jsgc.h would be fine for now. Also, it should be in the js:: namespace.
Attachment #807447 - Flags: review?(wmccloskey) → review+
(Assignee)

Comment 7

4 years ago
Right, OOM_max_allocations is extern, so we can set it from wherever. Thanks, Bill, that's much nicer!

https://tbpl.mozilla.org/?tree=Try&rev=a3eb21a247df

https://hg.mozilla.org/integration/mozilla-inbound/rev/009c19c0af05
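The mechanism described in comment 5 (an RAII guard that switches OOM injection off while it is live) and the point in comment 7 (the limit is a plain extern counter, so the guard can set it from anywhere), as an added illustration that is not the patch's or SpiderMonkey's code. The globals are modelled on OOM_maxAllocations / OOM_counter; the failure rule (the (n+1)-th allocation after oomAfterAllocations(n) fails), the convention that UINT32_MAX means "injection disabled", and every function other than AutoEnterOOMUnsafeRegion and oomAfterAllocations are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstdio>

// Constructed model of the shell's OOM-injection counters (assumption: UINT32_MAX == disabled).
static uint32_t OOM_maxAllocations = UINT32_MAX;
static uint32_t OOM_counter = 0;

// Counting allocator: once more than OOM_maxAllocations allocations have been made, fail.
static void* counted_malloc(size_t bytes) {
    if (++OOM_counter > OOM_maxAllocations)
        return nullptr;
    return std::malloc(bytes);
}

// Test hook modelled on the shell function: allow n allocations, then inject failures.
static void oomAfterAllocations(uint32_t n) { OOM_maxAllocations = n; OOM_counter = 0; }
static void resetOOM() { OOM_maxAllocations = UINT32_MAX; OOM_counter = 0; }

// RAII guard: no injected failures while an instance is live. It saves and restores both
// globals, so regions may nest and the allocations made inside do not consume the budget
// (design choice: the injected failure is deferred to the next OOM-safe allocation).
class AutoEnterOOMUnsafeRegion {
    uint32_t savedMax_;
    uint32_t savedCounter_;
  public:
    AutoEnterOOMUnsafeRegion()
      : savedMax_(OOM_maxAllocations), savedCounter_(OOM_counter) {
        OOM_maxAllocations = UINT32_MAX;
    }
    ~AutoEnterOOMUnsafeRegion() {
        OOM_maxAllocations = savedMax_;
        OOM_counter = savedCounter_;
    }
    AutoEnterOOMUnsafeRegion(const AutoEnterOOMUnsafeRegion&) = delete;
    AutoEnterOOMUnsafeRegion& operator=(const AutoEnterOOMUnsafeRegion&) = delete;
};

// Models the verifier start-up as it was before the fix: its bookkeeping allocation is not
// guarded, so an injected OOM here would be fatal. Returns whether the allocation succeeded.
static bool startVerifierUnguarded() {
    void* data = counted_malloc(64);
    bool ok = data != nullptr;
    std::free(data);
    return ok;
}

// The fixed form: the guard keeps injection off for the duration of the allocation.
static bool startVerifierGuarded() {
    AutoEnterOOMUnsafeRegion unsafe;
    void* data = counted_malloc(64);
    bool ok = data != nullptr;
    std::free(data);
    return ok;
}

// Scenario from the testcase: one allocation is allowed, the verifier's is the second one.
static bool scenarioUnguarded() {
    oomAfterAllocations(1);
    std::free(counted_malloc(16));        // the single allowed allocation
    bool ok = startVerifierUnguarded();   // injected failure lands here -> false
    resetOOM();
    return ok;
}

// Same scenario with the guard: the verifier succeeds and the injected failure is only deferred.
static bool scenarioGuarded() {
    oomAfterAllocations(1);
    std::free(counted_malloc(16));
    bool ok = startVerifierGuarded();     // true: injection disabled inside the region
    void* next = counted_malloc(16);      // budget restored: next OOM-safe allocation fails
    bool deferred = next == nullptr;
    std::free(next);
    resetOOM();
    return ok && deferred;
}

// Nested regions: the inner destructor must not re-enable injection under the outer one.
static bool nestingRestores() {
    oomAfterAllocations(3);
    bool innerOk;
    {
        AutoEnterOOMUnsafeRegion outer;
        { AutoEnterOOMUnsafeRegion inner; }
        innerOk = OOM_maxAllocations == UINT32_MAX;
    }
    bool restored = OOM_maxAllocations == 3;
    resetOOM();
    return innerOk && restored;
}

int main() {
    std::printf("unguarded verifier survives injected OOM: %s\n", scenarioUnguarded() ? "yes" : "no");
    std::printf("guarded verifier survives, failure deferred: %s\n", scenarioGuarded() ? "yes" : "no");
    std::printf("nested regions restore the limit: %s\n", nestingRestores() ? "yes" : "no");
    return 0;
}
```

Restoring the saved value rather than a constant is what makes the guard safe to nest; whether allocations inside the region should count against the injection budget is a separate choice, and this example keeps the budget untouched so that the failure point seen by OOM-safe code stays deterministic.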
(Assignee)

Updated

4 years ago
Duplicate of this bug: 915497
https://hg.mozilla.org/mozilla-central/rev/009c19c0af05
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27