957110 - GenerationalGC: Assertion failure: currentStart_ == start(), at gc/Nursery.cpp:103 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 325c74addeba (run with --fuzzing-safe):


gczeal(7,1);
try {
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
newGlobal("same-compartment");
} catch(exc1) {}
gczeal(1);

Comment 1

[Jon Coppeard (:jonco)]

Attachment: bug957110-nursery-empty-assertion

This testcase turns on nursery zeal mode and then sets a low gcMaxBytes allocation threshold.  This results in the nursery being disabled after attempting to allocate the new global.  When we leave nursery zeal mode, the current chunk is not set to zero because the nursery is disabled.  This is not actually a problem because it will be set when the nursery is re-enabled again.  So the fix is to weaken the failing assert so that it the current start is not checked if the nursery is disabled.

Comment 2

[Terrence Cole [:terrence]]

Comment on attachment 8357785 [details] [diff] [review]
bug957110-nursery-empty-assertion

Review of attachment 8357785 [details] [diff] [review]:
-----------------------------------------------------------------

I could have sworn I found and fixed the same issue when testing the zeal7 robustness rewrite a few months ago. Oh well, this is the correct fix. r=me

Comment 3

[Jon Coppeard (:jonco)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/cbe9f7791348

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/cbe9f7791348