Closed
Bug 992866
Opened 10 years ago
Closed 10 years ago
Assertion failure: js::gc::IsInsideNursery(rt, value.toGCThing()), at jsobj.h:686
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
Tracking | Status | |
---|---|---|
firefox29 | --- | unaffected |
firefox30 | --- | unaffected |
firefox31 | --- | verified |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
472 bytes,
text/plain
|
Details | |
1.85 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 5405d6f4e3c6 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-eager): try { for (var v of a) {} } catch(exc1) {} test(range(0, 64), "map", function (... ArrayBuffer) { var x = []; for (var i = 0; i < 10; i++) { x[i] = { f1: v, f2: v, f3: v, } } }); function range(n, m) { var result = []; for (var i = n; i < m; i++) result.push(i); return result; } function test(arr, op, func) { while (true) (function (m) { return arr[op + "Par"].apply(arr, [func, m]); })(); }
Reporter | ||
Comment 1•10 years ago
|
||
Marking s-s because this is a GGC assertion. I'm also seeing crashes [@ IsInsideNursery] but I'm not sure yet if that's the same issue.
status-firefox31:
--- → affected
Component: JavaScript Engine → JavaScript: GC
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Comment 2•10 years ago
|
||
Comment 3•10 years ago
|
||
I've reduced this to: test([0], "map", function (... Object) { var x = []; for (var i = 0; i < 10; i++) { x[i] = {}; } }); function test(arr, op, func) { while (true) arr[op + "Par"].apply(arr, [func, undefined]); } configure --without-intl-api --enable-debug --disable-optimize no shell flags Likely a PJS + GGC problem. Will keep looking for a bit.
Comment 4•10 years ago
|
||
Yeah, I don't understand enough of the PJS/GGC interaction here. The crash is in initDenseElementsUnbarriered called by js::jit::InitRestParameterPar. It's copying over a set of three values: 0, 0, and [0], where [0] is the 'arr' in the above code. Note that the 'Object' in the last comment is irrelevant. You can call the parameter anything. Stack is: #0 0x00000000007e8c53 in JSObject::initDenseElementsUnbarriered (this= (JSObject * const) 0x7fffefe5d040 [object Array], dstStart=0, src= 0x7fffffff8d60, count=3) at /home/sfink/src/MI-GC/js/src/jsobj.h:686 #1 0x00000000007d19bc in js::jit::InitRestParameterPar (cx=0x7fffffff8f40, length=3, rest=0x7fffffff8d60, templateObj= (JSObject * const) 0x7fffefe5b460 [object Array], res= (JSObject * const) 0x7fffefe5d040 [object Array]) at /home/sfink/src/MI-GC/js/src/jit/ParallelFunctions.cpp:660 #2 0x00007ffff7fce10f in ?? () Paging Dr. Shu.
Flags: needinfo?(shu)
Comment 5•10 years ago
|
||
Are you sure this isn't a typo in the assert? Why is it asserting that all values in the source array are in the nursery? Shouldn't it be asserting the opposite: that none of them is in the nursery?
Flags: needinfo?(shu)
Updated•10 years ago
|
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 6•10 years ago
|
||
Shu's right - I got the assertion the wrong way round. Nothing here should be in the nursery.
Assignee: nobody → jcoppeard
Attachment #8406018 -
Flags: review?(sphink)
Flags: needinfo?(jcoppeard)
Comment 7•10 years ago
|
||
Comment on attachment 8406018 [details] [diff] [review] bug992866-initDenseElementsUnbarriered Review of attachment 8406018 [details] [diff] [review]: ----------------------------------------------------------------- Ah! That makes sense. Sorry, I should have figured that out.
Attachment #8406018 -
Flags: review?(sphink) → review+
Comment 8•10 years ago
|
||
Comment on attachment 8406018 [details] [diff] [review] bug992866-initDenseElementsUnbarriered Review of attachment 8406018 [details] [diff] [review]: ----------------------------------------------------------------- Don't forget |if (!getBuildConfiguration().parallelJS) exit();| or something to that effect in the tests.
Assignee | ||
Comment 9•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/6bccf46b48d0
Reporter | ||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 10•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/786057e01ef3 user: Terrence Cole date: Wed Feb 05 10:04:16 2014 -0800 summary: Bug 619558 - Enable generational GC on desktop; r=sfink, sr=naveed This iteration took 1.288 seconds to run.
Comment 11•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6bccf46b48d0
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Reporter | ||
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 12•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 13•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #11) > https://hg.mozilla.org/mozilla-central/rev/6bccf46b48d0 Why did this go in with no security rating or sec-approval? This would affect Firefox 30... Do we need to backport to Beta?
Flags: needinfo?(ryanvm)
Comment 14•10 years ago
|
||
From the looks of comment 9, that's a question better asked of Jon...
Flags: needinfo?(ryanvm) → needinfo?(jcoppeard)
Assignee | ||
Comment 15•10 years ago
|
||
(In reply to Al Billings [:abillings] from comment #13) Sorry, I should have got sec-approval, my bad. That said, I don't think this is actually security sensitive. It's an assertion failure, not a stray memory access, and the assertion was wrong anyway so it wasn't indicating a real problem at all. It's also dependent on parallel JS being enabled, which I think currently only happens in nightly.
Flags: needinfo?(jcoppeard)
Comment 16•10 years ago
|
||
Ah, yeah, if it is PJS, then it is trunk only, and does not need sec-approval. I'm just going to unhide this, then, if it is just a bogus assert.
Updated•10 years ago
|
Comment 17•10 years ago
|
||
Verified fixed as per test coverage.
You need to log in
before you can comment on or make changes to this bug.
Description
•