Closed
Bug 1455709
Opened 7 years ago
Closed 7 years ago
Assertion failure: bytes_ >= bytesAtStartOfGC_, at js/src/gc/GC.cpp:2040
Categories
(Core :: JavaScript Engine, defect, P5)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | wontfix |
| firefox59 | --- | wontfix |
| firefox60 | --- | wontfix |
| firefox61 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
(deleted),
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision cc0d7de218cb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
gcslice(0);
function testChangeParam(key) {
let prev = gcparam(key);
gcparam(key, prev);
}
testChangeParam("maxMallocBytes");
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000000000ec1138 in js::gc::MemoryCounter::updateOnGCEnd (this=this@entry=0x7ffff5f37878, tunables=..., lock=...) at js/src/gc/GC.cpp:2040
#1 0x0000000000ee25de in JS::Zone::updateAllGCMallocCountersOnGCEnd (lock=..., this=0x7ffff5f37000) at js/src/gc/Zone.h:432
#2 js::gc::GCRuntime::endSweepingSweepGroup (this=0x7ffff5f19700, fop=<optimized out>, budget=...) at js/src/gc/GC.cpp:5800
#3 0x0000000000f13500 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f16330, args#0=0x7ffff5f19700, args#1=0x7fffffffd370, args#2=...) at js/src/gc/GC.cpp:6368
#4 0x0000000000f13aa5 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0x7ffff5f271c0, args#0=0x7ffff5f19700, args#1=0x7fffffffd370, args#2=...) at js/src/gc/GC.cpp:6429
#5 0x0000000000eb6d5b in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff5f19700, budget=...) at js/src/gc/GC.cpp:6597
#6 0x0000000000ee6e35 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff5f19700, budget=..., reason=reason@entry=JS::gcreason::API, session=...) at js/src/gc/GC.cpp:7149
#7 0x0000000000ee80a3 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f19700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/gc/GC.cpp:7478
#8 0x0000000000ee8735 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f19700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/gc/GC.cpp:7621
#9 0x0000000000ee9291 in js::gc::GCRuntime::finishGC (this=0x7ffff5f19700, reason=reason@entry=JS::gcreason::API) at js/src/gc/GC.cpp:7730
#10 0x0000000000ee9ddf in JS::FinishIncrementalGC (cx=cx@entry=0x7ffff5f15000, reason=reason@entry=JS::gcreason::API) at js/src/gc/GC.cpp:8545
#11 0x0000000000ee9e07 in js::gc::FinishGC (cx=cx@entry=0x7ffff5f15000) at js/src/gc/GC.cpp:7897
#12 0x000000000042f869 in CancelOffThreadJobsForRuntime (cx=cx@entry=0x7ffff5f15000) at js/src/shell/js.cpp:399
#13 0x0000000000444239 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9252
rax 0x0 0
rbx 0x7ffff5f37878 140737319762040
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffd1b0 140737488343472
rsp 0x7fffffffd190 140737488343440
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff5f37888 140737319762056
r13 0x7ffff5f1a428 140737319642152
r14 0x0 0
r15 0x7ffff5f37000 140737319759872
rip 0xec1138 <js::gc::MemoryCounter::updateOnGCEnd(js::gc::GCSchedulingTunables const&, js::AutoLockGC const&)+360>
=> 0xec1138 <js::gc::MemoryCounter::updateOnGCEnd(js::gc::GCSchedulingTunables const&, js::AutoLockGC const&)+360>: movl $0x0,0x0
0xec1143 <js::gc::MemoryCounter::updateOnGCEnd(js::gc::GCSchedulingTunables const&, js::AutoLockGC const&)+371>: ud2
Likely shell-only or debug-only bug.
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•7 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5192e1ad48e7
user: Jon Coppeard
date: Thu Oct 26 10:03:51 2017 +0100
summary: Bug 1408375 - Move malloc threshold check to malloc allocation r=sfink
This iteration took 270.804 seconds to run.
Jon, is bug 1408375 a likely regressor?
Blocks: 1408375
Flags: needinfo?(jcoppeard)
|
Assignee | |
Updated•7 years ago
|
Priority: -- → P5
|
|
Assignee | |
Comment 3•7 years ago
|
||
I'm not sure why we reset() the MemoryCounter if we change maxBytes_. It certainly messes up this assertion and means you can't set it during a GC. It seems fine to take this out.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8970469 -
Flags: review?(sphink)
|
||
Comment 4•7 years ago
|
||
Comment on attachment 8970469 [details] [diff] [review]
bug1455709-malloc-bytes
Review of attachment 8970469 [details] [diff] [review]:
-----------------------------------------------------------------
Yes, this seems better.
Attachment #8970469 -
Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/37320f8b708c
Don't reset count of allocated bytes when max malloc parameter is changed r=sfink
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
|
||
Updated•7 years ago
|
status-firefox59:
--- → wontfix
status-firefox60:
--- → wontfix
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → wontfix
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•