Closed
Bug 1540670
Opened 6 years ago
Closed 6 years ago
Assertion failure: (chunkno == currentChunk_ + 1) || (chunkno == 0 && allocatedChunkCount() == 0), at js/src/gc/Nursery.cpp:1150 with gcparam
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla68
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | fixed |
People
(Reporter: decoder, Assigned: pbone)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision c06dfc552c64 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
gcparam('minNurseryBytes', 0);
gczeal(4);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::Nursery::allocateNextChunk (this=this@entry=0x7ffff5f1f180, chunkno=chunkno@entry=0, lock=...) at js/src/gc/Nursery.cpp:1149
#1 0x0000555556030ac5 in js::Nursery::enable (this=0x7ffff5f1f180) at js/src/gc/Nursery.cpp:194
#2 0x0000555556048343 in js::VerifyPreTracer::~VerifyPreTracer (this=0x7ffff4df92a0, __in_chrg=<optimized out>) at js/src/gc/Verifier.cpp:115
#3 js_delete<js::VerifyPreTracer> (p=0x7ffff4df92a0) at dist/include/js/Utility.h:537
#4 js::gc::GCRuntime::endVerifyPreBarriers (this=0x7ffff5f1c6b8) at js/src/gc/Verifier.cpp:395
#5 0x0000555555fe3222 in js::gc::AutoStopVerifyingBarriers::AutoStopVerifyingBarriers (isShutdown=true, rt=<optimized out>, this=0x7fffffffd480) at js/src/gc/GCInternals.h:114
#6 js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f1c6b8, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7603
#7 0x0000555555fe3759 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff5f1c6b8, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7697
#8 0x0000555555be6a5f in JSRuntime::destroyRuntime (this=this@entry=0x7ffff5f1c000) at js/src/vm/Runtime.cpp:284
[...]
#12 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11171
rax 0x555557c22240 93825032921664
rbx 0x1 1
rcx 0x555556bb6ac8 93825015704264
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffced0 140737488342736
rsp 0x7fffffffceb0 140737488342704
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff5f1f180 140737319661952
r13 0x7ffff5f1d688 140737319655048
r14 0x7fffffffcef0 140737488342768
r15 0x7ffff4df92a0 140737301680800
rip 0x5555560306b5 <js::Nursery::allocateNextChunk(unsigned int, js::AutoLockGCBgAlloc&)+309>
=> 0x5555560306b5 <js::Nursery::allocateNextChunk(unsigned int, js::AutoLockGCBgAlloc&)+309>: movl $0x0,0x0
0x5555560306c0 <js::Nursery::allocateNextChunk(unsigned int, js::AutoLockGCBgAlloc&)+320>: ud2
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•6 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/8a86347f3fd6 user: Paul Bone date: Fri Mar 22 05:16:21 2019 +0000 summary: Bug 1531626 - (part 6) Introduce a GC_MIN_NURSERY_BYTES parameter r=jonco This iteration took 514.738 seconds to run.
|
Assignee | |
Comment 3•6 years ago
|
||
Yep, no worries.
Assignee: nobody → pbone
Status: NEW → ASSIGNED
Flags: needinfo?(pbone)
|
|
Assignee | |
Updated•6 years ago
|
Priority: -- → P1
|
|
Assignee | |
Comment 5•6 years ago
|
||
The nursery uses capacity_ == 0 to determine if it is disabled. This patch
avoids setting the capacity to zero by requring the minimum size to be at
least ArenaSize (usually 1 page).
Depends on D25716
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9faed6c4e969 Only re-enable the nursery if generation GC is configured r=jonco https://hg.mozilla.org/integration/autoland/rev/02b9a8e35a2a Forbid a nursery size of 0 r=jonco
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9faed6c4e969
https://hg.mozilla.org/mozilla-central/rev/02b9a8e35a2a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
|
||
Comment 8•6 years ago
|
||
Should we land a test for this?
status-firefox66:
--- → unaffected
status-firefox67:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: needinfo?(pbone)
|
|
Assignee | |
Comment 9•6 years ago
|
||
Probably, I don't remember why I didn't.
Status: RESOLVED → VERIFIED
Flags: needinfo?(pbone)
|
|
Assignee | |
Updated•6 years ago
|
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
|
|
||
Updated•6 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 10•6 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 9982d52f7ba8).
|
||
Updated•6 years ago
|
|
|
Assignee | |
Comment 11•6 years ago
|
||
|
||
Comment 12•6 years ago
|
||
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/153dd24bb372 I forgot to "hg add" the new test case r=jonco
|
|
||
Comment 13•6 years ago
|
||
| bugherder | ||
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•