Closed Bug 1542279 Opened 6 years ago Closed 6 years ago

Assertion failure: newMaxNurseryChunks > 0, at js/src/gc/Nursery.cpp:1243

Categories

(Core :: JavaScript: GC, defect, P2)

Product:
Core
Component:
JavaScript: GC
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: gkw, Assigned: pbone)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

Detailed Crash Information
(deleted), text/plain
Details
Bug 1542279 - Guard against overflow when calculating the new max chunks r?jonco
(deleted), text/x-phabricator-request
Details
Bug 1542279 - Fix a problem with rounding down to zero r?jonco
(deleted), text/x-phabricator-request
Details

The following testcase crashes on mozilla-central revision 93075ec49df3 (build with --target=i686-pc-linux --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests --disable-cranelift, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

gcparam('maxNurseryBytes', 2 ** 32 - 1);

Backtrace:

#0 js::Nursery::maybeResizeExact (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:1243
#1 0x57ed0d37 in js::Nursery::maybeResizeNursery (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:1171
#2 0x57ecd94e in js::Nursery::collect (this=0xf6b1a190, reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/Nursery.cpp:795
#3 0x57e5366e in js::gc::GCRuntime::minorGC (this=0xf6b183e8, reason=JS::GCReason::DESTROY_RUNTIME, phase=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at js/src/gc/GC.cpp:7828
#4 0x57e529e7 in js::gc::GCRuntime::gcCycle (this=0xf6b183e8, nonincrementalByAPI=<optimized out>, budget=..., reason=JS::GCReason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7403
/snip

For detailed crash information, see attachment.

Attached file Detailed Crash Information (deleted) — 

  

  



    
    

    
  
autobisectjs shows this is probably related to the following changeset:


The first bad revision is:

changeset:   https://hg.mozilla.org/mozilla-central/rev/8aaeb14dfc0c

user:        Paul Bone

date:        Fri Mar 22 05:15:38 2019 +0000

summary:     Bug 1531626 - (part 4) Always round-nearest for nursery size r=jonco


Paul, is bug 1531626 a likely regressor?



  

  


Flags: needinfo?(pbone)
Regressed by: 1531626

    
  
Assignee: nobody → pbone
Status: NEW → ASSIGNED
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(pbone)
Priority: -- → P2

    
    

    
  


  

  

  



    
    

    
  


  
Depends on D26462



  

  



        Attachment #9056468 -
        Attachment description: Bug 1542279 - Fix another problem with rounding down to zero r?jonco → Bug 1542279 - Fix a problem with rounding down to zero r?jonco

    
    

    
  
Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/142748fa228e
Guard against overflow when calculating the new max chunks r=jonco
https://hg.mozilla.org/integration/autoland/rev/8e4e52017c5d
Fix a problem with rounding down to zero r=jonco

  

  



    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/142748fa228e

https://hg.mozilla.org/mozilla-central/rev/8e4e52017c5d



  

  


Status: ASSIGNED → RESOLVED
Closed: 6 years ago

          status-firefox68:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: