Closed Bug 1585159 Opened 5 years ago Closed 5 years ago

Assertion failure: newCapacity < capacity_, at js/src/gc/Nursery.cpp:1529

Categories

(Core :: JavaScript: GC, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: decoder, Assigned: pbone)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision aa8f530a1a35 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off test.js):

gcparam("minNurseryBytes", 1024 * 1024);
let lfPromise = import("javascript: " + ``);
gcparam("maxBytes", gcparam("gcBytes") + 4 * (true));

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::Nursery::shrinkAllocableSpace (this=0x7fd50b72c300, newCapacity=1048576) at js/src/gc/Nursery.cpp:1529
#1  0x0000563893af667c in js::Nursery::minimizeAllocableSpace (this=<optimized out>) at js/src/gc/Nursery.cpp:1554
#2  js::Nursery::maybeResizeExact (this=0x7fd50b72c300, reason=<optimized out>) at js/src/gc/Nursery.cpp:1407
#3  0x0000563893af68c7 in js::Nursery::maybeResizeNursery (this=0x7fd50b72c300, reason=<optimized out>) at js/src/gc/Nursery.cpp:1352
#4  0x0000563893b07055 in js::Nursery::collect (this=0x7fd50b72c300, reason=reason@entry=JS::GCReason::LAST_DITCH) at js/src/gc/Nursery.cpp:930
#5  0x0000563893a7c537 in js::gc::GCRuntime::minorGC (this=this@entry=0x7fd50b729718, reason=reason@entry=JS::GCReason::LAST_DITCH, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY_FOR_MAJOR_GC) at js/src/gc/GC.cpp:7534
#6  0x0000563893aa9d2b in js::gc::GCRuntime::gcCycle (this=this@entry=0x7fd50b729718, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., gckind=..., reason=reason@entry=JS::GCReason::LAST_DITCH) at js/src/gc/GC.cpp:7101
#7  0x0000563893aaa60e in js::gc::GCRuntime::collect (this=this@entry=0x7fd50b729718, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., gckindArg=..., reason=reason@entry=JS::GCReason::LAST_DITCH) at js/src/gc/GC.cpp:7321
#8  0x0000563893aaabf5 in js::gc::GCRuntime::gc (this=this@entry=0x7fd50b729718, gckind=gckind@entry=GC_SHRINK, reason=reason@entry=JS::GCReason::LAST_DITCH) at js/src/gc/GC.cpp:7403
#9  0x0000563893aaac73 in js::gc::GCRuntime::attemptLastDitchGC (this=0x7fd50b729718, cx=0x7fd50b727000) at js/src/gc/Allocator.cpp:315
#10 0x0000563893ae6e7a in js::gc::GCRuntime::tryNewTenuredThing<JSObject, (js::AllowGC)1> (thingSize=<optimized out>, kind=js::gc::AllocKind::FUNCTION_EXTENDED, cx=0x7fd50b727000) at js/src/gc/Allocator.cpp:279
#11 js::gc::GCRuntime::tryNewTenuredObject<(js::AllowGC)1> (cx=cx@entry=0x7fd50b727000, kind=<optimized out>, thingSize=thingSize@entry=80, nDynamicSlots=nDynamicSlots@entry=0) at js/src/gc/Allocator.cpp:138
#12 0x0000563893ae71b7 in js::AllocateObject<(js::AllowGC)1> (cx=cx@entry=0x7fd50b727000, kind=kind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, nDynamicSlots=nDynamicSlots@entry=0, heap=heap@entry=js::gc::TenuredHeap, clasp=clasp@entry=0x56389587a4a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:81
#13 0x000056389353e775 in JSFunction::create (cx=0x7fd50b727000, kind=<optimized out>, heap=js::gc::TenuredHeap, shape=..., group=...) at js/src/vm/JSFunction-inl.h:116
#14 0x00005638935080d9 in NewObject (cx=<optimized out>, group=..., kind=<optimized out>, newKind=js::SingletonObject, initialShapeFlags=<optimized out>) at js/src/vm/JSObject.cpp:795
#15 0x0000563893508a56 in js::NewObjectWithClassProtoCommon (cx=<optimized out>, cx@entry=0x7fd50b727000, clasp=clasp@entry=0x56389587a4a0 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=newKind@entry=js::SingletonObject) at js/src/vm/JSObject.cpp:932
#16 0x000056389351564b in js::NewObjectWithClassProto (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., clasp=0x56389587a4a0 <JSFunction::class_>, cx=0x7fd50b727000) at js/src/vm/JSObject-inl.h:493
#17 js::NewObjectWithClassProto<JSFunction> (newKind=js::SingletonObject, allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, proto=..., cx=0x7fd50b727000) at js/src/vm/JSObject-inl.h:515
#18 js::NewFunctionWithProto (cx=0x7fd50b727000, native=0x0, nargs=2, flags=..., enclosingEnv=..., atom=..., proto=..., allocKind=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=js::SingletonObject) at js/src/vm/JSFunction.cpp:2101
#19 0x0000563893515927 in js::NewScriptedFunction (cx=<optimized out>, cx@entry=0x7fd50b727000, nargs=nargs@entry=2, flags=flags@entry=..., atom=atom@entry=..., proto=proto@entry=..., allocKind=allocKind@entry=js::gc::AllocKind::FUNCTION_EXTENDED, newKind=js::SingletonObject, enclosingEnvArg=...) at js/src/vm/JSFunction.cpp:2064
#20 0x0000563893642aa9 in JSRuntime::createLazySelfHostedFunctionClone (this=0x7fd50b729000, cx=0x7fd50b727000, selfHostedName=selfHostedName@entry=..., name=..., name@entry=..., nargs=nargs@entry=2, proto=proto@entry=..., newKind=js::SingletonObject, fun=...) at js/src/vm/SelfHosting.cpp:3131
#21 0x000056389349e3be in js::GlobalObject::getSelfHostedFunction (cx=<optimized out>, global=..., selfHostedName=selfHostedName@entry=..., name=..., name@entry=..., nargs=nargs@entry=2, funVal=funVal@entry=...) at js/src/vm/GlobalObject.cpp:996
#22 0x00005638937fe774 in JS::NewFunctionFromSpec (cx=<optimized out>, fs=fs@entry=0x563895870ca8 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions+40>, id=..., id@entry=...) at js/src/jsapi.cpp:3305
#23 0x00005638934fe0bf in DefineFunctionFromSpec (intrinsic=js::NotIntrinsic, flags=<optimized out>, fs=0x563895870ca8 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions+40>, obj=..., cx=<optimized out>) at js/src/vm/JSObject.cpp:3076
#24 js::DefineFunctions (cx=cx@entry=0x7fd50b727000, obj=..., fs=0x563895870ca8 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions+40>, fs@entry=0x563895870c80 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions>, intrinsic=intrinsic@entry=js::NotIntrinsic) at js/src/vm/JSObject.cpp:3093
#25 0x00005638937f9df5 in JS_DefineFunctions (cx=0x7fd50b727000, obj=..., fs=fs@entry=0x563895870c80 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions>) at js/src/jsapi.cpp:3486
#26 0x000056389348371d in js::DefinePropertiesAndFunctions (cx=<optimized out>, obj=..., obj@entry=..., ps=ps@entry=0x563895870d60 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoAccessors>, fs=fs@entry=0x563895870c80 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)::protoFunctions>) at js/src/vm/GlobalObject.cpp:836
#27 0x0000563893381ccb in js::GlobalObject::initModuleProto (cx=<optimized out>, cx@entry=0x7fd50b727000, global=...) at js/src/builtin/ModuleObject.cpp:1174
#28 0x000056389349b610 in js::GlobalObject::createObject (cx=cx@entry=0x7fd50b727000, global=global@entry=..., slot=slot@entry=164, init=init@entry=0x563893381c40 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)>) at js/src/vm/GlobalObject.cpp:356
#29 0x0000563893395a8d in js::GlobalObject::getOrCreateObject (cx=cx@entry=0x7fd50b727000, global=..., slot=slot@entry=164, init=0x563893381c40 <js::GlobalObject::initModuleProto(JSContext*, JS::Handle<js::GlobalObject*>)>) at js/src/vm/GlobalObject.h:607
#30 0x000056389349be2e in js::GlobalObject::getOrCreateModulePrototype (global=..., cx=0x7fd50b727000) at js/src/vm/GlobalObject.h:557
#31 js::GlobalObject::ensureModulePrototypesCreated (cx=cx@entry=0x7fd50b727000, global=...) at js/src/vm/GlobalObject.cpp:1038
#32 0x00005638939dc076 in CreateModule<char16_t> (srcBuf=..., options=..., cx=0x7fd50b727000) at js/src/frontend/BytecodeCompiler.cpp:854
#33 js::frontend::CompileModule (cx=0x7fd50b727000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:876
#34 0x0000563893247566 in ParseModule (cx=<optimized out>, cx@entry=0x7fd50b727000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4805
#35 0x00005638932f879d in CallJSNative (cx=0x7fd50b727000, native=native@entry=0x563893247220 <ParseModule(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:458
#36 0x00005638932e912a in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7fd50b727000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:551
#37 0x00005638932e9697 in InternalCall (cx=0x7fd50b727000, args=..., reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:620
#38 0x00005638932dae6c in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:624
#39 Interpret (cx=0x7fd50b727000, state=...) at js/src/vm/Interpreter.cpp:3113
#40 0x00005638932e8946 in js::RunScript (cx=0x7fd50b727000, state=...) at js/src/vm/Interpreter.cpp:424
#41 0x00005638932e925f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7fd50b727000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:592
#42 0x00005638932e9697 in InternalCall (cx=cx@entry=0x7fd50b727000, args=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:620
#43 0x00005638932e9833 in js::Call (cx=cx@entry=0x7fd50b727000, fval=..., thisv=..., args=..., rval=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:637
#44 0x000056389339c3dd in js::Call (cx=0x7fd50b727000, fval=fval@entry=..., thisv=..., arg0=..., arg0@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.h:107
#45 0x000056389338baa1 in PromiseReactionJob (cx=<optimized out>, cx@entry=0x7fd50b727000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Promise.cpp:1703
#46 0x00005638932f879d in CallJSNative (cx=0x7fd50b727000, native=native@entry=0x56389338b360 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:458
#47 0x00005638932e912a in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7fd50b727000, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:551
#48 0x00005638932e9697 in InternalCall (cx=cx@entry=0x7fd50b727000, args=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:620
#49 0x00005638932e9833 in js::Call (cx=cx@entry=0x7fd50b727000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:637
#50 0x00005638938105df in JS::Call (cx=0x7fd50b727000, thisv=..., thisv@entry=..., fval=fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2728
#51 0x00005638934cf0a0 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=<optimized out>) at js/src/jsapi.h:1635
#52 js::InternalJobQueue::runJobs (this=0x7fd50b741100, cx=<optimized out>) at js/src/vm/JSContext.cpp:1113
#53 0x000056389322b6e2 in Shell (envp=<optimized out>, op=0x7ffd1c7824f0, cx=<optimized out>) at js/src/shell/js.cpp:10857
#54 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11495
rax	0x5638959430e0	94801027674336
rbx	0x7fd50b72c300	140552996832000
rcx	0x56389483b868	94801009817704
rdx	0x0	0
rsi	0x7fd50c77d770	140553013942128
rdi	0x7fd50c77c540	140553013937472
rbp	0x7ffd1c780040	140725081079872
rsp	0x7ffd1c77fff0	140725081079792
r8	0x7fd50c77d770	140553013942128
r9	0x7fd50d876cc0	140553031740608
r10	0x58	88
r11	0x7fd50c4247a0	140553010431904
r12	0x100000	1048576
r13	0x40000	262144
r14	0x4	4
r15	0x4	4
rip	0x563893af6599 <js::Nursery::shrinkAllocableSpace(unsigned long)+569>
=> 0x563893af6599 <js::Nursery::shrinkAllocableSpace(unsigned long)+569>:	movl   $0x0,0x0
   0x563893af65a4 <js::Nursery::shrinkAllocableSpace(unsigned long)+580>:	ud2

This is probably a shell-only problem with gcparam.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/31825d66ed83
user:        Paul Bone
date:        Thu Mar 21 00:49:11 2019 +0000
summary:     Bug 1531626 - (part 5) Introduce a GC_MIN_NURSERY_BYTES parameter r=jonco

This iteration took 497.024 seconds to run.

Paul, is bug 1531626 a likely regressor?

Flags: needinfo?(pbone)
Regressed by: 1531626

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)

> Paul, is bug 1531626 a likely regressor?

Yes. The minNurseryBytes parameter didn't exist before ;-)

Assignee: nobody → pbone
Status: NEW → ASSIGNED
Flags: needinfo?(pbone)
Priority: -- → P1

The nursery can't adjust its size immediately when gcparam is set. Instead it does it after the next collection. This test case crashes as follows:

The initial minimum and current nursery size is 256K.
The gcparam sets this to 1MB.
The test case triggers a last ditch GC, which asks the nursery to minimise itself.

The code crashes because it's asked to shrink to 1MB when it is already 256K.
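As an added illustration of the sequence described in the comment above (this is a model written for this page, not code from the bug's patches or from SpiderMonkey's js::Nursery), the C++ below keeps a current capacity and a minimum, mirrors the `newCapacity < capacity_` precondition from the assertion in the bug title, and contrasts an unguarded minimise, which asks to shrink to a 1MB minimum while the nursery is still 256K, with a guarded one that simply does nothing when the minimum is not below the current capacity, so a last-ditch GC never tries to grow the nursery. The class, enum and function names are invented for the model, and the exact shape of the guard is an assumption chosen to match the title of the landed fix ("Don't grow nursery in a last-ditch GC"); the 256K and 1MB figures come from the comment.

```cpp
#include <cstddef>

// Figures from the bug comment: the nursery starts at 256K and the testcase's
// gcparam("minNurseryBytes", ...) call raises the minimum to 1MB.
constexpr size_t kInitialNurseryBytes = 256 * 1024;
constexpr size_t kRequestedMinNurseryBytes = 1024 * 1024;

// Outcome of asking the model nursery to minimise itself.
// AssertionWouldFire marks the state in which the real engine's
// MOZ_ASSERT(newCapacity < capacity_) would have aborted the process.
enum class ShrinkResult { Shrunk, AssertionWouldFire, NothingToDo };

// Toy nursery model (hypothetical; not the real js::Nursery).
struct ModelNursery {
    size_t capacity_;  // current allocable space in bytes
    size_t minBytes_;  // configured minimum, applied only after the next collection

    explicit ModelNursery(size_t initial) : capacity_(initial), minBytes_(initial) {}

    // Equivalent of gcparam("minNurseryBytes", bytes): the size is not changed
    // here, only the minimum that the next collection will honour.
    void setMinNurseryBytes(size_t bytes) { minBytes_ = bytes; }

    // Mirrors the precondition of the function named in the bug title:
    // shrinking is only valid when the new capacity is strictly smaller.
    ShrinkResult shrinkAllocableSpace(size_t newCapacity) {
        if (!(newCapacity < capacity_)) {
            return ShrinkResult::AssertionWouldFire;
        }
        capacity_ = newCapacity;
        return ShrinkResult::Shrunk;
    }

    // Pre-fix behaviour as described in the comment: a last-ditch GC asks the
    // nursery to minimise, and minimise shrinks to the minimum unconditionally.
    ShrinkResult minimizeUnguarded() { return shrinkAllocableSpace(minBytes_); }

    // Guarded variant (assumed shape of the fix): if the minimum is not below
    // the current capacity there is nothing to shrink, and a last-ditch GC
    // must never grow the nursery instead.
    ShrinkResult minimizeGuarded() {
        if (minBytes_ >= capacity_) {
            return ShrinkResult::NothingToDo;
        }
        return shrinkAllocableSpace(minBytes_);
    }
};

// Replays the bug's scenario: 256K nursery, minimum raised to 1MB, then a
// last-ditch GC asks the nursery to minimise itself.
ShrinkResult lastDitchResult(bool guarded) {
    ModelNursery nursery(kInitialNurseryBytes);
    nursery.setMinNurseryBytes(kRequestedMinNurseryBytes);
    return guarded ? nursery.minimizeGuarded() : nursery.minimizeUnguarded();
}

// Capacity left after the guarded path: the nursery must stay at 256K rather
// than be grown by a collection whose purpose is to free memory.
size_t capacityAfterGuardedLastDitch() {
    ModelNursery nursery(kInitialNurseryBytes);
    nursery.setMinNurseryBytes(kRequestedMinNurseryBytes);
    nursery.minimizeGuarded();
    return nursery.capacity_;
}

// The ordinary case the guard must not break: a 1MB nursery whose minimum is
// 256K really does shrink.
ShrinkResult ordinaryShrinkResult() {
    ModelNursery nursery(kRequestedMinNurseryBytes);
    nursery.setMinNurseryBytes(kInitialNurseryBytes);
    return nursery.minimizeGuarded();
}
```

The unguarded path reproduces the assertion's precondition failure from the backtrace; the guarded path returns without touching the capacity, and a nursery that is actually larger than its minimum still shrinks as before.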

I want to add this option to the gc() shell builtin to write a test case for
this bug.

Depends on D48291

Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7ff066349ec6
Allow the shell to invoke a last-ditch GC r=jonco
https://hg.mozilla.org/integration/autoland/rev/b1a494e70997
Don't grow nursery in a last-ditch GC r=jonco
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Has Regression Range: --- → yes