Closed Bug 905654 Opened 11 years ago Closed 11 years ago

GC: Assertion failure running GGC shell on linux 32 bit build

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla26

People

(Reporter: jonco, Assigned: jonco)

References

Details

Attachments

(1 file)

bump-assertion
(deleted), patch
terrence
: review+
Details | Diff | Splinter Review
$ /srv/repos/mozilla-central/js/src/debug32/js -f nonexistant can't open nonexistant: No such file or directory Assertion failure: mark <= bump, at ../ds/LifoAlloc.h:112 Program received signal SIGSEGV, Segmentation fault. 0x081b8a05 in release (mark=0x938e018, this=0x938df80) at ../ds/LifoAlloc.h:112 112 JS_ASSERT(mark <= bump); (gdb) bt #0 0x081b8a05 in release (mark=0x938e018, this=0x938df80) at ../ds/LifoAlloc.h:112 #1 release (mark=..., this=0xf7aa5b08) at ../ds/LifoAlloc.h:331 #2 js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::CellPtrEdge>::compactRemoveDuplicates (this=0xf7aa5b00) at /srv/repos/mozilla-central/js/src/gc/StoreBuffer.cpp:97 #3 0x081b734e in js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::CellPtrEdge>::mark (this=0xf7aa5b00, trc=0xffffce28) at /srv/repos/mozilla-central/js/src/gc/StoreBuffer.cpp:115 #4 0x081b7c64 in js::gc::StoreBuffer::mark (this=0xf7aa5ad8, trc=0xffffce28) at /srv/repos/mozilla-central/js/src/gc/StoreBuffer.cpp:295 #5 0x0870ad5d in js::Nursery::collect (this=0xf7a65a78, rt=0xf7a65008, reason=JS::gcreason::EVICT_NURSERY) at /srv/repos/mozilla-central/js/src/gc/Nursery.cpp:565 #6 0x082dd1b1 in js::MinorGC (rt=0xf7a65008, reason=JS::gcreason::EVICT_NURSERY) at /srv/repos/mozilla-central/js/src/jsgc.cpp:4695 #7 0x08296c5c in JSCompartment::clearTraps (this=0x9323500, fop=0xf7aa5e54) at /srv/repos/mozilla-central/js/src/jscompartment.cpp:837 #8 0x08291aa7 in js::DestroyContext (cx=0x9329c98, mode=js::DCM_FORCE_GC) at /srv/repos/mozilla-central/js/src/jscntxt.cpp:270 #9 0x082455bc in JS_DestroyContext (cx=0x9329c98) at /srv/repos/mozilla-central/js/src/jsapi.cpp:873 #10 0x08055cfd in DestroyContext (cx=0x9329c98, withGC=true) at /srv/repos/mozilla-central/js/src/shell/js.cpp:4877 #11 0x080518cd in main (argc=3, argv=0xffffd174, envp=0xffffd184) at /srv/repos/mozilla-central/js/src/shell/js.cpp:5490 (gdb)
Attached patch bump-assertion (deleted) — Splinter Review
Looks like this is because LifoAlloc::Enum::popFront() doesn't behave the same as LifoAloc::alloc() - it aligns the current pointer, adds the size requested, and then aligns the pointer again. This last step is not performed when allocating, and causes the Enum's pointer to get ahead of the LifoAlloc's pointer in this case, causing the assert.
Attachment #791320 - Flags: review?(terrence)
Comment on attachment 791320 [details] [diff] [review] bump-assertion Review of attachment 791320 [details] [diff] [review]: ----------------------------------------------------------------- This is the same as bug 902227. I like this solution better though.
Attachment #791320 - Flags: review?(terrence) → review+
Pushing on Jon's behalf, since this is blocking fuzzing. https://hg.mozilla.org/integration/mozilla-inbound/rev/6b466b03f5c0
Blocks: ggcfuzz
https://hg.mozilla.org/mozilla-central/rev/6b466b03f5c0
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: