Assertion failure: !hasBlackEntries(), at js/src/gc/Marking.cpp:2474
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | wontfix |
firefox70 | --- | fixed |
People
(Reporter: gkw, Assigned: sfink)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 1e64b8a0c546 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/weak-marking-varying.js
let g = newGlobal();
g.eval('enqueueMark("set-color-gray")');
g.eval('enqueueMark("yield")');
gcslice(100000);
g.eval("");
Backtrace:
#0 js::GCMarker::setMarkColorGray (this=0x7feb634276f8) at js/src/gc/Marking.cpp:2474
#1 0x00005639d5c2a94e in js::GCMarker::setMarkColor (this=<optimized out>, newColor=<optimized out>) at js/src/gc/Marking.cpp:2469
#2 js::gc::AutoSetMarkColor::AutoSetMarkColor (this=<optimized out>, marker=..., newColor=js::gc::MarkColor::Gray) at js/src/gc/GCMarker.h:475
#3 js::GCMarker::processMarkQueue (this=0x7feb634276f8) at js/src/gc/Marking.cpp:1508
#4 0x00005639d5c2c80e in js::gc::GCRuntime::markUntilBudgetExhausted (this=<optimized out>, sliceBudget=..., phase=js::gcstats::PhaseKind::SWEEP_MARK) at js/src/gc/GC.cpp:6162
/snip
For detailed crash information, see attachment.
Setting s-s as a start as this is a GC assert.
Reporter | ||
Comment 1•5 years ago
|
||
Reporter | ||
Comment 2•5 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4ad75b878827
user: Steve Fink
date: Wed Jul 24 14:29:22 2019 -0700
summary: Backed out changeset 617df479fac1 (bug 1167452)
Steve, not sure if this is correct? Which is the actual regressor?
Updated•5 years ago
|
Assignee | ||
Comment 3•5 years ago
|
||
Actual regressing patch is https://hg.mozilla.org/mozilla-central/rev/d5c768b50d69599582f6bff5376fa5acc300fa3e but the regression is correct; 617df479fac1 allowed marking black during gray marking, so backing that out broke this.
This is test-only.
Assignee | ||
Comment 4•5 years ago
|
||
Comment 5•5 years ago
|
||
Steve, it seems that this patch is r+, is there a reason not to land it yet? (which would remove it from our regression triage list weekly meeting ;) ) Thanks
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2909b0a1eb06 Postpone switching to gray as long as black is on the mark stack r=jonco
(In reply to Pascal Chevrel:pascalc from comment #5)
Steve, it seems that this patch is r+, is there a reason not to land it yet? (which would remove it from our regression triage list weekly meeting ;) )
Sorry, I should have left instructions. I've been on PTO for the last 8 days. I just landed it.
(Ugh, and it seems like I have my bugzilla accounts tangled up somehow.)
Assignee | ||
Updated•5 years ago
|
Comment 8•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Doesn't sound like we need to backport this given comment 3.
Description
•