Closed
Bug 1317329
Opened 8 years ago
Closed 6 years ago
Assertion failure: mir->resumePoint(), at js/src/jit/shared/CodeGenerator-shared.cpp:1353 with OOM
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 1286505
Tracking | Status | |
---|---|---|
firefox52 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision 1196bf3032e1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

```js
loadFile(`
  function ExprArray(n,v) {
    for ( i = 0; i < n; i++)
      this[i] = v;
  }
  function perfect(n) new ExprArray(n);
  perfect(500);
`);
function loadFile(lfVarx) {
  oomTest(function() eval(lfVarx))
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
js::jit::CodeGeneratorShared::callVM (this=this@entry=0x7fffefd0c000, fun=..., ins=ins@entry=0x7fffefd1af10, dynStack=dynStack@entry=0x0) at js/src/jit/shared/CodeGenerator-shared.cpp:1353
#0  js::jit::CodeGeneratorShared::callVM (this=this@entry=0x7fffefd0c000, fun=..., ins=ins@entry=0x7fffefd1af10, dynStack=dynStack@entry=0x0) at js/src/jit/shared/CodeGenerator-shared.cpp:1353
#1  0x00000000005f67b2 in js::jit::CodeGenerator::visitOutOfLineStoreElementHole (this=0x7fffefd0c000, ool=<optimized out>) at js/src/jit/CodeGenerator.cpp:8496
#2  0x0000000000823772 in js::jit::CodeGeneratorShared::generateOutOfLineCode (this=this@entry=0x7fffefd0c000) at js/src/jit/shared/CodeGenerator-shared.cpp:183
#3  0x00000000008c4c38 in js::jit::CodeGeneratorX86Shared::generateOutOfLineCode (this=this@entry=0x7fffefd0c000) at js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:478
#4  0x000000000060847c in js::jit::CodeGenerator::generate (this=this@entry=0x7fffefd0c000) at js/src/jit/CodeGenerator.cpp:9390
#5  0x0000000000646d9a in js::jit::GenerateCode (mir=mir@entry=0x7fffefd10278, lir=0x7fffefd18750) at js/src/jit/Ion.cpp:2008
#6  0x00000000006b6ff6 in js::jit::CompileBackEnd (mir=mir@entry=0x7fffefd10278) at js/src/jit/Ion.cpp:2030
#7  0x00000000006b7afb in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffa828, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2304
#8  0x00000000006b8222 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffa828, osrPc=osrPc@entry=0x7ffff030a168 "\343\201;", forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2486
#9  0x00000000006b8ca0 in BaselineCanEnterAtBranch (pc=0x7ffff030a168 "\343\201;", osrFrame=0x7fffffffa828, script=..., cx=<optimized out>) at js/src/jit/Ion.cpp:2677
#10 js::jit::IonCompileScriptForBaseline (cx=0x7ffff695f000, frame=frame@entry=0x7fffffffa828, pc=pc@entry=0x7ffff030a168 "\343\201;") at js/src/jit/Ion.cpp:2735
#11 0x0000000000ec33d2 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff695f000, frame=0x7fffffffa828, stub=0x7fffefd0b2f8, infoPtr=0x7fffffffa7f8) at js/src/jit/BaselineIC.cpp:143
#12 0x00007ffff7e3db24 in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x20187c0	33654720
rbx	0x11e5350	18764624
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffa0d0	140737488330960
rsp	0x7fffffff9f30	140737488330544
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffefd154e8	140737216861416
r13	0x7fffefd24464	140737216922724
r14	0x7fffefd1af90	140737216884624
r15	0x201a6a0	33662624
rip	0x82a68f <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3055>
=> 0x82a68f <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3055>:	movl   $0x0,0x0
   0x82a69a <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3066>:	ud2
```
Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

Due to skipped revisions, the first bad revision could be any of:

```
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)
```

This iteration took 0.288 seconds to run.
Comment 2•7 years ago
Nicolas, what's the status here?
Comment 3•7 years ago
(In reply to Jan de Mooij [:jandem] from comment #2)
> Nicolas, what's the status here?

This is in my TODO list, and I would not be able to get to it in the upcoming month because of other priorities.
Updated•7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 4•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision aa3e49299a3a).
Comment 5•7 years ago
Too late for firefox 52, mass-wontfix.
Updated•7 years ago
Keywords: triage-deferred
Priority: -- → P3
Iain, this seems oom/oomTest-related, do you mind taking a look?
Flags: needinfo?(iireland)
Comment 7•6 years ago
This was fixed as part of bug 1286505. Prior to that patch, we had this code in IonBuilder::jsop_setelem:

```cpp
if (!setElemTryDense(&emitted, object, index, value, writeHole) || emitted)
    return emitted;
```

It was possible for setElemTryDense to set the emitted flag and then fail on a subsequent allocation: in this case, the allocation for the resume point. If that happened, we would inadvertently swallow the exception and continue with a null resume point. Eventually we would assert.

After patch 2 in bug 1286505, we have this, which avoids the bug:

```cpp
MOZ_TRY(setElemTryDense(&emitted, object, index, value, writeHole));
if (emitted)
    return Ok();
```

Closing as duplicate of 1286505.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(nicolas.b.pierron)
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE
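The control-flow difference described in comment 7, as an added illustration that is not part of the bug report or of SpiderMonkey's source: a simplified C++ model in which `Builder`, `tryDense`, `setElemOld`, `setElemNew` and `swallowsFailure` are hypothetical names and the OOM is simulated by a flag.

```cpp
// Simplified model of comment 7's pattern; all names hypothetical, not SpiderMonkey source.
#include <cstdio>

struct Builder {
    bool failResumePointAlloc = false;  // simulates OOM on the last allocation
    bool hasResumePoint = false;

    // Returns false on failure; sets *emitted before the resume point is allocated.
    bool tryDense(bool* emitted) {
        *emitted = true;
        if (failResumePointAlloc)
            return false;  // allocation failed after the flag was set
        hasResumePoint = true;
        return true;
    }
};

// Old shape: one branch handles both "failed" and "emitted" and returns the
// flag, so a failure that happens after the flag was set is reported as success.
bool setElemOld(Builder& b) {
    bool emitted = false;
    if (!b.tryDense(&emitted) || emitted)
        return emitted;
    return true;  // other strategies would be tried here
}

// New shape: propagate the failure first (the role MOZ_TRY plays in the
// fixed code), and only then look at the flag.
bool setElemNew(Builder& b) {
    bool emitted = false;
    if (!b.tryDense(&emitted))
        return false;
    if (emitted)
        return true;
    return true;  // other strategies would be tried here
}

// True when the caller is told "success" although no resume point exists,
// the state that later trips the mir->resumePoint() assertion.
bool swallowsFailure(bool (*setElem)(Builder&), bool oom) {
    Builder b;
    b.failResumePointAlloc = oom;
    return setElem(b) && !b.hasResumePoint;
}

int main() {
    std::printf("old shape, OOM: swallowed=%d\n", swallowsFailure(setElemOld, true));
    std::printf("new shape, OOM: swallowed=%d\n", swallowsFailure(setElemNew, true));
}
```

Both shapes behave identically when the allocation succeeds; they differ only on the failure-after-flag path that `oomTest` exercises.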