1382434 - Assertion failure: result.unwrapErr() == AbortReason::Error, at js/src/jit/IonBuilder.cpp:3795 with OOM

Status: RESOLVED DUPLICATE of bug 1416794

(Core :: JavaScript Engine, defect, P3)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1b065ffd8a53 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):

function f(arr) {}
function test(out)
  f(arr);
var obj = {};
try { test(obj); } catch (lfVare) {}
loadFile(`
function f() {
  this.e = function() {};
  expect.defineProperty(this, 
    test(() => Number.prototype.i.call(-Infinity, 555), i), {}
  );
}
new f();
`);
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#0  0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#1  0x083090c4 in js::jit::IonBuilder::inlineSingleCall (this=0xffffa224, callInfo=..., targetArg=0xf5382c20) at js/src/jit/IonBuilder.cpp:4319
#2  0x0830a875 in js::jit::IonBuilder::inlineCallsite (this=0xffffa224, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4373
#3  0x0830abed in js::jit::IonBuilder::jsop_call (this=0xffffa224, argc=2, constructing=false, ignoresReturnValue=false) at js/src/jit/IonBuilder.cpp:5375
#4  0x083100f6 in js::jit::IonBuilder::inspectOpcode (this=0xffffa224, op=JSOP_CALL) at js/src/jit/IonBuilder.cpp:2041
#5  0x0831133c in js::jit::IonBuilder::visitBlock (this=0xffffa224, cfgblock=0xf798f29c, mblock=0xf79b82e0) at js/src/jit/IonBuilder.cpp:1539
#6  0x08306ff1 in js::jit::IonBuilder::traverseBytecode (this=0xffffa224) at js/src/jit/IonBuilder.cpp:1456
#7  0x08307c54 in js::jit::IonBuilder::build (this=0xffffa224) at js/src/jit/IonBuilder.cpp:846
#8  0x083159da in js::jit::AnalyzeNewScriptDefiniteProperties (cx=0xf791d000, fun=..., group=0xf536a538, baseobj=..., initializerList=0xffffa568) at js/src/jit/IonAnalysis.cpp:4230
#9  0x088655b2 in js::TypeNewScript::maybeAnalyze (this=0xf519cca0, cx=0xf791d000, group=0xf536a538, regenerate=0x0, force=true) at js/src/vm/TypeInference.cpp:3861
#10 0x08074410 in js::jit::IonCompile (cx=cx@entry=0xf791d000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2198
#11 0x0831a2cd in js::jit::Compile (cx=cx@entry=0xf791d000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=0x0, forceRecompile=false) at js/src/jit/Ion.cpp:2448
#12 0x0831a450 in js::jit::CanEnter (cx=0xf791d000, state=...) at js/src/jit/Ion.cpp:2545
#13 0x081731d7 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:386
#14 0x0817374d in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#15 0x081745ea in InternalConstruct (cx=0xf791d000, cx@entry=0xd7792b00, args=...) at js/src/vm/Interpreter.cpp:563
#16 0x081747d3 in js::ConstructFromStack (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:599
#17 0x0823b967 in js::jit::DoCallFallback (cx=0xf791d000, frame=0xf55ffc98, stub_=0xf79b6030, argc=0, vp=0xf55ffc50, res=...) at js/src/jit/BaselineIC.cpp:2530
#18 0x084fa1f5 in js::jit::Simulator::softwareInterrupt (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:2624
#19 0x084fa5c6 in js::jit::Simulator::decodeType7 (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:3784
#20 0x084fbd42 in js::jit::Simulator::instructionDecode (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:4761
#21 0x084fc294 in js::jit::Simulator::execute<false> (this=0xf7974000) at js/src/jit/arm/Simulator-arm.cpp:4831
#22 js::jit::Simulator::callInternal (this=0xf7974000, entry=0x3db3da38 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4916
#23 0x084fc611 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4999
#24 0x0821a0c2 in EnterBaseline (cx=cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#25 0x082345dd in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#26 0x08173322 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:400
#27 0x081735f8 in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#28 0x081738af in InternalCall (cx=cx@entry=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:515
#29 0x08173a4a in js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#30 0x08566272 in JS_CallFunction (cx=0xf791d000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2907
#31 0x084835e9 in OOMTest (cx=0xf791d000, argc=1, vp=0xf55ffd88) at js/src/builtin/TestingFunctions.cpp:1549
[...]
#67 main (argc=5, argv=0xffffcdd4, envp=0xffffcdec) at js/src/shell/js.cpp:8515
eax	0x0	0
ebx	0xffffa224	-24028
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xffff9dbc	-25156
edi	0xffff99a4	-26204
ebp	0xffff9c38	4294941752
esp	0xffff9900	4294940928
eip	0x8308f8e <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>
=> 0x8308f8e <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>:	movl   $0x0,0x0
   0x8308f98 <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2264>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f650c0df72f9).
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161208073857" and the hash "422dd1f29d6e8e8d05300e02849724e7d5d032f0".
The "bad" changeset has the timestamp "20170116071021" and the hash "da40eaad661d01bcc0622e103f71a8915820acb2".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=422dd1f29d6e8e8d05300e02849724e7d5d032f0&tochange=da40eaad661d01bcc0622e103f71a8915820acb2

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/261ebf2e8bbd
user:        Tom Schuster
date:        Wed Nov 15 16:19:37 2017 +0100
summary:     Bug 1319512 - Disable expression closures on Nightly. r=jandem

Tom/Jan, is bug 1319512 a likely fix?

Comment 3

[Tom S [:evilpie]]

I think the test case just broke, because we disabaled function expression. You can try if this still reproduces:

function f(arr) {}
function test(out) {
  f(arr);
}
var obj = {};
try { test(obj); } catch (lfVare) {}
loadFile(`
function f() {
  this.e = function() {};
  expect.defineProperty(this, 
    test(() => Number.prototype.i.call(-Infinity, 555), i), {}
  );
}
new f();
`);
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

With the testcase in comment 3,

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0eca45c6fb2d
user:        Nicolas B. Pierron
date:        Fri Dec 23 15:54:10 2016 +0000
summary:     Bug 1286505 part 2 - Use Result<V,E> to report errors within IonBuilder. r=h4writer

However, it no longer seems to reproduce on m-c tip rev 768eef11f5ff either, continuing to dig in...

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e6be8071c22b
user:        Nicolas B. Pierron
date:        Fri Nov 17 13:21:08 2017 +0000
summary:     Bug 1416794 - InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc. r=jandem

Nicolas, is bug 1416794 a likely fix?

Comment 6

[Nicolas B. Pierron [:nbp]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Nicolas, is bug 1416794 a likely fix?

This sounds very likely.