734976 - JS OOM Testing: Assertion failure: cx->isExceptionPending() || cx->runtime->hadOutOfMemory, at methodjit/Compiler.cpp:1010

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 7441 -f js/src/jit-test/tests/basic/bug621022-2.js


Here's the full backtrace of the last failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x44c9b1) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x45dce5) (JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x44f054) (js_NewGCObject(JSContext*, js::gc::AllocKind) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:462)
#3 js/src/debug64-trunk/js(+0x451bcd) (js::NewObjectCache::newObjectFromHit(JSContext*, int) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:1650)
#4 js/src/debug64-trunk/js(+0x461b94) (JSObject* js::NewArray<false>(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3772)
#5 js/src/debug64-trunk/js(+0x45d725) (js::NewDenseUnallocatedArray(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3841)
#6 js/src/debug64-trunk/js(+0x6d326e) (js::mjit::Compiler::jsop_newinit() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:6866)
#7 js/src/debug64-trunk/js(+0x6c06ac) (js::mjit::Compiler::generateMethod() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:2874)
#8 js/src/debug64-trunk/js(+0x6b4b76) (js::mjit::Compiler::performCompilation() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:550)
#9 js/src/debug64-trunk/js(+0x6b37ad) (js::mjit::Compiler::compile() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:150)
#10 js/src/debug64-trunk/js(+0x6b6b33) (js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:997)
#11 js/src/debug64-trunk/js(+0x5049ce) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:1777)
#12 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

JSObject::createDenseArray reports OOM on failure, but not JSObject::create or NewObjectFromCacheHit.  Make things consistent.

Comment 2

[Luke Wagner [:luke]]

Comment on attachment 613629 [details] [diff] [review]
patch

It is rather unfortunate that they take a 'cx' and don't throw.

Comment 3

[Brian Hackett [Laid off!]]

Actually, it looks like ArenaLists::refillFreeList does report on OOM, and that the problem is in the JS_OOM_POSSIBLY_FAIL in jsgcinlines.h.  Christian, can you change this so that it calls js_ReportOutOfMemory(cx) when the OOM trigger is hit?

Comment 4

[Christian Holler (:decoder)]

Attachment: Patch

Patch that introduces a second macro that also calls js_ReportOutOfMemory with the given context. Currently only used in jsgcinlines then.

Comment 5

[Christian Holler (:decoder)]

Trying out this new autoland feature now before asking Gary to land this for me :D

Comment 6

[Mozilla RelEng Bot]

Autoland Patchset:
	Patches: 613803
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=93bf36c6da64
Try run started, revision 93bf36c6da64. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64

Comment 7

[Mozilla RelEng Bot]

Try run for 93bf36c6da64 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64
Results (out of 15 total builds):
    exception: 8
    failure: 7
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-93bf36c6da64

Comment 8

[Christian Holler (:decoder)]

Attachment: Updated patch

Fixed patch, nothing to see here, move along (or: breaking builds - like a boss).

Comment 9

[Mozilla RelEng Bot]

Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.

Comment 10

[Mozilla RelEng Bot]

Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.

Comment 11

[Christian Holler (:decoder)]

Once more, now with fixed privileges :)

Comment 12

[Mozilla RelEng Bot]

Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=006f8487b8ac
Try run started, revision 006f8487b8ac. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac

Comment 13

[Mozilla RelEng Bot]

Try run for 006f8487b8ac is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac
Results (out of 15 total builds):
    success: 15
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-006f8487b8ac

Comment 14

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

http://hg.mozilla.org/integration/mozilla-inbound/rev/cc905c76d8d5

Comment 15

[:Ms2ger (he/him; ⌚ UTC+1/+2)]

https://hg.mozilla.org/mozilla-central/rev/cc905c76d8d5