Closed Bug 925146 Opened 11 years ago Closed 10 years ago

Crash [@ js::types::TypeObjectKey::unknownProperties] with OOM

Categories: Core :: JavaScript Engine, defect

Platform: x86 Linux
Severity: critical

Status: RESOLVED WORKSFORME

People: Reporter: decoder, Unassigned

References: Blocks 1 open bug

Details: Keywords: crash, testcase; Whiteboard: [jsbugmon:]

Attachments: 2 files

Attached file Testcase for shell
The attached testcase crashes on mozilla-central revision 64b497e6f593 (run with --fuzzing-safe --ion-eager).
Please kill it with fire before it lays eggs. Thanks :)
Blocks: 912928
Flags: needinfo?(terrence)
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
On 64bit I'm getting the correct OOM exception and on 32bit it's completing successfully. I used the following configury:

CC="gcc -m64" CXX="g++ -m64" ./configure --enable-optimize --enable-debug --enable-debug-symbols --enable-valgrind --enable-gczeal --enable-more-deterministic --enable-methodjit --enable-type-inference --enable-profiling --without-intl-api --disable-tests

I don't know enough about this code to infer what might be going on from the stack alone. Forwarding to Brian, who may have a better idea.
Flags: needinfo?(terrence) → needinfo?(bhackett1024)
I don't see a stack here.
Flags: needinfo?(bhackett1024)
Perhaps the stack in comment 1 doesn't suffice, gdb stack needed?
Flags: needinfo?(choller)
Yeah, it would be good to get a full gdb stack with a specified revision, especially when hitting a crash rather than an assertion failure. There are currently some MOZ_CRASH()'es which will be triggered by OOM in functions around here, which will largely go away when bug 924611 lands.
Stack:

Program received signal SIGSEGV, Segmentation fault.
0x082e9df6 in js::types::TypeObjectKey::unknownProperties (this=<optimized out>) at js/src/jsinfer.cpp:687
687             MOZ_CRASH();
(gdb) bt
#0  0x082e9df6 in js::types::TypeObjectKey::unknownProperties (this=<optimized out>) at js/src/jsinfer.cpp:687
#1  0x082e1272 in js::types::TypeObjectKey::unknownProperties (this=0xf7932421) at js/src/jsinfer.cpp:686
#2  0x084aad10 in getSingletonPrototype (target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4610
#3  js::jit::IonBuilder::createThisScriptedSingleton (this=0x936c8b0, target=0xf7932420, callee=0x936d368) at js/src/jit/IonBuilder.cpp:4623
#4  0x084abbdd in createThis (callee=0x936d368, target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4675
#5  js::jit::IonBuilder::makeCallHelper (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5129
#6  0x084b0317 in js::jit::IonBuilder::makeCall (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5203
#7  0x084cbcbb in js::jit::IonBuilder::jsop_call (this=0x936c8b0, argc=4, constructing=true) at js/src/jit/IonBuilder.cpp:4955
#8  0x084cd748 in js::jit::IonBuilder::inspectOpcode (this=0x936c8b0, op=JSOP_NEW) at js/src/jit/IonBuilder.cpp:1471
#9  0x084c503f in js::jit::IonBuilder::traverseBytecode (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:1165
#10 0x084ce05e in js::jit::IonBuilder::build (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:605
#11 0x0848be32 in IonCompile (executionMode=js::SequentialExecution, constructing=2, osrPc=0x0, baselineFrame=0x0, script=0xf792cf80, cx=0x9350c88) at js/src/jit/Ion.cpp:1612
And here's a stack for the out of memory, maybe that helps even more:

Breakpoint 1, js_ReportOutOfMemory (cxArg=0x9350c88) at js/src/jscntxt.cpp:351
351     {
(gdb) bt
#0  js_ReportOutOfMemory (cxArg=0x9350c88) at js/src/jscntxt.cpp:351
#1  0x082d41aa in js::gc::ArenaLists::refillFreeList<(js::AllowGC)1> (cx=0x9350c88, thingKind=js::gc::FINALIZE_SCRIPT) at js/src/jsgc.cpp:1568
#2  0x0836f710 in NewGCThing<JSScript, (js::AllowGC)1> (cx=0x9350c88, kind=<optimized out>, thingSize=<optimized out>, heap=<optimized out>) at ../jsgcinlines.h:450
#3  js_NewGCScript (cx=0x9350c88) at ../jsgcinlines.h:501
#4  JSScript::Create (cx=0x9350c88, enclosingScope=..., savedCallerFun=false, options=..., staticLevel=1, sourceObject=..., bufStart=69, bufEnd=84) at js/src/jsscript.cpp:1678
#5  0x086d23df in js::frontend::CompileLazyFunction (cx=0x9350c88, lazy=0xf7938070, chars=0x937498a, length=15) at js/src/frontend/BytecodeCompiler.cpp:447
#6  0x082ae07a in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x9350c88, fun=...) at js/src/jsfun.cpp:1178
#7  0x082e109d in getOrCreateScript (cx=0x9350c88, this=<optimized out>) at ../jsfun.h:271
#8  JSObject::makeLazyType (cx=0x9350c88, obj=...) at js/src/jsinfer.cpp:3348
#9  0x0826ef9b in JSObject::getType (this=0xf7932420, cx=0x9350c88) at ../jsobjinlines.h:356
#10 0x082e1244 in js::types::TypeObjectKey::unknownProperties (this=0xf7932421) at js/src/jsinfer.cpp:685
#11 0x084aad10 in getSingletonPrototype (target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4610
#12 js::jit::IonBuilder::createThisScriptedSingleton (this=0x936c8b0, target=0xf7932420, callee=0x936d368) at js/src/jit/IonBuilder.cpp:4623
#13 0x084abbdd in createThis (callee=0x936d368, target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4675
#14 js::jit::IonBuilder::makeCallHelper (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5129
#15 0x084b0317 in js::jit::IonBuilder::makeCall (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5203
#16 0x084cbcbb in js::jit::IonBuilder::jsop_call (this=0x936c8b0, argc=4, constructing=true) at js/src/jit/IonBuilder.cpp:4955
#17 0x084cd748 in js::jit::IonBuilder::inspectOpcode (this=0x936c8b0, op=JSOP_NEW) at js/src/jit/IonBuilder.cpp:1471
#18 0x084c503f in js::jit::IonBuilder::traverseBytecode (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:1165
#19 0x084ce05e in js::jit::IonBuilder::build (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:605
#20 0x0848be32 in IonCompile (executionMode=js::SequentialExecution, constructing=2, osrPc=0x0, baselineFrame=0x0, script=0xf792cf80, cx=0x9350c88) at js/src/jit/Ion.cpp:1612
Flags: needinfo?(choller)
Needinfo from Brian for the stacks in the previous comment :)
Flags: needinfo?(bhackett1024)
Yeah, that's one of the MOZ_CRASH'es referenced in comment 7.
Depends on: 924611
Flags: needinfo?(bhackett1024)
Bug 924611 has landed. Does this still reproduce?
Flags: needinfo?(choller)
I haven't seen this in the OOM fuzzer anymore, so I assume it's fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME