Closed Bug 1109328 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::BaselineCompiler::emitBody] or [@ js::jit::Assembler::toggledCall] or [jsdbg2] Fix an OOM handling case during debug mode OSR

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox36 --- fixed
firefox37 --- fixed

People

(Reporter: shu, Assigned: shu)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,testComment=2])

Crash Data

Attachments

(2 files)

Fix an OOM case when compiling debug instrumentation in Baseline.
1.94 KB, patch
jandem
: review+
Details | Diff | Splinter Review
stack
7.63 KB, text/plain
Details 
When doing debug mode OSR, going OOM when trying to get the debug trap handler in BaselineCompiler is incorrectly ignored.
I would like a test for this, but I can't reduce the fuzz test or come up with
one that goes OOM at precisely the right point.

Also fixes a bug in Debugger where we the frame map isn't correctly synced if
ensureObservability failed.
Attachment #8534009 - Flags: review?(jdemooij)
Attached file stack 
try {
    gcslice(0)(""());
} catch (e) {}
g = newGlobal()
g.parent = this
g.eval("Debugger(parent).onExceptionUnwind=(function(){})");
gcparam("maxBytes", gcparam("gcBytes"));
$

crashes js debug shell on m-i rev 96b86345fe30 with --fuzzing-safe --no-threads --ion-eager at js::jit::Assembler::toggledCall

(Shu-yu gave me access to the testcase, I merely helped to reduce, so credit goes to Langfuzz)

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-inbound/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Assignee: nobody → shu
Severity: normal → critical
Status: NEW → ASSIGNED
status-firefox37: --- → affected
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update,testComment=2]
Version: unspecified → Trunk
Crash Signature: [@ js::jit::Assembler::toggledCall]
Summary: [jsdbg2] Fix an OOM handling case during debug mode OSR → Crash [@ [@ js::jit::Assembler::toggledCall]] or [jsdbg2] Fix an OOM handling case during debug mode OSR
Crash Signature: [@ js::jit::Assembler::toggledCall] → [@ js::jit::Assembler::toggledCall] [@ js::jit::BaselineCompiler::emitBody]
Summary: Crash [@ [@ js::jit::Assembler::toggledCall]] or [jsdbg2] Fix an OOM handling case during debug mode OSR → Crash [@ js::jit::BaselineCompiler::emitBody] or [@ js::jit::Assembler::toggledCall] or [jsdbg2] Fix an OOM handling case during debug mode OSR
Attachment #8534009 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/049230caef34
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Blocks: 1114757
Fixed for Fx36 by the roll-up in bug 1114757.
status-firefox36: --- → fixed
status-firefox37: affectedfixed
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.