Closed
Bug 1111253
Opened 10 years ago
Closed 10 years ago
Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla37
| | Tracking | Status |
|---|---|---|
| firefox37 | --- | fixed |
People
(Reporter: gkw, Assigned: Waldo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,testComment=5,origRev=5288b15d22de])
Attachments
(2 files)
3.13 KB, text/plain
722 bytes, patch | jandem: review+
```
load("z.js");
gczeal(7, 1);
// Randomly chosen test: js/src/jit-test/tests/gc/bug-957110.js
gcparam("maxBytes", gcparam("gcBytes") + 1);
// Randomly chosen test: js/src/tests/js1_7/geniter/regress-350621.js
funcName = "x"
if (!funcName.match(/z/)) {
    funcName += "()";
}
for (var c = 0; c < 9; ++c) {
    for (d in (function() {
        for (var a = 0; a < 9; ++a) yield;
    })()) {}
}
// jsfunfuzz
[];
```

and z.js is:

```
k = new Array;
s = new Array
function f2() function() function() Cap = function() {
    if (/x/) {}
}
function ode() {}
function i() function() {}
function pus() function ger() function() {
    /x/; /x/; /x/; /x/; /x/; /x/
}
function unc() {
    /x/
}
function Fnc(une) {
    /x/
}
function cur() {}
function igO() function rce() {
    ece(/x/, "");
    /x/; /x/; /x/; /x/; /x/; /x/; /x/; /x/; /x/
    try {} catch (x) {}
}
function optionsInit() {
    ues = {}
    ops = []
    mes = options().split(",")
}
function ear() function oph() function() function ptt() {}
optionsInit()
function wlt() {
    if (och(/x/)) {}
}
```

asserts js debug shell on m-c changeset 5288b15d22de with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp.

Debug configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/gc/bug-957110.js
http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/tests/js1_7/geniter/regress-350621.js

During reduction, this also asserted js shells from FTP at: (though the final reduced testcase does not seem to)

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-12-11-mozilla-central-debug/jsshell-mac64.zip

autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/95144f555ba4
user:      Jeff Walden
date:      Tue Sep 23 13:03:40 2014 -0700
summary:   Bug 1052139 - Implement the ability to prevent modifying an extensible object's [[Prototype]]. r=efaust, r=bholley
```

Waldo, any idea what's going on here? (If it's an OOM bug, this bisection to bug 1052139 isn't likely to be correct)
Flags: needinfo?(jwalden+bmo)
Reporter
Comment 1•10 years ago

```
(lldb) bt 5
* thread #1: tid = 0x1f5aee, 0x00000001005511f7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::ThrowStopIteration(cx=<unavailable>) + 247 at jsiter.cpp:820, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005511f7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::ThrowStopIteration(cx=<unavailable>) + 247 at jsiter.cpp:820
    frame #1: 0x00000001006518f9 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::GeneratorObject::finalSuspend(cx=0x0000000101b14ed0, obj=<unavailable>) + 201 at GeneratorObject.cpp:102
    frame #2: 0x0000000100436ec6 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::jit::FinalSuspend(cx=0x0000000101b14ed0, frame=0x00007fff5fbfe028, pc=0x0000000101e22762, obj=<unavailable>) + 38 at VMFunctions.cpp:862
    frame #3: 0x0000000101aedfd5
    frame #4: 0x0000000101f10d7a
(lldb)
```
Assignee
Comment 2•10 years ago

It's an OOM issue unrelated to me. In my tree it minimizes to this:

```
var bytes = gcparam("gcBytes");
gcparam("maxBytes", bytes);
for (var c = 0; c < 9; ++c) {
    var gen = (function() {
        for (var a = 0; a < 6; ++a) yield;
    })();
    for (d in gen) {}
}
```

My tree fails without this patch, passes with. This is the stack when the shell's OOM callback is called:

```
Breakpoint 3, my_OOMCallback (cx=0x1d93560, data=0x0) at /home/jwalden/moz/slots/js/src/shell/js.cpp:4741
4741 if (!JS_IsRunning(cx))
(gdb) bt
#0 my_OOMCallback (cx=0x1d93560, data=0x0) at /home/jwalden/moz/slots/js/src/shell/js.cpp:4741
#1 0x0000000000a96160 in js_ReportOutOfMemory (cxArg=0x1d93560) at /home/jwalden/moz/slots/js/src/jscntxt.cpp:368
#2 0x0000000000ba2db4 in js::gc::GCRuntime::refillFreeListFromMainThread<(js::AllowGC)1> (cx=0x1d93560, thingKind=js::gc::FINALIZE_JITCODE) at /home/jwalden/moz/slots/js/src/jsgc.cpp:3059
#3 0x0000000000ba2a9d in js::gc::GCRuntime::refillFreeListFromAnyThread<(js::AllowGC)1> (cx=0x1d93560, thingKind=js::gc::FINALIZE_JITCODE) at /home/jwalden/moz/slots/js/src/jsgc.cpp:3104
#4 0x000000000092f694 in js::gc::AllocateNonObject<js::jit::JitCode, (js::AllowGC)1> (cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jsgcinlines.h:625
#5 0x00000000008d8f65 in js::NewJitCode<(js::AllowGC)1> (cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jsgcinlines.h:696
#6 0x00000000008d8eda in js::jit::JitCode::New<(js::AllowGC)1> (cx=0x1d93560, code=0x7fffefe0e378 "", bufferSize=13160, headerSize=8, pool=0x1daada0, kind=js::jit::ION_CODE) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:702
#7 0x0000000000802b02 in js::jit::Linker::newCode<(js::AllowGC)1> (this=0x7fffffffc6c0, cx=0x1d93560, execAlloc=0x1e39c30, kind=js::jit::ION_CODE) at /home/jwalden/moz/slots/js/src/jit/Linker.h:57
#8 0x00000000007d8af3 in js::jit::Linker::newCodeForIonScript (this=0x7fffffffc6c0, cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jit/Linker.h:87
#9 0x0000000000784914 in js::jit::CodeGenerator::link (this=0x1e66350, cx=0x1d93560, constraints=0x1e16660) at /home/jwalden/moz/slots/js/src/jit/CodeGenerator.cpp:7504
#10 0x00000000008d6746 in js::jit::IonCompile (cx=0x1d93560, script=0x7ffff7e621a8, baselineFrame=0x7fffffffce90, osrPc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, constructing=false, executionMode=js::SequentialExecution, recompile=false, optimizationLevel=js::jit::Optimization_Normal) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2007
#11 0x00000000008491ba in js::jit::Compile (cx=0x1d93560, script=0x7ffff7e621a8, osrFrame=0x7fffffffce90, osrPc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, constructing=false, executionMode=js::SequentialExecution, forceRecompile=false) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2156
#12 0x0000000000848a4a in js::jit::CanEnterAtBranch (cx=0x1d93560, script=0x7ffff7e621a8, osrFrame=0x7fffffffce90, pc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2225
#13 0x00000000007a3cf8 in js::jit::EnsureCanEnterIon (cx=0x1d93560, stub=0x1e90ae0, frame=0x7fffffffce90, script=0x7ffff7e621a8, pc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, jitcodePtr=0x7fffffffcd98) at /home/jwalden/moz/slots/js/src/jit/BaselineIC.cpp:819
#14 0x00000000007313c4 in js::jit::DoWarmUpCounterFallback (cx=0x1d93560, stub=0x1e90ae0, frame=0x7fffffffce90, infoPtr=0x7fffffffce58) at /home/jwalden/moz/slots/js/src/jit/BaselineIC.cpp:990
```

Given IonCompile is the thing that is failing to distinguish a nullptr return as being a reason to disable, and as being an actual error, I think this is the right place to adjust things. But it's possible I'm mistaken about that, so feel free to complain if you think another place makes sense.
Attachment #8536876 -
Flags: review?(jdemooij)
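The ambiguity Comment 2 describes, where a single nullptr return covers both "do not use this tier" and "an error was reported", modelled as an added example; it is not the attached patch and not SpiderMonkey code. `Ctx`, `linkCode`, `compileAmbiguous`, `compileChecked` and `invariantHolds` are hypothetical names, and `exceptionPending` stands in for `JS_IsExceptionPending(cx)`.

```cpp
#include <cstdio>

// Toy model of the bug class; every name here is hypothetical.
struct Ctx {
    bool exceptionPending = false;  // stands in for JS_IsExceptionPending(cx)
    bool heapFull = false;          // stands in for gcBytes having reached maxBytes
};
enum class Status { Compiled, CantCompile, Error };
struct Code { int size; };

// Returns nullptr in two different situations:
// the script is unsupported (nothing reported), or allocation failed (OOM reported).
Code* linkCode(Ctx& cx, bool supported) {
    static Code code{1};            // constructed placeholder for generated code
    if (!supported) return nullptr;
    if (cx.heapFull) {
        cx.exceptionPending = true; // models the OOM report seen in the gdb stack
        return nullptr;
    }
    return &code;
}

// Ambiguous caller: every nullptr is read as "disable the optimizing tier".
Status compileAmbiguous(Ctx& cx, bool supported) {
    return linkCode(cx, supported) ? Status::Compiled : Status::CantCompile;
}

// Disambiguating caller: a nullptr with an error reported is propagated as an error.
Status compileChecked(Ctx& cx, bool supported) {
    if (linkCode(cx, supported)) return Status::Compiled;
    return cx.exceptionPending ? Status::Error : Status::CantCompile;
}

// Invariant later code asserts: if execution continues, nothing is pending.
bool invariantHolds(const Ctx& cx, Status s) {
    return s == Status::Error || !cx.exceptionPending;
}

int main() {
    Ctx a; a.heapFull = true;
    Ctx b; b.heapFull = true;
    Status sa = compileAmbiguous(a, true);
    Status sb = compileChecked(b, true);
    std::printf("ambiguous: invariant %s\n", invariantHolds(a, sa) ? "holds" : "broken");
    std::printf("checked:   invariant %s\n", invariantHolds(b, sb) ? "holds" : "broken");
}
```

With the ambiguous caller, execution continues in the lower tier while the error is still pending, which is the state the `!JS_IsExceptionPending(cx)` assertion rejects.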
Assignee
Updated•10 years ago
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Assignee
Updated•10 years ago
Flags: needinfo?(jwalden+bmo)
Updated•10 years ago
Attachment #8536876 -
Flags: review?(jdemooij) → review+
Assignee
Comment 3•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6a5567c6a8d5
Comment 4•10 years ago
https://hg.mozilla.org/mozilla-central/rev/6a5567c6a8d5
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Reporter
Comment 5•10 years ago

```
var bytes = gcparam("gcBytes");
gcparam("maxBytes", bytes);
for (var c = 0; c < 9; ++c) {
    var gen = (function() {
        for (var a = 0; a < 6; ++a) yield;
    })();
    for (d in gen) {}
}
```

asserts js debug shell on m-c changeset 5288b15d22de with --no-threads --ion-eager at Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp.

(I made the testcase in comment 2 into a standalone one, let's see if jsbugmon can do verification)
Whiteboard: [jsbugmon:update,testComment=5,origRev=5288b15d22de]
Reporter
Updated•10 years ago
Flags: in-testsuite?
Assignee
Comment 6•10 years ago
Looks like no. I'm not surprised. As a practical matter, I doubt this is testable.