Closed Bug 1111253 Opened 10 years ago Closed 10 years ago

Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla37
Tracking Status
firefox37 --- fixed

People

(Reporter: gkw, Assigned: Waldo)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,testComment=5,origRev=5288b15d22de])

Attachments

(2 files)

load("z.js");
gczeal(7, 1);
// Randomly chosen test: js/src/jit-test/tests/gc/bug-957110.js
gcparam("maxBytes", gcparam("gcBytes") + 1);
// Randomly chosen test: js/src/tests/js1_7/geniter/regress-350621.js
funcName = "x"
if (!funcName.match(/z/)) {
    funcName += "()";
}
for (var c = 0; c < 9; ++c) {
    for (d in (function() {
        for (var a = 0; a < 9; ++a)
            yield;
    })()) {}
}
// jsfunfuzz
[];


and z.js is:


k = new Array;
s = new Array
function f2()
function()
function() Cap = function() {
    if (/x/) {}
}
function ode() {}
function i()
function() {}
function pus()
function ger()
function() {
    /x/;
    /x/;
    /x/;
    /x/;
    /x/;
    /x/
}
function unc() {
    /x/
}
function Fnc(une) {
    /x/
}
function cur() {}
function igO()
function rce() {
    ece(/x/, "");
    /x/;
    /x/;
    /x/;
    /x/;
    /x/;
    /x/;
    /x/;
    /x/;
    /x/
    try {} catch (x) {}
}
function optionsInit() {
    ues = {}
    ops = []
    mes = options().split(",")
}
function ear()
function oph()
function()
function ptt() {}
optionsInit()
function wlt() {
    if (och(/x/)) {}
}


asserts js debug shell on m-c changeset 5288b15d22de with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random js tests together with jsfunfuzz, the specific file(s) is/are:

http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/jit-test/tests/gc/bug-957110.js
http://hg.mozilla.org/mozilla-central/file/5288b15d22de/js/src/tests/js1_7/geniter/regress-350621.js

During reduction, this also asserted js shells from FTP at: (though the final reduced testcase does not seem to)

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-12-11-mozilla-central-debug/jsshell-mac64.zip

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/95144f555ba4
user:        Jeff Walden
date:        Tue Sep 23 13:03:40 2014 -0700
summary:     Bug 1052139 - Implement the ability to prevent modifying an extensible object's [[Prototype]].  r=efaust, r=bholley

Waldo, any idea what's going on here? (If it's an OOM bug, this bisection to bug 1052139 isn't likely to be correct)
Flags: needinfo?(jwalden+bmo)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x1f5aee, 0x00000001005511f7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::ThrowStopIteration(cx=<unavailable>) + 247 at jsiter.cpp:820, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005511f7 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::ThrowStopIteration(cx=<unavailable>) + 247 at jsiter.cpp:820
    frame #1: 0x00000001006518f9 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::GeneratorObject::finalSuspend(cx=0x0000000101b14ed0, obj=<unavailable>) + 201 at GeneratorObject.cpp:102
    frame #2: 0x0000000100436ec6 js-dbg-opt-64-dm-nsprBuild-darwin-5288b15d22de`js::jit::FinalSuspend(cx=0x0000000101b14ed0, frame=0x00007fff5fbfe028, pc=0x0000000101e22762, obj=<unavailable>) + 38 at VMFunctions.cpp:862
    frame #3: 0x0000000101aedfd5
    frame #4: 0x0000000101f10d7a
(lldb)
It's an OOM issue unrelated to me.  In my tree it minimizes to this:

var bytes = gcparam("gcBytes");
gcparam("maxBytes", bytes);

for (var c = 0; c < 9; ++c) {
    var gen = (function() {
        for (var a = 0; a < 6; ++a)
            yield;
    })();

    for (d in gen) {}
}

My tree fails without this patch, passes with.  This is the stack when the shell's OOM callback is called:

Breakpoint 3, my_OOMCallback (cx=0x1d93560, data=0x0) at /home/jwalden/moz/slots/js/src/shell/js.cpp:4741
4741	    if (!JS_IsRunning(cx))
(gdb) bt
#0  my_OOMCallback (cx=0x1d93560, data=0x0) at /home/jwalden/moz/slots/js/src/shell/js.cpp:4741
#1  0x0000000000a96160 in js_ReportOutOfMemory (cxArg=0x1d93560) at /home/jwalden/moz/slots/js/src/jscntxt.cpp:368
#2  0x0000000000ba2db4 in js::gc::GCRuntime::refillFreeListFromMainThread<(js::AllowGC)1> (cx=0x1d93560, thingKind=js::gc::FINALIZE_JITCODE)
    at /home/jwalden/moz/slots/js/src/jsgc.cpp:3059
#3  0x0000000000ba2a9d in js::gc::GCRuntime::refillFreeListFromAnyThread<(js::AllowGC)1> (cx=0x1d93560, thingKind=js::gc::FINALIZE_JITCODE)
    at /home/jwalden/moz/slots/js/src/jsgc.cpp:3104
#4  0x000000000092f694 in js::gc::AllocateNonObject<js::jit::JitCode, (js::AllowGC)1> (cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jsgcinlines.h:625
#5  0x00000000008d8f65 in js::NewJitCode<(js::AllowGC)1> (cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jsgcinlines.h:696
#6  0x00000000008d8eda in js::jit::JitCode::New<(js::AllowGC)1> (cx=0x1d93560, code=0x7fffefe0e378 "", bufferSize=13160, headerSize=8, pool=0x1daada0, 
    kind=js::jit::ION_CODE) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:702
#7  0x0000000000802b02 in js::jit::Linker::newCode<(js::AllowGC)1> (this=0x7fffffffc6c0, cx=0x1d93560, execAlloc=0x1e39c30, kind=js::jit::ION_CODE)
    at /home/jwalden/moz/slots/js/src/jit/Linker.h:57
#8  0x00000000007d8af3 in js::jit::Linker::newCodeForIonScript (this=0x7fffffffc6c0, cx=0x1d93560) at /home/jwalden/moz/slots/js/src/jit/Linker.h:87
#9  0x0000000000784914 in js::jit::CodeGenerator::link (this=0x1e66350, cx=0x1d93560, constraints=0x1e16660)
    at /home/jwalden/moz/slots/js/src/jit/CodeGenerator.cpp:7504
#10 0x00000000008d6746 in js::jit::IonCompile (cx=0x1d93560, script=0x7ffff7e621a8, baselineFrame=0x7fffffffce90, 
    osrPc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, constructing=false, executionMode=js::SequentialExecution, 
    recompile=false, optimizationLevel=js::jit::Optimization_Normal) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2007
#11 0x00000000008491ba in js::jit::Compile (cx=0x1d93560, script=0x7ffff7e621a8, osrFrame=0x7fffffffce90, 
    osrPc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, constructing=false, executionMode=js::SequentialExecution, 
    forceRecompile=false) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2156
#12 0x0000000000848a4a in js::jit::CanEnterAtBranch (cx=0x1d93560, script=0x7ffff7e621a8, osrFrame=0x7fffffffce90, 
    pc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>) at /home/jwalden/moz/slots/js/src/jit/Ion.cpp:2225
#13 0x00000000007a3cf8 in js::jit::EnsureCanEnterIon (cx=0x1d93560, stub=0x1e90ae0, frame=0x7fffffffce90, script=0x7ffff7e621a8, 
    pc=0x1e88295 "\343\202QLM\a\377\377\377\356Q", <incomplete sequence \326>, jitcodePtr=0x7fffffffcd98)
    at /home/jwalden/moz/slots/js/src/jit/BaselineIC.cpp:819
#14 0x00000000007313c4 in js::jit::DoWarmUpCounterFallback (cx=0x1d93560, stub=0x1e90ae0, frame=0x7fffffffce90, infoPtr=0x7fffffffce58)
    at /home/jwalden/moz/slots/js/src/jit/BaselineIC.cpp:990

Given IonCompile is the thing that is failing to distinguish a nullptr return as being a reason to disable, and as being an actual error, I think this is the right place to adjust things.  But it's possible I'm mistaken about that, so feel free to complain if you think another place makes sense.
Attachment #8536876 - Flags: review?(jdemooij)
Assignee: nobody → jwalden+bmo
Status: NEW → ASSIGNED
Flags: needinfo?(jwalden+bmo)
Attachment #8536876 - Flags: review?(jdemooij) → review+
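To illustrate the failure mode Waldo describes (a nullptr from the JIT's code allocator read as "disable Ion" even when an OOM has already been reported, so the pending exception survives into ThrowStopIteration), here is an added, hypothetical C++ model. It is not SpiderMonkey code: Context, newCode, ionCompileBuggy, ionCompileFixed and the AllocOutcome/CompileStatus enums are stand-ins invented for this example, and the fixed variant uses an "is an exception pending?" check as one way to draw the distinction.

```cpp
#include <cstddef>

// Minimal stand-in for JSContext: only tracks whether an exception is pending.
struct Context {
    bool exceptionPending = false;
    void reportOutOfMemory() { exceptionPending = true; }   // models js_ReportOutOfMemory
    bool isExceptionPending() const { return exceptionPending; }
};

enum class AllocOutcome { Ok, NoRoomForCode, OutOfMemory };
enum class CompileStatus { Success, Disable, Error };

// Stand-in for the allocator behind Linker::newCode. Both failure kinds
// return nullptr, but only OutOfMemory leaves an exception pending on cx.
static int g_codeBuffer;
static int* newCode(Context& cx, AllocOutcome outcome) {
    if (outcome == AllocOutcome::OutOfMemory) { cx.reportOutOfMemory(); return nullptr; }
    if (outcome == AllocOutcome::NoRoomForCode) return nullptr;
    return &g_codeBuffer;
}

// Before the fix: any nullptr is read as "disable Ion for this script", so a
// reported OOM is silently carried forward as a pending exception.
static CompileStatus ionCompileBuggy(Context& cx, AllocOutcome outcome) {
    return newCode(cx, outcome) ? CompileStatus::Success : CompileStatus::Disable;
}

// After the fix: a nullptr with an exception pending is a real error that must
// propagate to the caller instead of falling back to the interpreter.
static CompileStatus ionCompileFixed(Context& cx, AllocOutcome outcome) {
    if (newCode(cx, outcome)) return CompileStatus::Success;
    return cx.isExceptionPending() ? CompileStatus::Error : CompileStatus::Disable;
}

// Stand-in for the invariant ThrowStopIteration asserts: no exception may be
// pending when the generator finishes. Returns false instead of asserting.
static bool finalSuspendInvariantHolds(const Context& cx) {
    return !cx.isExceptionPending();
}

// Runs compile-then-iterate with one strategy; true if the engine either
// unwound cleanly on Error or reached the generator with the invariant intact.
static bool runScenario(CompileStatus (*compile)(Context&, AllocOutcome), AllocOutcome outcome) {
    Context cx;
    CompileStatus st = compile(cx, outcome);
    if (st == CompileStatus::Error) return true;   // caller unwinds; the OOM is reported
    return finalSuspendInvariantHolds(cx);         // Disable/Success continue into the generator
}
```

With the buggy strategy the OutOfMemory run reaches the generator with an exception still pending, which is the assertion this bug reports; the fixed strategy turns that case into an error and still disables Ion for the no-room case.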
https://hg.mozilla.org/mozilla-central/rev/6a5567c6a8d5
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
var bytes = gcparam("gcBytes");
gcparam("maxBytes", bytes);

for (var c = 0; c < 9; ++c) {
    var gen = (function() {
        for (var a = 0; a < 6; ++a)
            yield;
    })();

    for (d in gen) {}
}

asserts js debug shell on m-c changeset 5288b15d22de with --no-threads --ion-eager at Assertion failure: !JS_IsExceptionPending(cx), at jsiter.cpp.

(I made the testcase in comment 2 into a standalone one, let's see if jsbugmon can do verification)
Whiteboard: [jsbugmon:update,testComment=5,origRev=5288b15d22de]
Looks like no.  I'm not surprised.  As a practical matter, I doubt this is testable.