Bug 1188347 (Closed)
Assertion failure: !hasUncompiledScript(), at js/src/shell/../jsfun.h:377 with OOM
Opened 9 years ago; closed 9 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED; target milestone mozilla44
People: Reporter: decoder, Assigned: till
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attachments (1 file): patch, 3.85 KB, jandem: review+
The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

    function oomTest(f) {
      var i = 1;
      do {
        try {
          oomAtAllocation(i);
          f();
        } catch (e) {}
        more = resetOOMFailure();
      } while(more);
    }
    oomTest(__defineGetter__);

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
    #0  0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
    #1  0x0000000000493c80 in nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
    #2  JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/shell/../jsfun.h:340
    #3  0x00000000006bc14a in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:723
    #4  0x00000000006ae262 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2972
    #5  0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:661
    #6  0x00000000006c6836 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
    #7  0x00000000006c8b23 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:936
    #8  0x0000000000ac6e26 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4334
    #9  0x0000000000ac6f9b in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4365
    #10 0x00000000004284fd in RunFile (compileOnly=false, file=0x7ffff6998c00, filename=0x7fffffffe09d "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:458
    #11 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe09d "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
    #12 0x0000000000477718 in ProcessArgs (op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:5771
    #13 Shell (envp=<optimized out>, op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:6040
    #14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6384
    rax 0x0 0
    rbx 0x7ffff693c000 140737330266112
    rcx 0x7ffff6ca53cd 140737333842893
    rdx 0x0 0
    rsi 0x7ffff6f7a9d0 140737336814032
    rdi 0x7ffff6f791c0 140737336807872
    rbp 0x7fffffffcc70 140737488342128
    rsp 0x7fffffffcc70 140737488342128
    r8  0x7ffff7fe0780 140737354008448
    r9  0x6372732f736a2f6c 7165916604736876396
    r10 0x7fffffffca30 140737488341552
    r11 0x7ffff6c27960 140737333328224
    r12 0x0 0
    r13 0x1 1
    r14 0x7ffff6907000 140737330049024
    r15 0x0 0
    rip 0x427298 <JSFunction::nonLazyScript() const+28>
    => 0x427298 <JSFunction::nonLazyScript() const+28>: movl $0x179,0x0
       0x4272a3 <JSFunction::nonLazyScript() const+39>: callq 0x498fe0 <abort()>
Comment 1 • 9 years ago (Reporter)
Fixing this is required to file more OOM bugs that reduce down to this one. Marking fuzzblocker and asking Hannes for directions.
Flags: needinfo?(hv1989)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Comment 2 • 9 years ago
I haven't been able to dig into it fully. But it seems related to selfhosting, I think. The function is a function where we mark it as SELF_HOSTED. But we never add the script to it. Could it be it failed compiling? But we don't catch it? Could you take a look, Till?
Flags: needinfo?(hv1989) → needinfo?(till)
Comment 3 • 9 years ago (Assignee)
Investigating. The following reproduces without any special command-line args:

    oomAtAllocation(1);
    try { __defineGetter__(); } catch (e) {}
    __defineGetter__();
Comment 4 • 9 years ago (Assignee)
There were a few issues with properly resetting state on OOM during script cloning. This patch fixes those and cleans up some assertions.
Attachment #8664209 - Flags: review?(jdemooij)
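Added here as an illustration, not code from this bug's patch or from SpiderMonkey: a simplified C++ model of the state-reset problem comments 2 and 4 describe, a function whose "script still needs cloning in" flag is cleared before the allocation that can fail, beside a version that changes state only after the clone has succeeded. Every name (Function, lazy, allocScript, cloneScriptIntoBroken/Fixed, secondCallSurvives) is invented; the failure injection mirrors the oomAtAllocation(1) reproducer in comment 3.

```cpp
// Added model of this bug's failure mode (invented names, not SpiderMonkey code).
#include <memory>
#include <string>
#include <utility>
struct Script { std::string source; };

// Simulated oomAtAllocation(n): after arming, the n-th allocation fails,
// later ones succeed.
static int g_allocsUntilOOM = 0;
static std::unique_ptr<Script> allocScript(const std::string& src) {
    if (g_allocsUntilOOM > 0 && --g_allocsUntilOOM == 0) return nullptr;
    return std::unique_ptr<Script>(new Script{src});
}

struct Function {
    bool lazy = true;                // script still has to be cloned in
    std::unique_ptr<Script> script;  // null until cloning succeeds
    // The invariant nonLazyScript() asserts: a non-lazy function has a script.
    bool hasUncompiledScript() const { return !lazy && !script; }
};
using CloneFn = bool (*)(Function&, const std::string&);

// Broken: the lazy flag is cleared before the fallible allocation and never
// restored, so an OOM leaves a non-lazy function with no script behind it.
static bool cloneScriptIntoBroken(Function& fn, const std::string& src) {
    fn.lazy = false;
    fn.script = allocScript(src);
    return fn.script != nullptr;
}

// Fixed: allocate first and change state only once the script exists, so a
// failed clone leaves the function exactly as it found it.
static bool cloneScriptIntoFixed(Function& fn, const std::string& src) {
    std::unique_ptr<Script> script = allocScript(src);
    if (!script) return false;
    fn.script = std::move(script);
    fn.lazy = false;
    return true;
}

// Stand-in for getOrCreateScript: false where the engine would report OOM or,
// on the reproducer's second call, trip the !hasUncompiledScript() assertion.
static bool getOrCreateScript(Function& fn, CloneFn clone) {
    if (fn.lazy) return clone(fn, "self-hosted source");
    return !fn.hasUncompiledScript();
}

// Replays comment 3: oomAtAllocation(1), a first call whose OOM the try/catch
// swallows, then a second call that must still find a consistent function.
static bool secondCallSurvives(CloneFn clone) {
    Function fn;
    g_allocsUntilOOM = 1;
    (void)getOrCreateScript(fn, clone);
    return getOrCreateScript(fn, clone);
}
```

With the broken routine the second call finds a non-lazy function without a script, which is exactly the state the backtrace's assertion rejects; the fixed routine leaves the function lazy after the failed attempt, so the retry simply clones again.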
Updated • 9 years ago (Assignee)
Assignee: nobody → till
Status: NEW → ASSIGNED
Comment 5 • 9 years ago
Comment on attachment 8664209 [details] [diff] [review]
Properly handle OOM during script cloning

Review of attachment 8664209 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.

::: js/src/jit-test/tests/SIMD/unbox.js
@@ +1,1 @@
> +

Nit: revert the changes to this test.
Attachment #8664209 - Flags: review?(jdemooij) → review+
Comment 6 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/9020444fc6ea1ae4b0e04ac87107e588d11da639 Bug 1188347 - Properly handle OOM during script cloning. r=jandem
Comment 7 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/ea11bf35e6005225cfdceffc1b7438bc2ee616d8 Bug 1188347 - Part 2: Fix bustage. r=jandem
Comment 8 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/753791138b8eedaf90abf046a2b138e0aa37a386 Bug 1188347 - Part 3: Only run test relying on debug builds in debug builds. r=bustage
Comment 9 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a7d755389226c95e9e53fabda254ba6586ee5dc Bug 1188347 - Part 4: Root LazyScript* in CloneScriptIntoFunction. r=bustage
https://hg.mozilla.org/mozilla-central/rev/9020444fc6ea
https://hg.mozilla.org/mozilla-central/rev/ea11bf35e600
https://hg.mozilla.org/mozilla-central/rev/753791138b8e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Missed the fourth part, which left hazard builds busted. Got it now: https://hg.mozilla.org/mozilla-central/rev/f1dffc8682fb
Updated • 9 years ago (Assignee)
Flags: needinfo?(till)