Closed Bug 1188347 Opened 9 years ago Closed 9 years ago

Assertion failure: !hasUncompiledScript(), at js/src/shell/../jsfun.h:377 with OOM

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox42 --- affected
firefox44 --- fixed

People

(Reporter: decoder, Assigned: till)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

// Shell-only helpers: oomAtAllocation(i) schedules the i-th subsequent
// allocation to fail; resetOOMFailure() cancels that schedule and returns
// whether the failure was actually hit. This reduced loop never advances i,
// so every iteration fails the first allocation made while f() runs.
function oomTest(f) {
    var i = 1;
    var more;
    do {
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {}
        more = resetOOMFailure();
    } while(more);
}
oomTest(__defineGetter__);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#0  0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#1  0x0000000000493c80 in nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#2  JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/shell/../jsfun.h:340
#3  0x00000000006bc14a in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:723
#4  0x00000000006ae262 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2972
#5  0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:661
#6  0x00000000006c6836 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#7  0x00000000006c8b23 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:936
#8  0x0000000000ac6e26 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4334
#9  0x0000000000ac6f9b in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4365
#10 0x00000000004284fd in RunFile (compileOnly=false, file=0x7ffff6998c00, filename=0x7fffffffe09d "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:458
#11 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe09d "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#12 0x0000000000477718 in ProcessArgs (op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:5771
#13 Shell (envp=<optimized out>, op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:6040
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6384
rax	0x0	0
rbx	0x7ffff693c000	140737330266112
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffcc70	140737488342128
rsp	0x7fffffffcc70	140737488342128
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffca30	140737488341552
r11	0x7ffff6c27960	140737333328224
r12	0x0	0
r13	0x1	1
r14	0x7ffff6907000	140737330049024
r15	0x0	0
rip	0x427298 <JSFunction::nonLazyScript() const+28>
=> 0x427298 <JSFunction::nonLazyScript() const+28>:	movl   $0x179,0x0
   0x4272a3 <JSFunction::nonLazyScript() const+39>:	callq  0x498fe0 <abort()>
Fixing this is required to file more OOM bugs that reduce down to this one. Marking fuzzblocker and asking Hannes for directions.
Flags: needinfo?(hv1989)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
I haven't been able to dig into it fully. But it seems related to selfhosting, I think.
The function is a function where we mark it as SELF_HOSTED. But we never add the script to it.
Could it be it failed compiling? But we don't catch it?
Could you take a look till?
Flags: needinfo?(hv1989) → needinfo?(till)
Investigating. The following reproduces without any special command line args:

oomAtAllocation(1);      // the very next allocation fails
try {
    __defineGetter__();  // first call: cloning the self-hosted script hits the OOM
} catch (e) {}
__defineGetter__();      // second call: hits the assertion from the report

There were a few issues with properly resetting state on OOM during script cloning. This patch fixes those and cleans up some assertions.
Attachment #8664209 - Flags: review?(jdemooij)
Assignee: nobody → till
Status: NEW → ASSIGNED
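The state-reset problem till describes, as an added C++ model. This is not SpiderMonkey code and not the attached patch: the names (OomInjector, LazyFunction, cloneScript), the two-allocation clone and the commit-state-last fix are my illustration of the pattern, chosen to reproduce the same observable sequence as the reduced testcase: one call that fails with an injected OOM, then a second call that trips the !hasUncompiledScript() assertion.

```cpp
// Added illustration, not SpiderMonkey code. Models a function whose script
// is cloned lazily on first call, and what happens when the clone hits an
// allocation failure partway through. All names here are invented.
#include <cstddef>
#include <stdexcept>

// Stand-in for the shell's oomAtAllocation(N)/resetOOMFailure(): the N-th
// allocation attempt fails, all others succeed.
struct OomInjector {
    std::size_t failAt = 0;  // 0 means never fail
    std::size_t count = 0;
    bool tryAlloc() {
        ++count;
        return failAt == 0 || count != failAt;
    }
    void reset() { failAt = 0; count = 0; }
};

struct Script { int bytecodeLen; };

// Cloning a script needs more than one allocation (assumed: two here); the
// first failure aborts the clone and reports nullptr, like an engine OOM path.
static Script* cloneScript(OomInjector& oom) {
    if (!oom.tryAlloc()) return nullptr;  // the script object itself
    if (!oom.tryAlloc()) return nullptr;  // its bytecode/data
    return new Script{42};
}

class LazyFunction {
public:
    explicit LazyFunction(bool buggy) : buggy_(buggy) {}
    ~LazyFunction() { delete script_; }

    // Analogue of JSFunction::hasUncompiledScript(): the function is flagged
    // as having a compiled script but the script pointer was never set.
    bool hasUncompiledScript() const { return !isLazy_ && script_ == nullptr; }

    // Analogue of nonLazyScript(), with the assertion from the report's
    // jsfun.h:377 turned into an exception so a test can observe it.
    Script* nonLazyScript() const {
        if (hasUncompiledScript())
            throw std::logic_error("Assertion failure: !hasUncompiledScript()");
        return script_;
    }

    // Analogue of getOrCreateScript(): nullptr means OOM, the caller bails out.
    Script* getOrCreateScript(OomInjector& oom) {
        if (!isLazy_)
            return nonLazyScript();
        if (buggy_) {
            // Bug pattern: the "no longer lazy" state is committed before the
            // clone is known to have succeeded. After an OOM the function is
            // left non-lazy with script_ == nullptr, so the next call asserts.
            isLazy_ = false;
            script_ = cloneScript(oom);
            return script_;
        }
        // Fixed pattern: do all fallible work first, commit state last. On
        // OOM nothing changes, so a later call simply clones again.
        Script* s = cloneScript(oom);
        if (!s)
            return nullptr;
        script_ = s;
        isLazy_ = false;
        return s;
    }

private:
    bool buggy_;
    bool isLazy_ = true;
    Script* script_ = nullptr;
};

// Replays the reduced testcase from comment 3: the first call runs with an
// OOM injected at allocation 1 and reports failure by returning nullptr (the
// engine would throw into the testcase's try/catch instead); the second call
// runs with no OOM. Returns true when the second call yields a usable
// script, throws std::logic_error when the assertion analogue fires.
static bool replayTestcase(bool buggy) {
    OomInjector oom;
    LazyFunction fn(buggy);
    oom.failAt = 1;
    (void)fn.getOrCreateScript(oom);  // fails, returns nullptr
    oom.reset();
    Script* s = fn.getOrCreateScript(oom);
    return s != nullptr && s->bytecodeLen == 42;
}

// true if the buggy variant reproduces the reported assertion failure.
static bool buggyVariantAsserts() {
    try {
        replayTestcase(true);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}
```

Two things worth noting against the backtrace above. The faulting instruction `movl $0x179,0x0` is the assertion's deliberate crash (0x179 is 377, the jsfun.h line in the trace), not a stray null dereference. In a build where that assertion compiles out, nonLazyScript() would instead hand the null script back to js::Invoke (frame #3), which is why fixing the state reset, rather than just the assertion, is the right repair.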
Comment on attachment 8664209 [details] [diff] [review]
Properly handle OOM during script cloning

Review of attachment 8664209 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.

::: js/src/jit-test/tests/SIMD/unbox.js
@@ +1,1 @@
> +
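Review bot: the hunk at @@ +1,1 @@ adds only an empty line at the top of js/src/jit-test/tests/SIMD/unbox.js, a file unrelated to the OOM script-cloning fix; a whitespace-only change in an unrelated test should be dropped from the patch so the file's history stays attributable to the bug that motivated it.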

Nit: revert the changes to this test.
Attachment #8664209 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/753791138b8eedaf90abf046a2b138e0aa37a386
Bug 1188347 - Part 3: Only run test relying on debug builds in debug builds. r=bustage
Flags: needinfo?(till)