Bug 1188347 - Assertion failure: !hasUncompiledScript(), at js/src/shell/../jsfun.h:377 with OOM
Status: Closed, RESOLVED FIXED (opened 10 years ago, closed 9 years ago)
Category: Core :: JavaScript Engine, defect
Target milestone: mozilla44
Reporter: decoder; Assignee: till
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attachments (1 file): patch, 3.85 KB, jandem: review+
Description (Reporter, 10 years ago):
The following testcase crashes on mozilla-central revision d3228c82badd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

    // Shell-only OOM sweep: make the i-th allocation fail, call f, then
    // repeat with a larger i until resetOOMFailure() reports that the
    // injected failure was never reached.
    function oomTest(f) {
        var i = 1;
        do {
            try {
                oomAtAllocation(i);    // the i-th allocation (and later ones) fail until reset
                f();
            } catch (e) {}            // swallow the resulting OOM exception
            more = resetOOMFailure(); // true if the injected failure actually fired
        } while(more);
    }
    oomTest(__defineGetter__);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#0 0x0000000000427298 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#1 0x0000000000493c80 in nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:377
#2 JSFunction::getOrCreateScript (this=<optimized out>, cx=<optimized out>) at js/src/shell/../jsfun.h:340
#3 0x00000000006bc14a in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:723
#4 0x00000000006ae262 in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2972
#5 0x00000000006bbb23 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:661
#6 0x00000000006c6836 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:902
#7 0x00000000006c8b23 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:936
#8 0x0000000000ac6e26 in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4334
#9 0x0000000000ac6f9b in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4365
#10 0x00000000004284fd in RunFile (compileOnly=false, file=0x7ffff6998c00, filename=0x7fffffffe09d "min.js", cx=0x7ffff6907000) at js/src/shell/js.cpp:458
#11 Process (cx=cx@entry=0x7ffff6907000, filename=0x7fffffffe09d "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:576
#12 0x0000000000477718 in ProcessArgs (op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:5771
#13 Shell (envp=<optimized out>, op=0x7fffffffdb10, cx=0x7ffff6907000) at js/src/shell/js.cpp:6040
#14 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6384
rax 0x0 0
rbx 0x7ffff693c000 140737330266112
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffcc70 140737488342128
rsp 0x7fffffffcc70 140737488342128
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffca30 140737488341552
r11 0x7ffff6c27960 140737333328224
r12 0x0 0
r13 0x1 1
r14 0x7ffff6907000 140737330049024
r15 0x0 0
rip 0x427298 <JSFunction::nonLazyScript() const+28>
=> 0x427298 <JSFunction::nonLazyScript() const+28>: movl $0x179,0x0
0x4272a3 <JSFunction::nonLazyScript() const+39>: callq 0x498fe0 <abort()>
Comment 1 (Reporter, 9 years ago):
Fixing this is required to file more OOM bugs that reduce down to this one. Marking fuzzblocker and asking Hannes for directions.
Flags: needinfo?(hv1989)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Comment 2 (9 years ago):
I haven't been able to dig into it fully. But it seems related to selfhosting, I think.
The function is a function where we mark it as SELF_HOSTED. But we never add the script to it.
Could it be it failed compiling? But we don't catch it?
Could you take a look till?
Flags: needinfo?(hv1989) → needinfo?(till)
Comment 3 (Assignee, 9 years ago):
Investigating. The following reproduces without any special command line args:
    oomAtAllocation(1);    // make the very first allocation fail
    try {
      __defineGetter__();  // first call: cloning the self-hosted script hits the OOM
    } catch (e) {}
    __defineGetter__();    // second call: function is no longer lazy, but has no script
Comment 4 (Assignee, 9 years ago):
There were a few issues with properly resetting state on OOM during script cloning. This patch fixes those and cleans up some assertions.
Attachment #8664209 - Flags: review?(jdemooij)
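As an added illustration (not SpiderMonkey's code and not part of this bug report), the following C++ model replays comment 3's reduced testcase and comment 0's oomTest() sweep against a toy function object whose script is cloned lazily on first call. It shows the failure mode comment 2 describes, a function left non-lazy but without a script after an OOM in the middle of the clone, and the invariant comment 4's patch restores (a failed clone must leave the function's state as it was). Here that invariant is enforced by allocating before committing the state change; the real patch's own reset logic is not reproduced. All names (Function, Script, tryNew, cloneScriptInto*, callFunction) and the allocator model are assumptions made for the example.

```cpp
// Added illustration, not SpiderMonkey code: a toy model of lazily
// materialising a function's script on first call. All names here are invented.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>

// Simulated allocation fault injector, modelled on the shell's
// oomAtAllocation(n) / resetOOMFailure(): once armed, the n-th allocation
// and every later one fail until reset; reset reports whether any failed.
static int  g_failAt = 0;        // 0 = disarmed
static int  g_allocCount = 0;
static bool g_triggered = false;

void oomAtAllocation(int n) { g_failAt = n; g_allocCount = 0; g_triggered = false; }
bool resetOOMFailure() {
    bool hit = g_triggered;
    g_failAt = 0; g_allocCount = 0; g_triggered = false;
    return hit;
}

template <class T, class... Args>
T* tryNew(Args&&... args) {
    if (g_failAt > 0 && ++g_allocCount >= g_failAt) { g_triggered = true; return nullptr; }
    return new T(std::forward<Args>(args)...);
}

struct Script {
    std::string source;
    explicit Script(std::string s) : source(std::move(s)) {}
};

struct Function {
    enum Flags : uint8_t { LAZY = 1, SELF_HOSTED = 2 };
    uint8_t flags = LAZY | SELF_HOSTED;
    const std::string* lazySource = nullptr;  // where the script is cloned from
    std::unique_ptr<Script> script;            // materialised on first call
    bool hasUncompiledScript() const { return (flags & LAZY) != 0; }
};

// Broken ordering: the "has a script now" state change happens before the
// allocation that can fail, so an OOM leaves LAZY cleared and script null.
bool cloneScriptIntoFunctionBuggy(Function& fn) {
    fn.flags = uint8_t(fn.flags & ~Function::LAZY);
    Script* s = tryNew<Script>(*fn.lazySource);
    if (!s) return false;                     // OOM: state already committed
    fn.script.reset(s);
    return true;
}

// Correct ordering: allocate first, commit the state change only on success,
// so a failed attempt leaves the function exactly as it was (still LAZY).
bool cloneScriptIntoFunctionFixed(Function& fn) {
    Script* s = tryNew<Script>(*fn.lazySource);
    if (!s) return false;                     // nothing was touched
    fn.script.reset(s);
    fn.flags = uint8_t(fn.flags & ~Function::LAZY);
    return true;
}

enum class CallResult { Ok, Oom, BrokenState };

// Models getOrCreateScript() followed by nonLazyScript(): a non-lazy function
// must have a script. BrokenState stands in for the debug assertion that
// fires when it does not (a release build would likely dereference null).
CallResult callFunction(Function& fn, bool (*clone)(Function&)) {
    if (fn.hasUncompiledScript() && !clone(fn)) return CallResult::Oom;
    if (!fn.script) return CallResult::BrokenState;
    return CallResult::Ok;
}

static const std::string kSource = "function () { /* constructed sample body */ }";

// Replays comment 3's reduced testcase: OOM on the first allocation, call
// (fails), reset, call again. Returns the two call results in order.
std::pair<CallResult, CallResult> replayReducedTestcase(bool (*clone)(Function&)) {
    Function fn;
    fn.lazySource = &kSource;
    oomAtAllocation(1);
    CallResult first = callFunction(fn, clone);
    resetOOMFailure();
    CallResult second = callFunction(fn, clone);
    return {first, second};
}

// Generalises comment 0's oomTest() sweep: fail allocation 1, 2, 3, ... on the
// same function object until an iteration never reaches the injected failure.
// Returns true if any iteration observed the broken state.
bool oomSweepFindsBrokenState(bool (*clone)(Function&)) {
    Function fn;
    fn.lazySource = &kSource;
    for (int i = 1; ; ++i) {
        oomAtAllocation(i);
        CallResult r = callFunction(fn, clone);
        bool more = resetOOMFailure();
        if (r == CallResult::BrokenState) return true;
        if (!more) return false;
    }
}
```

With the buggy routine the sweep trips on its second iteration, exactly as the shell testcase does: iteration 1 hits the injected OOM during the clone, and iteration 2 calls a function that claims to be compiled but owns no script. With the fixed routine every iteration either fails cleanly or succeeds, and the sweep ends once an allocation count is reached that the clone never needs.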
Updated (Assignee, 9 years ago):
Assignee: nobody → till
Status: NEW → ASSIGNED
Comment 5 (9 years ago):
Comment on attachment 8664209 [details] [diff] [review]
Properly handle OOM during script cloning
Review of attachment 8664209 [details] [diff] [review]:
-----------------------------------------------------------------
Good find.
::: js/src/jit-test/tests/SIMD/unbox.js
@@ +1,1 @@
> +
Nit: revert the changes to this test.
Attachment #8664209 - Flags: review?(jdemooij) → review+
Comment 6 (Assignee, 9 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/9020444fc6ea1ae4b0e04ac87107e588d11da639
Bug 1188347 - Properly handle OOM during script cloning. r=jandem
Comment 7 (Assignee, 9 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/ea11bf35e6005225cfdceffc1b7438bc2ee616d8
Bug 1188347 - Part 2: Fix bustage. r=jandem
Comment 8 (Assignee, 9 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/753791138b8eedaf90abf046a2b138e0aa37a386
Bug 1188347 - Part 3: Only run test relying on debug builds in debug builds. r=bustage
Comment 9 (Assignee, 9 years ago):
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a7d755389226c95e9e53fabda254ba6586ee5dc
Bug 1188347 - Part 4: Root LazyScript* in CloneScriptIntoFunction. r=bustage
https://hg.mozilla.org/mozilla-central/rev/9020444fc6ea
https://hg.mozilla.org/mozilla-central/rev/ea11bf35e600
https://hg.mozilla.org/mozilla-central/rev/753791138b8e
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Missed the fourth part, which left hazard builds busted. Got it now:
https://hg.mozilla.org/mozilla-central/rev/f1dffc8682fb
Comment 13 (9 years ago):
Updated (Assignee, 9 years ago):
Flags: needinfo?(till)