Closed Bug 1191756 Opened 9 years ago Closed 9 years ago

Crash [@ js::jit::IonBuilder::replaceTypeSet] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox42 --- affected
firefox43 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(2 files)

type.patch
1.42 KB, patch
jonco
: review+
Details | Diff | Splinter Review
improvetests.patch
2.10 KB, patch
bbouvier
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision f3b757156f69 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager):

var lfcode = new Array();
lfcode.push = loadFile;
setJitCompilerOption("ion.warmup.trigger", 20);
lfcode.push(`
function heavyFn1(i) { 
    if (i == 3)
      return [ "isFinite"].map(function (i) {});
    return [];
}
    for (var i = 0; oomAfterAllocations(50); i++)
      heavyFn1(i);
`);
function loadFile(lfVarx) {
    var lfGlobal = newGlobal();
    lfGlobal.offThreadCompileScript(lfVarx);
    lfGlobal.runOffThreadScript();
}



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::jit::IonBuilder::replaceTypeSet (this=0x7fffffffa090, subject=0x7ffff33302a0, type=0x0, test=0x7ffff3330b70) at js/src/jit/IonBuilder.cpp:3420
#0  js::jit::IonBuilder::replaceTypeSet (this=0x7fffffffa090, subject=0x7ffff33302a0, type=0x0, test=0x7ffff3330b70) at js/src/jit/IonBuilder.cpp:3420
#1  0x000000000094f426 in js::jit::IonBuilder::improveTypesAtTest (this=this@entry=0x7fffffffa090, ins=0x7ffff33302a0, trueBranch=trueBranch@entry=false, test=test@entry=0x7ffff3330b70) at js/src/jit/IonBuilder.cpp:3841
#2  0x000000000094f35f in js::jit::IonBuilder::improveTypesAtTest (this=this@entry=0x7fffffffa090, ins=0x7ffff3330348, trueBranch=<optimized out>, test=test@entry=0x7ffff3330b70) at js/src/jit/IonBuilder.cpp:3721
#3  0x0000000000976ea4 in js::jit::IonBuilder::jsop_ifeq (this=0x7fffffffa090, op=op@entry=JSOP_IFEQ) at js/src/jit/IonBuilder.cpp:4311
#4  0x0000000000994b06 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7fffffffa090, op=op@entry=JSOP_IFEQ) at js/src/jit/IonBuilder.cpp:1635
#5  0x0000000000995940 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7fffffffa090) at js/src/jit/IonBuilder.cpp:1506
#6  0x0000000000995d85 in js::jit::IonBuilder::build (this=0x7fffffffa090) at js/src/jit/IonBuilder.cpp:905
#7  0x0000000000997dc8 in js::jit::AnalyzeArgumentsUsage (cx=cx@entry=0x7ffff6907000, scriptArg=<optimized out>) at js/src/jit/IonAnalysis.cpp:3537
#8  0x00000000006ba862 in ensureHasAnalyzedArgsUsage (cx=0x7ffff6907000, this=<optimized out>) at js/src/jsscriptinlines.h:156
#9  Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3365
#10 0x00000000006bf073 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:752
#11 0x00000000006bfa94 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:829
#12 0x00000000006b1eaa in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3073
#13 0x00000000006bf073 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:752
#14 0x00000000006c9966 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fffffffbd88) at js/src/vm/Interpreter.cpp:993
#15 0x00000000006cbb63 in js::Execute (cx=cx@entry=0x7ffff6907000, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fffffffbd88) at js/src/vm/Interpreter.cpp:1027
#16 0x0000000000ad3ebb in ExecuteScript (cx=cx@entry=0x7ffff6907000, scope=..., script=..., rval=0x7fffffffbd88) at js/src/jsapi.cpp:4374
#17 0x0000000000ad3faf in JS_ExecuteScript (cx=cx@entry=0x7ffff6907000, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4399
#18 0x0000000000480261 in runOffThreadScript (cx=0x7ffff6907000, argc=<optimized out>, vp=0x7fffffffbd88) at js/src/shell/js.cpp:3352
#19 0x00000000006cf7f2 in js::CallJSNative (cx=0x7ffff6907000, native=0x480150 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#20 0x00000000006bf982 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:811
#21 0x00000000006c13f9 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff32050a8, rval=...) at js/src/vm/Interpreter.cpp:866
#22 0x0000000000bf1a64 in js::DirectProxyHandler::call (this=this@entry=0x1b38ca0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#23 0x0000000000bf6382 in js::CrossCompartmentWrapper::call (this=0x1b38ca0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#24 0x0000000000bef5c2 in js::Proxy::call (cx=cx@entry=0x7ffff6907000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#25 0x0000000000bef67e in js::proxy_Call (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:697
#26 0x00000000006cf7f2 in js::CallJSNative (cx=0x7ffff6907000, native=0xbef5e0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#27 0x00000000006bfc1b in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:799
#28 0x00000000006b1eaa in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3073
#29 0x00000000006bf073 in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:752
#30 0x00000000006bfa94 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:829
#31 0x00000000006c13f9 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffcee8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:866
#32 0x00000000008eabda in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffcf28, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffced8, res=...) at js/src/jit/BaselineIC.cpp:10054
#33 0x00007ffff7feebdf in ?? ()
[...]
#58 0x00007ffff7e5e060 in ?? ()
#59 0x000000000080c0bf in js::Activation::Activation (this=0xfffc7ffff7e76d80, cx=0x8, kind=(unknown: 1028)) at js/src/vm/Stack-inl.h:895
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax	0x0	0
rbx	0x7ffff33302a0	140737273594528
rcx	0x7ffff3330b70	140737273596784
rdx	0x0	0
rsi	0x7ffff33302a0	140737273594528
rdi	0x7fffffffa090	140737488330896
rbp	0x7fffffff9a90	140737488329360
rsp	0x7fffffff9a20	140737488329248
r8	0x1	1
r9	0xb470	46192
r10	0x7ffff6926d80	140737330179456
r11	0x8	8
r12	0x7fffffffa090	140737488330896
r13	0x7fffffff9ac0	140737488329408
r14	0x7ffff3330b70	140737273596784
r15	0x7ffff332c150	140737273577808
rip	0x939ab1 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>
=> 0x939ab1 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+17>:	mov    (%rdx),%eax
   0x939ab3 <js::jit::IonBuilder::replaceTypeSet(js::jit::MDefinition*, js::TemporaryTypeSet*, js::jit::MTest*)+19>:	mov    %rdx,-0x58(%rbp)
Attached patch type.patchSplinter Review 
Another OOM, easy to fix. I couldn't have the test testing anything without using allow-uncatchable-oom and oomAfterAllocations, that is having it triggering the assertion without the patch and having it triggered with oomTest().
Attachment #8646445 - Flags: review?(jcoppeard)
Attachment #8646445 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/a837c35902be
Assignee: nobody → benj
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
r=jonco on irc. It just changes the two tests so that they don't exit with the error code 3 all the time.
Attachment #8647557 - Flags: review+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: