Closed Bug 1207569 Opened 9 years ago Closed 9 years ago

Assertion failure: OOM_maxAllocations == (4294967295U), at ../../dist/include/js/Utility.h:207

Categories

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64
OS: Linux
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1209911
Tracking Status
firefox44 --- affected

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision 19b4265d0d56 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager):

function fn(i) {
    if (i == 3)
        return ["isFinite"].map(function (module) {});
}
try {
    // Debug-shell helper: make the 50th allocation from this point fail.
    oomAtAllocation(50);
    fn(3);
} catch(e) {}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000005b6bf5 in ~AutoEnterOOMUnsafeRegion (this=<synthetic pointer>, __in_chrg=<optimized out>) at ../../dist/include/js/Utility.h:207
#0  0x00000000005b6bf5 in ~AutoEnterOOMUnsafeRegion (this=<synthetic pointer>, __in_chrg=<optimized out>) at ../../dist/include/js/Utility.h:207
#1  js::LifoAlloc::allocInfallible (this=<optimized out>, n=72) at js/src/ds/LifoAlloc.h:284
#2  0x00000000009c97ba in allocateInfallible (bytes=72, this=0x7ffff330d020) at js/src/jit/JitAllocPolicy.h:40
#3  operator new (alloc=..., nbytes=72) at js/src/jit/JitAllocPolicy.h:149
#4  js::jit::MResumePoint::New (alloc=..., block=0x7ffff33140e0, pc=pc@entry=0x7ffff69ceb67 ":", mode=mode@entry=js::jit::MResumePoint::ResumeAfter) at js/src/jit/MIR.cpp:3135
#5  0x00000000008f33b2 in js::jit::IonBuilder::resume (this=this@entry=0x7ffff330d1a8, ins=ins@entry=0x7ffff3314a88, pc=0x7ffff69ceb67 ":", mode=js::jit::MResumePoint::ResumeAfter) at js/src/jit/IonBuilder.cpp:7518
#6  0x0000000000927caa in resumeAfter (ins=0x7ffff3314a88, this=0x7ffff330d1a8) at js/src/jit/IonBuilder.cpp:7534
#7  js::jit::IonBuilder::makeCall (this=0x7ffff330d1a8, target=<optimized out>, callInfo=...) at js/src/jit/IonBuilder.cpp:6609
#8  0x000000000097006e in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff330d1a8, argc=<optimized out>, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6421
#9  0x0000000000969d2b in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff330d1a8, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1839
#10 0x000000000096ae80 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff330d1a8) at js/src/jit/IonBuilder.cpp:1501
#11 0x000000000096b2c5 in js::jit::IonBuilder::build (this=0x7ffff330d1a8) at js/src/jit/IonBuilder.cpp:900
#12 0x0000000000990bc1 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907000, script=script@entry=0x7ffff7e63300, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2173
#13 0x000000000099150a in js::jit::Compile (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2404
#14 0x00000000009919ab in js::jit::CanEnter (cx=cx@entry=0x7ffff6907000, state=...) at js/src/jit/Ion.cpp:2563
#15 0x00000000006f9a4d in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:685
#16 0x00000000006fa26f in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#17 0x00000000006faddd in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffc108, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#18 0x00000000008c7dfa in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffffc148, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc0f8, res=...) at js/src/jit/BaselineIC.cpp:8900
#19 0x00007ffff7feef9f in ?? ()
#20 0x00007fffffffc0e0 in ?? ()
#21 0x00007fffffffc0b0 in ?? ()
#22 0xfff9000000000000 in ?? ()
#23 0x0000000001b56e60 in js::jit::DoSpreadCallFallbackInfo ()
#24 0x00007ffff7e55b80 in ?? ()
[...]
#63 0x000000000086d7dd in EnterBaseline (cx=0x0, data=...) at js/src/jit/BaselineJIT.cpp:126
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax	0x0	0
rbx	0x7ffff3314b70	140737273482096
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb200	140737488335360
rsp	0x7fffffffb1c0	140737488335296
r8	0x7ffff7fe0780	140737354008448
r9	0x3428203d3d20736e	3758289336431309678
r10	0x7fffffffaf80	140737488334720
r11	0x7ffff6c27960	140737333328224
r12	0x48	72
r13	0x0	0
r14	0x7ffff69ceb00	140737330866944
r15	0x7ffff3321180	140737273532800
rip	0x5b6bf5 <js::LifoAlloc::allocInfallible(unsigned long)+389>
=> 0x5b6bf5 <js::LifoAlloc::allocInfallible(unsigned long)+389>:	movl   $0xcf,0x0
   0x5b6c00 <js::LifoAlloc::allocInfallible(unsigned long)+400>:	callq  0x495fc0 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
This is happening because OOM_maxAllocations can be accessed by multiple threads in a totally non-threadsafe way.  This only affects debug builds.
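The comment above describes an OOM-injection counter that one thread modifies while another thread is inside a region that expects it to stay untouched. The following C++ model, added here as an illustration and not SpiderMonkey's code, reproduces that interleaving deterministically: a "compiler" thread holds an RAII guard that disables injection and checks on exit that the counter is still off, while a "main" thread calls the equivalent of oomAtAllocation(50) in the meantime. With one counter shared by all threads the exit check fires, as in the report; with a per-thread counter it does not. The names (kNoOomInjection, GlobalCounter, ThreadLocalCounter, OOMUnsafeRegion, runScenario), the guard's save/disable/check/restore behaviour, and the thread-local variant as a mitigation are all assumptions reconstructed from the assertion text, not a description of what bug 1209911 actually changed.

```cpp
#include <condition_variable>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>

// Hypothetical model (assumption, not SpiderMonkey's code): the value that means
// "no OOM injection in progress", matching the 4294967295U in the assertion.
constexpr uint32_t kNoOomInjection = 4294967295U;

// Variant 1: a single counter shared by every thread (the situation the comment describes).
struct GlobalCounter {
    static uint32_t& slot() { static uint32_t value = kNoOomInjection; return value; }
};

// Variant 2: one counter per thread, so another thread's injection request cannot
// disturb a region this thread is inside (one possible mitigation; assumption).
struct ThreadLocalCounter {
    static uint32_t& slot() { thread_local uint32_t value = kNoOomInjection; return value; }
};

// Model of the shell's oomAtAllocation(n): arm injection for the n-th allocation.
template <class Counter> void oomAtAllocation(uint32_t n) { Counter::slot() = n; }

// Model of AutoEnterOOMUnsafeRegion: suspend injection while held and, on exit,
// check that nobody re-armed the counter before restoring the saved value.
template <class Counter>
struct OOMUnsafeRegion {
    uint32_t saved;
    bool* tripped;
    explicit OOMUnsafeRegion(bool* flag) : saved(Counter::slot()), tripped(flag) {
        Counter::slot() = kNoOomInjection;
    }
    ~OOMUnsafeRegion() {
        if (Counter::slot() != kNoOomInjection)  // the report's assertion, recorded instead of aborting
            *tripped = true;
        Counter::slot() = saved;
    }
};

// Force the interleaving from the report: the "compiler" thread is inside the
// unsafe region when the "main" thread arms injection. Returns true if the
// region's exit check fired.
template <class Counter>
bool runScenario() {
    std::mutex m;
    std::condition_variable cv;
    bool inRegion = false, injected = false, tripped = false;

    std::thread compiler([&] {
        OOMUnsafeRegion<Counter> region(&tripped);
        {
            std::unique_lock<std::mutex> lock(m);
            inRegion = true;
            cv.notify_all();
            cv.wait(lock, [&] { return injected; });
        }
        // region's destructor runs here, after the other thread's oomAtAllocation
    });

    std::thread mainThread([&] {
        std::unique_lock<std::mutex> lock(m);
        cv.wait(lock, [&] { return inRegion; });
        oomAtAllocation<Counter>(50);  // same request as the testcase's oomAtAllocation(50)
        injected = true;
        cv.notify_all();
    });

    compiler.join();
    mainThread.join();
    return tripped;
}

bool sharedCounterTrips() { return runScenario<GlobalCounter>(); }
bool threadLocalCounterTrips() { return runScenario<ThreadLocalCounter>(); }

int main() {
    std::printf("shared counter trips the exit check: %s\n", sharedCounterTrips() ? "yes" : "no");
    std::printf("thread-local counter trips the exit check: %s\n", threadLocalCounterTrips() ? "yes" : "no");
    return 0;
}
```

The condition variable only fixes the order of events so the outcome is repeatable; in the real engine the same interleaving happens by timing, which is why the bug was hard to reproduce automatically. The exit check is a detection mechanism for exactly this kind of cross-thread interference, and it only exists in debug builds, which matches the comment's note that release builds are unaffected.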
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Assignee: nobody → jcoppeard
Depends on: 1209911
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1209911