Closed Bug 1209585 Opened 9 years ago Closed 9 years ago

Assertion failure: baselineCallReturnAddrs_[constructing] == nullptr, at js/src/jit/JitCompartment.h:418

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 79a5b2968d01 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-offthread-compile=off):

eval("g=function() {}")
var lfGlobal = newGlobal();
for (lfLocal in this) {
    if (!(lfLocal in lfGlobal)) {
        lfGlobal[lfLocal] = this[lfLocal];
    }
}
lfGlobal.offThreadCompileScript(`
if (!("oomAtAllocation" in this && "resetOOMFailure" in this))
    gczeal(0);
function oomTest(f) {
    var i = 1;
    do {
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {
            more = resetOOMFailure();
        }
        i++;
    } while(more);
}
var g = newGlobal();
oomTest(function() { new revocable(); });
`);
lfGlobal.runOffThreadScript();
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000873a57 in initBaselineCallReturnAddr (constructing=true, addr=0x7ffff7fde85e, this=<optimized out>) at js/src/jit/JitCompartment.h:418
#0  0x0000000000873a57 in initBaselineCallReturnAddr (constructing=true, addr=0x7ffff7fde85e, this=<optimized out>) at js/src/jit/JitCompartment.h:418
#1  js::jit::ICCall_Fallback::Compiler::postGenerateStubCode (this=<optimized out>, masm=..., code=...) at js/src/jit/BaselineIC.cpp:9414
#2  0x0000000000a937fe in js::jit::ICStubCompiler::getStubCode (this=this@entry=0x7fffffff9050) at js/src/jit/SharedIC.cpp:723
#3  0x000000000089f472 in getStub (space=0x7fffffff9fa8, this=0x7fffffff9050) at js/src/jit/BaselineIC.h:3961
#4  js::jit::BaselineCompiler::emitCall (this=this@entry=0x7fffffff9540) at js/src/jit/BaselineCompiler.cpp:2856
#5  0x00000000008be51d in emit_JSOP_NEW (this=0x7fffffff9540) at js/src/jit/BaselineCompiler.cpp:2895
#6  js::jit::BaselineCompiler::emitBody (this=this@entry=0x7fffffff9540) at js/src/jit/BaselineCompiler.cpp:999
#7  0x00000000008d07e9 in js::jit::BaselineCompiler::compile (this=this@entry=0x7fffffff9540) at js/src/jit/BaselineCompiler.cpp:111
#8  0x00000000008d1b6d in js::jit::BaselineCompile (cx=cx@entry=0x7ffff6907400, script=0x7ffff7e854a0, forceDebugInstrumentation=<optimized out>) at js/src/jit/BaselineJIT.cpp:264
#9  0x00000000008d22d9 in CanEnterBaselineJIT (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., osrFrame=osrFrame@entry=0x0) at js/src/jit/BaselineJIT.cpp:303
#10 0x00000000008d2567 in js::jit::CanEnterBaselineMethod (cx=cx@entry=0x7ffff6907400, state=...) at js/src/jit/BaselineJIT.cpp:371
#11 0x00000000006fcfeb in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:695
#12 0x00000000006fd7ef in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#13 0x00000000006fe35d in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffabb8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:823
#14 0x00000000008cf7cb in js::jit::DoCallFallback (cx=0x7ffff6907400, frame=0x7fffffffabf8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffaba8, res=...) at js/src/jit/BaselineIC.cpp:8904
#15 0x00007ffff7feef9f in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6907400	140737330050048
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff8560	140737488323936
rsp	0x7fffffff8530	140737488323888
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff82f0	140737488323312
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff7fde85e	140737354000478
r13	0x1	1
r14	0x7ffff6922940	140737330161984
r15	0x7ffff699ce88	140737330663048
rip	0x873a57 <js::jit::ICCall_Fallback::Compiler::postGenerateStubCode(js::jit::MacroAssembler&, JS::Handle<js::jit::JitCode*>)+199>
=> 0x873a57 <js::jit::ICCall_Fallback::Compiler::postGenerateStubCode(js::jit::MacroAssembler&, JS::Handle<js::jit::JitCode*>)+199>:	movl   $0x1a2,0x0
   0x873a62 <js::jit::ICCall_Fallback::Compiler::postGenerateStubCode(js::jit::MacroAssembler&, JS::Handle<js::jit::JitCode*>)+210>:	callq  0x497c70 <abort()>
Marking s-s until investigated because this is an assertion in the baseline compiler code.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150908004536" and the hash "e2021f179191b8352529d612238146655d8e8586".
The "bad" changeset has the timestamp "20150908004632" and the hash "c96fdda7972792eae00d16eee1a156304654f5e1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e2021f179191b8352529d612238146655d8e8586&tochange=c96fdda7972792eae00d16eee1a156304654f5e1
The bisection points to bug 1200642, but maybe that just added some testing functions?
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f2f8cb92dce4).
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
The problem here is that the initBaseline*ReturnAddr() methods called from postGenerateStubCode() assert that they are not called more than once, but ICStubCompiler::getStubCode() can fail with OOM after calling this.

This patch makes postGenerateStubCode() infallible and calls it after the last point at which we can fail.
Attachment #8669021 - Flags: review?(jdemooij)
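The ordering problem described in the comment above, as an added illustration that is not SpiderMonkey code: a once-only slot standing in for baselineCallReturnAddrs_, a stub compiler whose post-generation step can run before or after the last fallible step, and a retry loop like the testcase's oomTest. The struct names, the attempt counter and the OOM-on-attempt-N switch are assumptions made for the model; the real code asserts on the second init, whereas this model counts it so the two orderings can be compared.

```cpp
#include <cstdio>

// Model of a once-only slot such as JitCompartment's baselineCallReturnAddrs_
// (assumed, simplified structure). The real method asserts on a second init;
// this model counts the violation so it can be observed.
struct CompartmentSlots {
    const void* returnAddr[2] = {nullptr, nullptr};  // indexed by `constructing`
    int doubleInits = 0;

    void initBaselineCallReturnAddr(bool constructing, const void* addr) {
        if (returnAddr[constructing] != nullptr) {
            ++doubleInits;  // where the assertion in the bug report fires
            return;
        }
        returnAddr[constructing] = addr;
    }
};

// Model of ICStubCompiler::getStubCode(): generate code, perform a fallible
// step (an allocation that can hit OOM), and run the post-generation hook.
// `failOnAttempt` picks which attempt (1-based) the allocation fails on; 0 = never.
struct StubCompiler {
    CompartmentSlots& slots;
    bool constructing;
    int failOnAttempt;
    int attempts;

    StubCompiler(CompartmentSlots& s, bool c, int failOn)
        : slots(s), constructing(c), failOnAttempt(failOn), attempts(0) {}

    static const void* generatedCodeAddr() {
        static const char code[1] = {0};  // placeholder for the generated JitCode
        return code;
    }

    // Buggy ordering: the once-only side effect runs before the last point
    // at which compilation can still fail, so a retry after OOM repeats it.
    bool getStubCodeBuggy() {
        ++attempts;
        const void* code = generatedCodeAddr();
        slots.initBaselineCallReturnAddr(constructing, code);  // postGenerateStubCode
        if (attempts == failOnAttempt) return false;           // OOM after the side effect
        return true;
    }

    // Fixed ordering, as the patch comment describes: every fallible step
    // first, then the infallible hook once nothing else can fail.
    bool getStubCodeFixed() {
        ++attempts;
        const void* code = generatedCodeAddr();
        if (attempts == failOnAttempt) return false;           // OOM before any side effect
        slots.initBaselineCallReturnAddr(constructing, code);  // postGenerateStubCode
        return true;
    }
};

// Drive a compile-then-retry-after-OOM sequence and return how many times the
// once-only invariant was violated (0 means the assertion would not have fired).
int compileUntilSuccess(bool useFix, int failOnAttempt) {
    CompartmentSlots slots;
    StubCompiler compiler(slots, /*constructing=*/true, failOnAttempt);
    for (int i = 0; i < 10; ++i) {
        bool ok = useFix ? compiler.getStubCodeFixed() : compiler.getStubCodeBuggy();
        if (ok) break;
    }
    return slots.doubleInits;
}

int main() {
    std::printf("buggy ordering, OOM on attempt 1: %d double init(s)\n",
                compileUntilSuccess(false, 1));
    std::printf("fixed ordering, OOM on attempt 1: %d double init(s)\n",
                compileUntilSuccess(true, 1));
    return 0;
}
```

With the buggy ordering a single OOM on the first attempt leaves the slot already filled when the retry compiles again, which is exactly the double init the assertion catches; with the fixed ordering the slot is only written on the attempt that actually succeeds.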
Comment on attachment 8669021 [details] [diff] [review]
bug1209585-baseline

Review of attachment 8669021 [details] [diff] [review]:
-----------------------------------------------------------------

Awesome.
Attachment #8669021 - Flags: review?(jdemooij) → review+
(Removing sec flag as requested.)
Group: javascript-core-security
I don't think this is a security issue; it will just leak memory in a build without the assertion.
https://hg.mozilla.org/mozilla-central/rev/1e5b48206efe
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44