Closed Bug 1211100 Opened 9 years ago Closed 9 years ago

Assertion failure: (base.emplaceBack(pcToOffset(jumpTargets[i]))), at jsscript.cpp

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox44 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

Attachments

(3 files)

stack
4.11 KB, text/plain
Details
bug1211100-script-counts
1.01 KB, patch
Details | Diff | Splinter Review
bug1211100-script-counts v2
1.76 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug1207863.js
var i = 1;
do {
    try {
        oomAtAllocation(i);
        eval("");
    } catch (e) {
        x = resetOOMFailure();
    }
    i++;
} while (x && i < 99)

asserts js debug shell on m-c changeset 5f16c6c2b969 with --fuzzing-safe --no-threads --no-ion --no-baseline -D at Assertion failure: (base.emplaceBack(pcToOffset(jumpTargets[i]))), at jsscript.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 5f16c6c2b969

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c508580bb56d
user:        Jon Coppeard
date:        Wed Sep 30 11:34:48 2015 +0100
summary:     Bug 1200642 - Add OOM simulation to Vector r=Waldo

Jon, is bug 1200642 a likely regressor?
Flags: needinfo?(jcoppeard)
Attached file stack 
(lldb) bt 5
* thread #1: tid = 0x6493a, 0x0000000100934135 js-dbg-64-dm-darwin-5f16c6c2b969`JSScript::initScriptCounts(this=<unavailable>, cx=0x0000000102c45400) + 2101 at jsscript.cpp:1337, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100934135 js-dbg-64-dm-darwin-5f16c6c2b969`JSScript::initScriptCounts(this=<unavailable>, cx=0x0000000102c45400) + 2101 at jsscript.cpp:1337
    frame #1: 0x00000001002ba7b3 js-dbg-64-dm-darwin-5f16c6c2b969`Interpret(cx=0x0000000102c45400, state=0x00007fff5fbfdf08) + 1891 at Interpreter.cpp:1983
    frame #2: 0x00000001002b9fd9 js-dbg-64-dm-darwin-5f16c6c2b969`js::RunScript(cx=0x0000000102c45400, state=0x00007fff5fbfdf08) + 441 at Interpreter.cpp:709
    frame #3: 0x00000001002d2594 js-dbg-64-dm-darwin-5f16c6c2b969`js::ExecuteKernel(cx=0x0000000102c45400, script=<unavailable>, scopeChainArg=0x0000000102d5c060, thisv=0x00007fff5fbfe290, newTargetValue=0x00007fff5fbfe040, type=EXECUTE_DIRECT_EVAL, evalInFrame=<unavailable>, result=<unavailable>) + 1364 at Interpreter.cpp:983
    frame #4: 0x00000001000dd407 js-dbg-64-dm-darwin-5f16c6c2b969`EvalKernel(cx=0x0000000102c45400, args=0x00007fff5fbfe9f0, evalType=DIRECT_EVAL, caller=<unavailable>, scopeobj=<unavailable>, pc="{") + 2887 at Eval.cpp:352
(lldb)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
The problem is that we don't know that emplaceBack() can't fail when simulating OOM.  But we can just use infallibleAppend() here instead.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8669620 - Flags: review?(nicolas.b.pierron)
Comment on attachment 8669620 [details] [diff] [review]
bug1211100-script-counts

Review of attachment 8669620 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsscript.cpp
@@ -1333,5 @@
>      if (!base.reserve(jumpTargets.length()))
>          return false;
>  
>      for (size_t i = 0; i < jumpTargets.length(); i++)
> -        MOZ_ALWAYS_TRUE(base.emplaceBack(pcToOffset(jumpTargets[i])));

I would prefer if we can remove the lines in 

  https://dxr.mozilla.org/mozilla-central/source/mfbt/Vector.h#972-973

I used emplaceBack here to avoid a copy of the PCCount structure.
Otherwise, we can add an infallibleEmplaceBack function.
Attachment #8669620 - Flags: review?(nicolas.b.pierron)
Updated to add and use infallibleEmplaceBack().
Attachment #8669674 - Flags: review?(nicolas.b.pierron)
Attachment #8669674 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/f4ad05fe46f6
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: