Closed Bug 1211962 Opened 9 years ago Closed 9 years ago

Assertion failure: nativeOffset >= lastEntry.nativeOffset.offset(), at js/src/jit/shared/CodeGenerator-shared.cpp:225

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla44
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

Attachments

(1 file)

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (built with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --baseline-eager):

const verbose = false;
// Shell-only OOM simulation helpers; bail out if this shell lacks them.
if (!("oomAtAllocation" in this && "resetOOMFailure" in this))
    quit();
// Disable GC zeal so only the simulated OOM failures perturb the run.
if ("gczeal" in this)
    gczeal(0);
// Run f() repeatedly, making the i-th allocation fail on each iteration,
// until resetOOMFailure() reports that the failure point was not reached.
function oomTest(f) {
    var i = 1;
    var more;
    do {
        if (verbose)
            print("fail at " + i);
        try {
            oomAtAllocation(i);
            f();
        } catch (e) {
            // Ignore exceptions.
        }
        more = resetOOMFailure();
        i++;
    } while(more);

    if (verbose)
        print("finished after " + i);
}
// Enable the SPS profiler; the assertion below is in the profiler's
// native-to-bytecode mapping code in the Ion code generator.
enableSPSProfiling();
// Copy every global (including oomTest) into a fresh global and run the
// script there through off-thread compilation.
var lfGlobal = newGlobal();
for (lfLocal in this) {
    lfGlobal[lfLocal] = this[lfLocal];
}
const script = 'oomTest(() => getBacktrace({args: true, locals: "123795", thisprops: true}));';
lfGlobal.offThreadCompileScript(script);
lfGlobal.runOffThreadScript();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a93e86 in js::jit::CodeGeneratorShared::addNativeToBytecodeEntry (this=this@entry=0x7ffff39fa000, site=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:225
#0  0x0000000000a93e86 in js::jit::CodeGeneratorShared::addNativeToBytecodeEntry (this=this@entry=0x7ffff39fa000, site=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:225
#1  0x00000000009b388c in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff39fa000) at js/src/jit/CodeGenerator.cpp:4138
#2  0x00000000009b403a in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff39fa000) at js/src/jit/CodeGenerator.cpp:7859
#3  0x00000000009b425e in js::jit::GenerateCode (mir=mir@entry=0x7ffff3802258, lir=0x7ffff3805288) at js/src/jit/Ion.cpp:1954
#4  0x00000000009b4345 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff3802258) at js/src/jit/Ion.cpp:1976
#5  0x00000000009b5df4 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907400, script=script@entry=0x7ffff7ec4230, baselineFrame=baselineFrame@entry=0x7fffffffb0e8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2237
#6  0x00000000009b635a in js::jit::Compile (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb0e8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2406
#7  0x00000000009b6b10 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x7ffff6907400, script=script@entry=..., frame=frame@entry=0x7fffffffb0e8) at js/src/jit/Ion.cpp:2597
#8  0x0000000000898842 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6916209 "\232", script=..., frame=0x7fffffffb0e8, cx=0x7ffff6907400) at js/src/jit/BaselineIC.cpp:108
#9  js::jit::DoWarmUpCounterFallback (cx=0x7ffff6907400, frame=0x7fffffffb0e8, stub=<optimized out>, infoPtr=0x7fffffffb0c0) at js/src/jit/BaselineIC.cpp:269
#10 0x00007ffff7feffd9 in ?? ()
#11 0x0000000000000001 in ?? ()
#12 0x00007fffffffb088 in ?? ()
#13 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x1	1
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffaa20	140737488333344
rsp	0x7fffffffa9a0	140737488333216
r8	0x7ffff7fcc780	140737353926528
r9	0x732f74696a2f6372	8299980634368992114
r10	0x7fffffffa760	140737488332640
r11	0x7ffff6c27ee0	140737333329632
r12	0x7ffff3802080	140737278648448
r13	0x7ffff39fa000	140737280712704
r14	0x30	48
r15	0x30	48
rip	0xa93e86 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1622>
=> 0xa93e86 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1622>:	movl   $0xe1,0x0
   0xa93e91 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1633>:	callq  0x4983a0 <abort()>
Assignee: nobody → nicolas.b.pierron
Attachment #8670395 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/5fda509015ba
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44