Closed Bug 1211962 Opened 10 years ago Closed 10 years ago

Assertion failure: nativeOffset >= lastEntry.nativeOffset.offset(), at js/src/jit/shared/CodeGenerator-shared.cpp:225

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox44 --- fixed

People

(Reporter: decoder, Assigned: nbp)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

Attachments

(1 file)

addNativeToBytecodeEntry: Check that the masm.currentOffset() returns a valid result.
1.12 KB, patch
djvj
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-offthread-compile=off --baseline-eager): const verbose = false; if (!("oomAtAllocation" in this && "resetOOMFailure" in this)) quit(); if ("gczeal" in this) gczeal(0); function oomTest(f) { var i = 1; var more; do { if (verbose) print("fail at " + i); try { oomAtAllocation(i); f(); } catch (e) { // Ignore exceptions. } more = resetOOMFailure(); i++; } while(more); if (verbose) print("finished after " + i); } enableSPSProfiling(); var lfGlobal = newGlobal(); for (lfLocal in this) { lfGlobal[lfLocal] = this[lfLocal]; } const script = 'oomTest(() => getBacktrace({args: true, locals: "123795", thisprops: true}));'; lfGlobal.offThreadCompileScript(script); lfGlobal.runOffThreadScript(); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000a93e86 in js::jit::CodeGeneratorShared::addNativeToBytecodeEntry (this=this@entry=0x7ffff39fa000, site=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:225 #0 0x0000000000a93e86 in js::jit::CodeGeneratorShared::addNativeToBytecodeEntry (this=this@entry=0x7ffff39fa000, site=<optimized out>) at js/src/jit/shared/CodeGenerator-shared.cpp:225 #1 0x00000000009b388c in js::jit::CodeGenerator::generateBody (this=this@entry=0x7ffff39fa000) at js/src/jit/CodeGenerator.cpp:4138 #2 0x00000000009b403a in js::jit::CodeGenerator::generate (this=this@entry=0x7ffff39fa000) at js/src/jit/CodeGenerator.cpp:7859 #3 0x00000000009b425e in js::jit::GenerateCode (mir=mir@entry=0x7ffff3802258, lir=0x7ffff3805288) at js/src/jit/Ion.cpp:1954 #4 0x00000000009b4345 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff3802258) at js/src/jit/Ion.cpp:1976 #5 0x00000000009b5df4 in js::jit::IonCompile (cx=cx@entry=0x7ffff6907400, script=script@entry=0x7ffff7ec4230, baselineFrame=baselineFrame@entry=0x7fffffffb0e8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2237 #6 0x00000000009b635a in js::jit::Compile (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb0e8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2406 #7 0x00000000009b6b10 in js::jit::CompileFunctionForBaseline (cx=cx@entry=0x7ffff6907400, script=script@entry=..., frame=frame@entry=0x7fffffffb0e8) at js/src/jit/Ion.cpp:2597 #8 0x0000000000898842 in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff6916209 "\232", script=..., frame=0x7fffffffb0e8, cx=0x7ffff6907400) at js/src/jit/BaselineIC.cpp:108 #9 js::jit::DoWarmUpCounterFallback (cx=0x7ffff6907400, frame=0x7fffffffb0e8, stub=<optimized out>, infoPtr=0x7fffffffb0c0) at js/src/jit/BaselineIC.cpp:269 #10 0x00007ffff7feffd9 in ?? () #11 0x0000000000000001 in ?? () #12 0x00007fffffffb088 in ?? () #13 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x1 1 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffaa20 140737488333344 rsp 0x7fffffffa9a0 140737488333216 r8 0x7ffff7fcc780 140737353926528 r9 0x732f74696a2f6372 8299980634368992114 r10 0x7fffffffa760 140737488332640 r11 0x7ffff6c27ee0 140737333329632 r12 0x7ffff3802080 140737278648448 r13 0x7ffff39fa000 140737280712704 r14 0x30 48 r15 0x30 48 rip 0xa93e86 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1622> => 0xa93e86 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1622>: movl $0xe1,0x0 0xa93e91 <js::jit::CodeGeneratorShared::addNativeToBytecodeEntry(js::jit::BytecodeSite const*)+1633>: callq 0x4983a0 <abort()>
Assignee: nobody → nicolas.b.pierron
Attachment #8670395 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/5fda509015ba
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: