Bug 1212258 (Closed) - Opened 9 years ago, closed 9 years ago
Assertion failure: offset_ == offset, at js/src/jit/Label.h:63

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1215555
People: Reporter: decoder, Assigned: nbp
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:ignore][js-oom2015]
Attachments (1 file): patch, 1.26 KB, jolesen: review+
The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-simulator=arm --enable-debug, run with --baseline-eager --arm-asm-nop-fill=1 min.js):

    function h(f, inputs) {
      for (var j = 0; j < 99; ++j) {
        for (var k = 0; k < 99; ++k) {
          oomAfterAllocations(10)
        }
      }
    }
    m = function(y) {};
    h(m, []);

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x087020ad in use (offset=<optimized out>, this=<optimized out>) at js/src/jit/Label.h:63
    #0  0x087020ad in use (offset=<optimized out>, this=<optimized out>) at js/src/jit/Label.h:63
    #1  js::jit::Assembler::as_b (this=this@entry=0xffffb438, l=l@entry=0xffffb37c, c=c@entry=js::jit::Assembler::Always) at js/src/jit/arm/Assembler-arm.cpp:2418
    #2  0x0866256c in jump (label=0xffffb37c, this=0xffffb438) at js/src/jit/arm/MacroAssembler-arm.h:629
    #3  js::jit::MacroAssembler::loadStringChars (this=this@entry=0xffffb438, str=str@entry=..., dest=dest@entry=...) at js/src/jit/MacroAssembler.cpp:1313
    #4  0x085feb74 in ConcatInlineString (failurePopTemps=0xffffb3fc, isTwoByte=false, failure=0xffffb3f8, temp3=..., temp2=..., temp1=..., output=..., rhs=..., lhs=..., masm=...) at js/src/jit/CodeGenerator.cpp:6004
    #5  js::jit::JitCompartment::generateStringConcatStub (this=this@entry=0xf4ce2640, cx=cx@entry=0xf7a7f020) at js/src/jit/CodeGenerator.cpp:6219
    #6  0x086137e6 in ensureIonStubsExist (cx=0xf7a7f020, this=0xf4ce2640) at js/src/jit/Ion.cpp:401
    #7  js::jit::IonCompile (cx=cx@entry=0xf7a7f020, script=script@entry=0xf4d4d160, baselineFrame=baselineFrame@entry=0xf4fffda0, osrPc=osrPc@entry=0xf7a8ec67 "\343\201V", constructing=constructing@entry=false, recompile=false, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2114
    #8  0x08613feb in js::jit::Compile (cx=cx@entry=0xf7a7f020, script=script@entry=..., osrFrame=osrFrame@entry=0xf4fffda0, osrPc=osrPc@entry=0xf7a8ec67 "\343\201V", constructing=false, forceRecompile=false) at js/src/jit/Ion.cpp:2406
    #9  0x0861423b in js::jit::CanEnterAtBranch (cx=cx@entry=0xf7a7f020, script=script@entry=..., osrFrame=osrFrame@entry=0xf4fffda0, pc=pc@entry=0xf7a8ec67 "\343\201V") at js/src/jit/Ion.cpp:2493
    #10 0x084f7e85 in EnsureCanEnterIon (stub=0xf7a1d3c0, jitcodePtr=<synthetic pointer>, pc=0xf7a8ec67 "\343\201V", script=..., frame=0xf4fffda0, cx=0xf7a7f020) at js/src/jit/BaselineIC.cpp:105
    #11 js::jit::DoWarmUpCounterFallback (cx=cx@entry=0xf7a7f020, frame=frame@entry=0xf4fffda0, stub=stub@entry=0xf7a1d3c0, infoPtr=infoPtr@entry=0xf4fffd7c) at js/src/jit/BaselineIC.cpp:269
    #12 0x0878ff16 in js::jit::Simulator::softwareInterrupt (this=0xf7a7e000, instr=0xf4cbc034) at js/src/jit/arm/Simulator-arm.cpp:2173
    #13 0x087904c6 in js::jit::Simulator::decodeType7 (this=0xf7a7e000, instr=0xf4cbc034) at js/src/jit/arm/Simulator-arm.cpp:3314
    #14 0x0878e4f5 in js::jit::Simulator::instructionDecode (this=this@entry=0xf7a7e000, instr=instr@entry=0xf4cbc034) at js/src/jit/arm/Simulator-arm.cpp:4233
    #15 0x0879203c in execute<false> (this=0xf7a7e000) at js/src/jit/arm/Simulator-arm.cpp:4288
    #16 js::jit::Simulator::callInternal (this=this@entry=0xf7a7e000, entry=entry@entry=0xf7c89340 "\377\377\377\352\360O-\351\377\377\377\352\004\320M\342\377\377\377\352\020\212-\355\377\377\377\352\r\200\240\341\377\377\377\352h\220\235\345\377\377\377\352\r\260\240\341\377\377\377\352t\240\235\345\377\377\377", <incomplete sequence \352>) at js/src/jit/arm/Simulator-arm.cpp:4376
    [...]
    #41 main (argc=4, argv=0xffffd904, envp=0xffffd918) at js/src/shell/js.cpp:6579

    eax            0x0        0
    ebx            0x979d51c  158979356
    ecx            0xf7e4388c -136038260
    edx            0x0        0
    esi            0x0        0
    edi            0xffffb36c -19604
    ebp            0xffffb338 4294947640
    esp            0xffffb2e0 4294947552
    eip            0x87020ad  <js::jit::Assembler::as_b(js::jit::Label*, js::jit::Assembler::Condition)+621>
    => 0x87020ad <js::jit::Assembler::as_b(js::jit::Label*, js::jit::Assembler::Condition)+621>: movl   $0x3f,0x0
       0x87020b7 <js::jit::Assembler::as_b(js::jit::Label*, js::jit::Assembler::Condition)+631>: call   0x80efd80 <abort()>
Updated by assignee • 9 years ago
Assignee: nobody → nicolas.b.pierron

Comment 1 (by assignee) • 9 years ago
The problem lies in the fact that ret.getOffset() returns a poisoned value which is not safe for the assertions inside Label::use.
Attachment #8670716 -
Flags: review?(jolesen)
Comment 2 • 9 years ago
Comment on attachment 8670716 [details] [diff] [review]
Add oom check before reading the BufferOffset for debug assertions.

Review of attachment 8670716 [details] [diff] [review]:
-----------------------------------------------------------------

The failing assert in the LabelBase class looks a bit weird:

    int32_t use(int32_t offset) {
        MOZ_ASSERT(!bound());
        int32_t old = offset_;
        offset_ = offset;
        MOZ_ASSERT(offset_ == offset);
        return old;
    }

The point is that offset_ is a 32-bit bitfield, and the assertion is verifying that the bitfield didn't overflow. Maybe we should add a comment to the assertion?

    MOZ_ASSERT(offset_ == offset, "bitfield overflow");

::: js/src/jit/arm/Assembler-arm.cpp
@@ +2423,3 @@
> DebugOnly<int32_t> check = l->use(ret.getOffset());
> MOZ_ASSERT(check == old);
> return ret;

The AssemblerBuffer returns an unassigned BufferOffset in case of an OOM, so you can just say:

    if (ret.assigned()) {
        DebugOnly<int32_t> check = l->use(ret.getOffset());
        MOZ_ASSERT(check == old);
    }
    return ret;
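Review bot: the guarded form skips `l->use(ret.getOffset())` entirely when `ret` is unassigned, so on the OOM path the label never records this branch site; that is only correct because an assembler buffer that has hit OOM is abandoned rather than linked, and a one-line comment at the `if (ret.assigned())` saying so would keep a later cleanup from collapsing it back to the unconditional `l->use(...)` shown in the context lines. Worth checking in the same pass whether the other branch emitters in Assembler-arm.cpp read `ret.getOffset()` the same way, since the backtrace only exercises `as_b`.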
Attachment #8670716 -
Flags: review?(jolesen) → review+
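As an added illustration of the two mechanisms the review describes (not code from the bug, the patch or SpiderMonkey): a label offset stored in a narrow bitfield, where comparing the field against the value just stored is what catches silent truncation, and an unassigned BufferOffset returned after OOM whose sentinel value must not be pushed into that bitfield. `BufferOffset`, `LabelBase`, `ToyAssembler`, `scenario`, the `INT_MIN` sentinel, the 31/1 bit split and the byte budget are all assumptions made for this example; the debug assertions are turned into boolean results so the failure mode can be observed instead of aborting.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the SpiderMonkey types named in the review;
// field widths, the INT_MIN sentinel and the byte budget are assumptions.

// An offset into the code buffer. After a failed allocation the assembler
// hands back a default-constructed, unassigned offset whose raw value is a
// sentinel that must never be interpreted as a position.
class BufferOffset {
    int32_t offset_;
public:
    BufferOffset() : offset_(INT_MIN) {}          // unassigned (OOM)
    explicit BufferOffset(int32_t off) : offset_(off) {}
    bool assigned() const { return offset_ != INT_MIN; }
    int32_t getOffset() const { return offset_; }
};

// A label whose pending-use offset shares one 32-bit word with the bound
// flag. Storing a value that needs more than 31 bits truncates silently;
// comparing the field with the value just stored is the overflow check.
class LabelBase {
    int32_t offset_ : 31;
    uint32_t bound_ : 1;
public:
    LabelBase() : offset_(-1), bound_(0) {}
    bool bound() const { return bound_ != 0; }
    int32_t offset() const { return offset_; }

    // Record a use at `offset`; the previous offset comes back through `old`
    // so uses can be chained. Returns false wherever the real MOZ_ASSERTs
    // would fire.
    bool use(int32_t offset, int32_t* old) {
        if (bound()) return false;
        *old = offset_;
        offset_ = offset;
        return offset_ == offset;   // bitfield overflow check
    }
};

// Does `v` survive a round trip through LabelBase::offset_ unchanged?
bool fitsInOffsetField(int32_t v) {
    LabelBase l;
    int32_t old;
    return l.use(v, &old);
}

// A toy code buffer with a fixed byte budget standing in for the assembler
// buffer's OOM path: once the budget is gone every emission fails and
// returns an unassigned BufferOffset.
class ToyAssembler {
    std::vector<uint8_t> code_;
    size_t budget_;
    bool oom_ = false;
public:
    explicit ToyAssembler(size_t budget) : budget_(budget) {}
    bool oom() const { return oom_; }

    BufferOffset emit4() {                        // one 4-byte instruction
        if (oom_ || code_.size() + 4 > budget_) {
            oom_ = true;
            return BufferOffset();
        }
        BufferOffset at(static_cast<int32_t>(code_.size()));
        code_.insert(code_.end(), 4, 0);
        return at;
    }

    // Emit a branch to `l`, mirroring the reviewed as_b() tail. With `guard`
    // set, label bookkeeping (and its overflow check) runs only when the
    // emission actually landed. Returns false where the asserts would fire.
    bool branchTo(LabelBase& l, bool guard) {
        int32_t old = l.offset();
        BufferOffset ret = emit4();
        if (!guard || ret.assigned()) {
            int32_t check;
            bool ok = l.use(ret.getOffset(), &check);
            return ok && check == old;
        }
        return true;   // OOM: the buffer is abandoned, nothing to record
    }
};

// The bug's shape: the second branch hits OOM. Unguarded, the sentinel
// reaches the bitfield and the overflow check trips although the only real
// problem is the OOM; guarded, the OOM is reported through the buffer.
bool scenario(bool guard) {
    ToyAssembler masm(4);              // room for exactly one instruction
    LabelBase target;
    bool first = masm.branchTo(target, guard);
    bool second = masm.branchTo(target, guard);
    return first && second && masm.oom();
}

int main() {
    std::printf("INT_MIN fits the offset field: %d\n", fitsInOffsetField(INT_MIN));
    std::printf("unguarded OOM path consistent: %d\n", scenario(false));
    std::printf("guarded OOM path consistent:   %d\n", scenario(true));
    return 0;
}
```

The point the example makes concrete is the one from the review: the assertion in `use()` is a truncation detector, so any poison or sentinel value that reaches it reads as "bitfield overflow" even when the real event was an allocation failure, and the right place to stop that is before `getOffset()` is called on an offset that was never assigned.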
Comment 3 (by assignee) • 9 years ago
Comment on attachment 8670716 [details] [diff] [review]
Add oom check before reading the BufferOffset for debug assertions.

Review of attachment 8670716 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/ion/bug1212258.js
@@ +1,1 @@
> +function h(f, inputs) {

self-nit: Add jit-test oom tag here.
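Review bot: the jit-test directive the self-nit asks for has to be the first line of the file, because the harness only looks for `|jit-test|` there; as quoted, line 1 is already `function h(f, inputs) {`, so the tag needs to go above it rather than be appended further down.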
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/da767cf4ce86 for SM(e) orange: https://treeherder.mozilla.org/logviewer.html#?job_id=15395548&repo=mozilla-inbound
Flags: needinfo?(nicolas.b.pierron)
Updated by assignee • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE