Closed Bug 1212298 Opened 10 years ago Closed 10 years ago

Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 (bailout Ion -> baseline)

Categories

(Core :: JavaScript Engine: JIT, defect)

Other Branch
x86
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla46
Tracking Status
firefox44 --- fixed
firefox45 --- fixed
firefox46 --- fixed
b2g-v2.5 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager):

for (var e = 1; e < 10000; e++) {
  new(function(arguments, message, get) {
    eval("var y");
  });
}

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0884e3d8 in JSScript::getStaticBlockScope (this=0xf3e750d0, pc=pc@entry=0xf4080868 "{") at js/src/jsscript.cpp:3815
#1  0x0884e799 in innermostStaticScopeInScript (pc=0xf4080868 "{", pc@entry=0x0, this=0xf3e750d0) at js/src/jsscript.cpp:3867
#2  JSScript::innermostStaticScope (this=0xf3e750d0, pc=pc@entry=0xf4080868 "{") at js/src/jsscript.cpp:3877
#3  0x082080fe in js::DirectEvalStringFromIon (cx=0xf7277020, scopeobj=..., callerScript=..., thisValue=..., newTargetValue=..., str=..., pc=0xf4080868 "{", vp=...) at js/src/builtin/Eval.cpp:397
#4  0xf746d086 in ?? ()
eax            0x0        0
ebx            0x97a3434  159003700
ecx            0xf762488c -144553844
edx            0x0        0
esi            0xf4080868 -200800152
edi            0xffbf57f0 -4237328
ebp            0xffbf5748 4290729800
esp            0xffbf5710 4290729744
eip            0x884e3d8  <JSScript::getStaticBlockScope(unsigned char*)+200>
=> 0x884e3d8 <JSScript::getStaticBlockScope(unsigned char*)+200>:    movl   $0xee7,0x0
   0x884e3e2 <JSScript::getStaticBlockScope(unsigned char*)+210>:    call   0x80f1660 <abort()>
Wohoo, I get another assert on Mac OS X (release-debug build):

Assertion failure: v.isUndefined() || v.isMagic(JS_OPTIMIZED_OUT), at js/src/jit/BaselineBailouts.cpp:691
Segmentation fault: 11
Also on debug. Value appears to be garbage:

(JS::Value) $0 = {
  data = {
    asBits = 18158514807639138304
    debugView = (payload47 = 1110081298432, tag = -2048)
    s = {
      payload = (i32 = 1979736064, u32 = 1979736064, why = 1979736064)
    }
    asDouble = -1.9495432220209402E+289
    asPtr = 0xfc00010276006000
    asWord = 18158514807639138304
    asUIntPtr = 18158514807639138304
  }
}
This is a simpler test case - no confusing argument names, no eval - that fails reliably with e=1098 on my system (debug build):

for (var e = 1; e < 10000; e++) {
  print(e);
  var z = function(a, b, c) {};
  new z;
}

To fail, there must be a "new z" and z must be created within the loop. There's no evidence yet that the GC is running, for example. Not sure about interrupts, say. This looks like a generic JIT bailout bug, not OOM related.
Component: JavaScript Engine → JavaScript Engine: JIT
Summary: Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 with OOM → Assertion failure: containsPC(pc), at js/src/jsscript.cpp:3815 (bailout Ion -> baseline)
Whiteboard: [jsbugmon:ignore][js-oom2015] → [jsbugmon:ignore]
(In reply to Lars T Hansen [:lth] from comment #3)
> This looks like a generic JIT bailout bug, not OOM related.

Setting needinfo? from Jan, please feel free to forward this to someone else as deemed suitable.
Flags: needinfo?(jdemooij)
Attached patch: Patch
This is an older bug with direct eval calls inside an inlined function in Ion, but it was likely exposed by bug 1199143. Since that bug, we inline heavyweight functions in Ion (all functions containing eval are heavyweight).
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8702946 - Flags: review?(shu)
Comment on attachment 8702946 [details] [diff] [review] Patch Review of attachment 8702946 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/CodeGenerator.cpp @@ +3690,5 @@ > > pushArg(ImmPtr(lir->mir()->pc())); > pushArg(string); > pushArg(ToValue(lir, LCallDirectEval::NewTarget)); > + pushArg(ImmGCPtr(current->mir()->info().script())); Doh, nice catch fuzzers.
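Review bot: the pc pushed at `pushArg(ImmPtr(lir->mir()->pc()));` and the script now pushed at `pushArg(ImmGCPtr(current->mir()->info().script()));` reach js::DirectEvalStringFromIon as a pair, and the failing check in the backtrace (`containsPC(pc)` in JSScript::getStaticBlockScope) is exactly the assertion that the pc lies inside that script; since the patch author's comment attributes the bug to a direct eval inside a function that Ion inlined, a one-line comment above the new line saying that `current->mir()->info().script()` is the script of the (possibly inlined) function containing the eval, chosen so it matches `lir->mir()->pc()`, would record the invariant for the next reader. The removed line is not quoted in this review excerpt, so the previous argument cannot be compared here.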
Attachment #8702946 - Flags: review?(shu) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Comment on attachment 8702946 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1199143.
[User impact if declined]: Crashes.
[Describe test coverage new/current, TreeHerder]: Adds a test that was fixed.
[Risks and why]: Very low risk. The patch is a safe and simple one-liner, I think we should just take it on aurora/beta.
[String/UUID change made/needed]: None.
Attachment #8702946 - Flags: approval-mozilla-beta?
Attachment #8702946 - Flags: approval-mozilla-aurora?
Comment on attachment 8702946 [details] [diff] [review]
Patch

Fixes a crash and has an automated test, beta44+, aurora45+
Attachment #8702946 - Flags: approval-mozilla-beta?
Attachment #8702946 - Flags: approval-mozilla-beta+
Attachment #8702946 - Flags: approval-mozilla-aurora?
Attachment #8702946 - Flags: approval-mozilla-aurora+