Closed
Bug 1214781
Opened 9 years ago
Closed 9 years ago
Assertion failure: !cx->runtime()->hadOutOfMemory, at builtin/TestingFunctions.cpp
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
2.44 KB, text/plain
1.23 KB, patch (terrence: review+)
try {
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug720675.js
gcparam("maxBytes", gcparam("gcBytes"));
// jsfunfuzz-generated
newGlobal("");
} catch (e) {};
oomTest(function() {})
asserts js debug shell on m-c changeset 833c3c37daa6 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !cx->runtime()->hadOutOfMemory, at builtin/TestingFunctions.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 833c3c37daa6
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp
Jon, is bug 1212469 a likely regressor?
Flags: needinfo?(jcoppeard)
Comment 1 • 9 years ago (Reporter)
(lldb) bt 5
* thread #1: tid = 0x10330e, 0x0000000100427ed1 js-dbg-64-dm-darwin-833c3c37daa6`OOMTest(cx=0x0000000102d45400, argc=<unavailable>, vp=0x00007fff5fbfe4f0) + 1169 at TestingFunctions.cpp:1145, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100427ed1 js-dbg-64-dm-darwin-833c3c37daa6`OOMTest(cx=0x0000000102d45400, argc=<unavailable>, vp=0x00007fff5fbfe4f0) + 1169 at TestingFunctions.cpp:1145
frame #1: 0x0000000100670df2 js-dbg-64-dm-darwin-833c3c37daa6`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x0000000102d45400, native=(js-dbg-64-dm-darwin-833c3c37daa6`OOMTest(JSContext*, unsigned int, JS::Value*) at TestingFunctions.cpp:1097))(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 174 at jscntxtinlines.h:235
frame #2: 0x0000000100670d44 js-dbg-64-dm-darwin-833c3c37daa6`js::Invoke(cx=0x0000000102d45400, args=0x00007fff5fbfe498, construct=<unavailable>) + 564 at Interpreter.cpp:784
frame #3: 0x00000001006965df js-dbg-64-dm-darwin-833c3c37daa6`js::Invoke(cx=0x0000000102d45400, thisv=0x00007fff5fbfe700, fval=<unavailable>, argc=<unavailable>, argv=<unavailable>, rval=<unavailable>) + 671 at Interpreter.cpp:839
frame #4: 0x000000010098639b js-dbg-64-dm-darwin-833c3c37daa6`js::jit::DoCallFallback(cx=0x0000000102d45400, frame=0x00007fff5fbfe928, stub_=0x0000000102ddf9c8, argc=1, vp=0x00007fff5fbfe8d0, res=<unavailable>) + 2795 at BaselineIC.cpp:9033
(lldb)
Comment 2 • 9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> The first bad revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
> user: Jon Coppeard
> date: Tue Oct 13 13:37:07 2015 +0100
> summary: Bug 1212469 - Make oomTest() into a shell function r=nbp
>
> Jon, is bug 1212469 a likely regressor?
I would say no, this patch converted the testing function to a builtin which asserts that we report OOM with a coherent state. Thus it might become a common root of some existing OOM bugs.
I think one of the biggest issues here is not the fact that we assert, but the fact that this assertion stack would be a catch-all for a collection of issues.
I guess this would probably become a fuzzblocker, and we should probably display the OOM C++ stack when this assertion fails.
Comment 3 • 9 years ago (Assignee)
We need to clear the hadOutOfMemory flag on the runtime in oomTest() on entry as it may be set by a previous OOM condition.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8674166 - Flags: review?(terrence)
Updated • 9 years ago
Attachment #8674166 - Flags: review?(terrence) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
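The fix described in comment 3, sketched as a simplified model (an added example, not the patch attached to this bug and not SpiderMonkey code). `Runtime`, `oomTestModel`, `simulatePriorOom` and `twoAllocs` are hypothetical names, and where the flag check sits in the loop is an assumption; the model shows a sticky flag left by an earlier, already-handled OOM tripping the harness check unless the harness clears it on entry.

```cpp
// Simplified model of a sticky OOM flag; hypothetical names, not SpiderMonkey code.
#include <cstddef>
#include <functional>

struct Runtime {
    bool hadOutOfMemory = false;  // sticky: set by any OOM, never clears itself
    std::size_t allocCount = 0;
    std::size_t failAt = 0;       // fail the Nth allocation; 0 disables failures
    bool alloc() {
        if (failAt && ++allocCount == failAt) { hadOutOfMemory = true; return false; }
        return true;
    }
};

enum class Result { Ok, StaleFlagOnEntry };

// An OOM that the script caught earlier (as a try/catch would): flag stays set.
void simulatePriorOom(Runtime& rt) {
    rt.allocCount = 0; rt.failAt = 1;
    rt.alloc();
    rt.failAt = 0;
}

// Fail the 1st, 2nd, ... allocation in turn until fn runs without reaching it.
Result oomTestModel(Runtime& rt, const std::function<bool(Runtime&)>& fn, bool clearOnEntry) {
    if (clearOnEntry) rt.hadOutOfMemory = false;  // the fix described in comment 3
    for (std::size_t n = 1;; ++n) {
        if (rt.hadOutOfMemory) return Result::StaleFlagOnEntry;  // models the assertion
        rt.allocCount = 0; rt.failAt = n;
        bool ok = fn(rt);
        rt.failAt = 0;
        if (ok) return Result::Ok;
        rt.hadOutOfMemory = false;  // this OOM was injected and handled by the harness
    }
}

bool twoAllocs(Runtime& rt) { return rt.alloc() && rt.alloc(); }

int main() {
    Runtime stale, fixed;
    simulatePriorOom(stale);
    simulatePriorOom(fixed);
    bool trips = oomTestModel(stale, twoAllocs, false) == Result::StaleFlagOnEntry;
    bool passes = oomTestModel(fixed, twoAllocs, true) == Result::Ok;
    return (trips && passes) ? 0 : 1;
}
```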