Closed Bug 1216277 Opened 9 years ago Closed 9 years ago

Assertion failure: nativeOffset >= entry.endOffset.offset(), at jit/shared/CodeGenerator-shared.cpp or Assertion failure: (attempts_->append(OptimizationAttempt(strategy, outcome))), or Assertion failure: length() % sizeof(uint32_t) == 0,

Categories: Core :: JavaScript Engine: JIT, defect
Platform: x86_64 macOS
Severity: critical (priority not set)
Status: RESOLVED FIXED
Target Milestone: mozilla44
Tracking Status: firefox44 --- fixed
People: Reporter: gkw, Assigned: jonco
Keywords: assertion, regression, testcase
Attachments: 4 files

The upcoming testcase asserts js debug shell on m-c changeset 1a157155a4fe with --fuzzing-safe --no-threads --baseline-eager at Assertion failure: nativeOffset >= entry.endOffset.offset(), at jit/shared/CodeGenerator-shared.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 1a157155a4fe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/46cd97a3b2e6
user:        Jon Coppeard
date:        Tue Oct 13 13:37:08 2015 +0100
summary:     Bug 1212469 - Fix some OOM handling issues shown up by the previous patch r=jandem

Jon, is bug 1212469 a likely regressor?
Flags: needinfo?(jcoppeard)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x232a19, 0x00000001003c2151 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGeneratorShared::extendTrackedOptimizationsEntry(this=<unavailable>, optimizations=<unavailable>) + 353 at CodeGenerator-shared.cpp:361, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003c2151 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGeneratorShared::extendTrackedOptimizationsEntry(this=<unavailable>, optimizations=<unavailable>) + 353 at CodeGenerator-shared.cpp:361
    frame #1: 0x00000001001890ce js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGenerator::generateBody(this=0x0000000104fe1000) + 1054 at CodeGenerator.cpp:4163
    frame #2: 0x00000001001a2f82 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGenerator::generate(this=0x0000000104fe1000) + 562 at CodeGenerator.cpp:7883
    frame #3: 0x00000001001df64f js-dbg-64-dm-darwin-1a157155a4fe`js::jit::GenerateCode(mir=0x0000000104fd11a8, lir=0x0000000104fd4dd0) + 351 at Ion.cpp:1957
    frame #4: 0x00000001001df735 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CompileBackEnd(mir=0x0000000104fd11a8) + 101 at Ion.cpp:1979
(lldb)
function loopModulo() {
    return (replace(/\\/g, "\\\\") ^ -~"\"");
}
var Random = {
    weighted: function(wa) {},
};
function cat() {
    switch (print()) {}
}
var intExpr = autoExpr(Random.weighted([]));
var intishExpr = autoExpr(Random.weighted([]));
var signedExpr = autoExpr(Random.weighted([]));
var doublishExpr = autoExpr(Random.weighted([]));
var doubleExpr = autoExpr(Random.weighted([]));
var intishMemberExpr = autoExpr(Random.weighted([]));
var doublishMemberExpr = autoExpr(Random.weighted([]));
var anyAsmExpr = [intExpr, intishExpr];
function autoExpr() {}
var lvalueMakers = [];
function makeShapeyValue() {}
function regexTerm() {}
function infrequentCondition() {}
var arrayBufferType = function() {};
var tryRunning = tryRunningDirectly;
function tryRunningDirectly(code) {
    try {
        f();
    } catch (e) {}
}
function tryItOut(code) {
    f = new Function(code);
    tryRunning(code);
}
// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug925308.js
tryItOut("\
    load(\"zz1875.js\");\
");
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/oomInFormatStackDump.js
tryItOut("oomTest(() => getBacktrace({args: true, locals: true, thisprops: true}));");


and zz1875.js is:


var lfcode = new Array();
lfcode.push("3");
lfcode.push("enableSPSProfiling();foo();");
while (true) {
    var file = lfcode.shift();
    loadFile(file)
}
function loadFile(lfVarx) {
    if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
        switch (lfRunTypeId) {
            default: function newFunc(x) {
                new Function(x)();
            }
            newFunc("enableSPSProfiling();foo();");
        }
    } else {
        lfRunTypeId =
        parseInt(3);
    }
}
Whiteboard: [jsbugmon:update]
Variants of this testcase (during reduction) assert at:

Assertion failure: (attempts_->append(OptimizationAttempt(strategy, outcome))), at jit/shared/CodeGenerator-shared.cpp

Assertion failure: length() % sizeof(uint32_t) == 0, at jit/CompactBuffer.h
Summary: Assertion failure: nativeOffset >= entry.endOffset.offset(), at jit/shared/CodeGenerator-shared.cpp → Assertion failure: nativeOffset >= entry.endOffset.offset(), at jit/shared/CodeGenerator-shared.cpp or Assertion failure: (attempts_->append(OptimizationAttempt(strategy, outcome))), or Assertion failure: length() % sizeof(uint32_t) == 0,
(lldb) bt 5
* thread #1: tid = 0x234eac, 0x00000001003cdc88 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::ReadTempAttemptsVectorOp::operator(this=<unavailable>, strategy=<unavailable>, outcome=<unavailable>)(JS::TrackedStrategy, JS::TrackedOutcome) + 88 at CodeGenerator-shared.cpp:941, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003cdc88 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::ReadTempAttemptsVectorOp::operator(this=<unavailable>, strategy=<unavailable>, outcome=<unavailable>)(JS::TrackedStrategy, JS::TrackedOutcome) + 88 at CodeGenerator-shared.cpp:941
    frame #1: 0x000000010032a972 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::IonTrackedOptimizationsAttempts::forEach(this=0x00007fff5fbf8698, op=0x00007fff5fbf8688) + 98 at OptimizationTracking.cpp:487
    frame #2: 0x00000001003c4cf1 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGeneratorShared::verifyCompactTrackedOptimizationsMap(this=0x0000000104bdf000, code=0x0000000103d8d490, numRegions=<unavailable>, unique=0x00007fff5fbf8890, allTypes=0x0000000104b8c6a0) + 1057 at CodeGenerator-shared.cpp:1046
    frame #3: 0x00000001003c4547 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap(this=0x0000000104bdf000, cx=<unavailable>, code=0x0000000103d8d490, allTypes=0x0000000104b8c6a0) + 791 at CodeGenerator-shared.cpp:915
    frame #4: 0x00000001001a3a18 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGenerator::link(this=0x0000000104bdf000, cx=0x0000000102c45400, constraints=<unavailable>) + 984 at CodeGenerator.cpp:8080
(lldb)
(lldb) bt 5
* thread #1: tid = 0x2351ec, 0x0000000100359304 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CompactBufferWriter::writeNativeEndianUint32_t(this=<unavailable>, value=<unavailable>) + 196 at CompactBuffer.h:170, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100359304 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CompactBufferWriter::writeNativeEndianUint32_t(this=<unavailable>, value=<unavailable>) + 196 at CompactBuffer.h:170
    frame #1: 0x000000010032c22a js-dbg-64-dm-darwin-1a157155a4fe`WriteOffsetsTable(writer=0x00007fff5fbf8840, offsets=0x00007fff5fbf8550, tableOffsetp=0x00007fff5fbf8834) + 266 at OptimizationTracking.cpp:830
    frame #2: 0x000000010032bc3f js-dbg-64-dm-darwin-1a157155a4fe`js::jit::WriteIonTrackedOptimizationsTable(cx=0x0000000102c45400, writer=0x00007fff5fbf8840, start=0x00007fff5fbf8928, end=<unavailable>, unique=0x00007fff5fbf8890, numRegions=0x00007fff5fbf883c, regionTableOffsetp=<unavailable>, typesTableOffsetp=<unavailable>, optimizationTableOffsetp=<unavailable>, allTypes=<unavailable>) + 2383 at OptimizationTracking.cpp:1003
    frame #3: 0x00000001003c446c js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGeneratorShared::generateCompactTrackedOptimizationsMap(this=0x0000000105b0b000, cx=0x0000000102c45400, code=0x0000000102d8d490, allTypes=0x000000010598df60) + 572 at CodeGenerator-shared.cpp:887
    frame #4: 0x00000001001a3a18 js-dbg-64-dm-darwin-1a157155a4fe`js::jit::CodeGenerator::link(this=0x0000000105b0b000, cx=0x0000000102c45400, constraints=<unavailable>) + 984 at CodeGenerator.cpp:8080
(lldb)
I wasn't able to reproduce this at all, but I can see what is going wrong.  This is another case where we have assertions that are not true if we've hit OOM.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8676237 - Flags: review?(jdemooij)
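The failure mode described in the previous comment, modelled as an added example: this is illustrative code, not SpiderMonkey's CompactBufferWriter, not the optimization-tracking code, and not the attached patch. It shows the two patterns behind the three assertions in this bug: a buffer invariant (4-byte alignment before a uint32 write) that only holds while no allocation has failed, so it must sit behind an oom() check, and a fallible vector append whose result is checked and propagated rather than asserted. A simulated byte budget stands in for the allocator so OOM can be triggered deterministically. All names (Budget, FallibleWriter, encodeOffsetsTable, Attempt, appendAttempt, collectAttempts) are hypothetical.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical byte budget playing the role of the allocator, so that
// out-of-memory can be triggered deterministically in a test.
struct Budget {
  size_t remaining;
  bool take(size_t n) {
    if (n > remaining) return false;
    remaining -= n;
    return true;
  }
};

// Hypothetical fallible byte writer in the spirit of a compact buffer: a
// failed allocation sets an oom flag, every later write is dropped, and any
// invariant about the contents is only meaningful while !oom().
class FallibleWriter {
  std::vector<uint8_t> bytes_;
  Budget* budget_;
  bool oom_ = false;

  bool writeBytes(const uint8_t* p, size_t n) {
    if (oom_) return false;
    if (!budget_->take(n)) {  // allocation failure: record it, write nothing
      oom_ = true;
      return false;
    }
    bytes_.insert(bytes_.end(), p, p + n);
    return true;
  }

 public:
  explicit FallibleWriter(Budget* budget) : budget_(budget) {}
  bool oom() const { return oom_; }
  size_t length() const { return bytes_.size(); }

  bool writeByte(uint8_t b) { return writeBytes(&b, 1); }

  // Zero-pad until length() is a multiple of 4. Stops early on OOM, which
  // leaves the buffer unaligned.
  bool alignTo4() {
    while (length() % sizeof(uint32_t) != 0)
      if (!writeByte(0)) return false;
    return true;
  }

  // Write a native-endian uint32 at a 4-aligned position. The alignment
  // assertion is a real invariant only if all earlier writes succeeded, so
  // it sits behind the oom check; asserting it unconditionally is exactly
  // the kind of assertion that fires after an allocation failure.
  bool writeNativeEndianUint32(uint32_t v) {
    if (oom_) return false;
    assert(length() % sizeof(uint32_t) == 0);
    uint8_t raw[sizeof(uint32_t)];
    std::memcpy(raw, &v, sizeof raw);
    return writeBytes(raw, sizeof raw);
  }
};

// Hypothetical table encoder: aligned entry count followed by the entries.
// Every step returns false on OOM and the failure is propagated to the caller.
bool encodeOffsetsTable(FallibleWriter& w, const std::vector<uint32_t>& offsets) {
  if (!w.alignTo4()) return false;
  if (!w.writeNativeEndianUint32(static_cast<uint32_t>(offsets.size()))) return false;
  for (uint32_t off : offsets)
    if (!w.writeNativeEndianUint32(off)) return false;
  return true;
}

struct Attempt { int strategy; int outcome; };

// Fallible append under the same budget. Writing assert(appendAttempt(...))
// would be wrong twice over: a failed append is a legitimate OOM, not a bug,
// and with NDEBUG the expression is not evaluated at all, so the append would
// silently never happen in a release build. Callers check the result instead.
bool appendAttempt(std::vector<Attempt>& out, Budget& budget, Attempt a) {
  if (!budget.take(sizeof(Attempt))) return false;
  out.push_back(a);
  return true;
}

bool collectAttempts(const std::vector<Attempt>& src, Budget& budget,
                     std::vector<Attempt>& out) {
  for (const Attempt& a : src)
    if (!appendAttempt(out, budget, a)) return false;  // propagate, don't assert
  return true;
}

int main() {
  Budget tight{2};
  FallibleWriter w(&tight);
  w.writeByte(0x7f);                            // leaves the buffer unaligned
  bool ok = encodeOffsetsTable(w, {1, 2, 3});   // runs out of budget while padding
  return (!ok && w.oom()) ? 0 : 1;              // expected: OOM reported, no crash
}
```

The point of the tight-budget case is that the alignment invariant is genuinely violated after OOM (the padding write was dropped), so a debug build that asserts it unconditionally aborts on a condition that is not a compiler bug; checking oom() first and returning failure lets the compilation be abandoned cleanly instead.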
Comment on attachment 8676237 [details] [diff] [review]
bug1216277-optimisation-tracking-oom

Review of attachment 8676237 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8676237 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/c957a5397000
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44