1222675 - Assertion failure: result ([OOM] Is it really infallible?), at ds/LifoAlloc.h or Assertion failure: !unknownProperties(), at vm/TypeInference-inl.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The upcoming testcase asserts js debug shell on m-c changeset 42627d5369b3 with --fuzzing-safe --no-threads --ion-eager at Assertion failure: result ([OOM] Is it really infallible?), at ds/LifoAlloc.h

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 42627d5369b3

Due to the testcase becoming increasingly difficult to reduce, Jan, do you think you might be able to move this on to the right person, as a start?

(also cc'ing Jon since oomTest seems to be needed)

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: testcase

Reduced to ~100+ lines.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0x93fb51, 0x000000010091652b js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(js::jit::AnyRegister, js::jit::CodePosition, js::jit::CodePosition) [inlined] js::LifoAlloc::allocInfallibleOrAssert(this=<unavailable>, n=72) + 52 at LifoAlloc.h:281, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010091652b js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(js::jit::AnyRegister, js::jit::CodePosition, js::jit::CodePosition) [inlined] js::LifoAlloc::allocInfallibleOrAssert(this=<unavailable>, n=72) + 52 at LifoAlloc.h:281
    frame #1: 0x00000001009164f7 js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(js::jit::AnyRegister, js::jit::CodePosition, js::jit::CodePosition) [inlined] js::jit::TempAllocator::allocateInfallible(this=<unavailable>, bytes=72) at JitAllocPolicy.h:40
    frame #2: 0x00000001009164f7 js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(js::jit::AnyRegister, js::jit::CodePosition, js::jit::CodePosition) [inlined] js::jit::TempObject::operator new(nbytes=72, alloc=<unavailable>) at JitAllocPolicy.h:174
    frame #3: 0x00000001009164f7 js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(js::jit::AnyRegister, js::jit::CodePosition, js::jit::CodePosition) [inlined] js::jit::LiveRange::New(alloc=<unavailable>, vreg=0) at BacktrackingAllocator.h:246
    frame #4: 0x00000001009164f7 js-dbg-64-dm-darwin-42627d5369b3`js::jit::BacktrackingAllocator::addInitialFixedRange(this=<unavailable>, reg=<unavailable>, from=<unavailable>, to=<unavailable>) + 135 at BacktrackingAllocator.cpp:462
(lldb)

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I have another assertion from a less-reduced testcase variant of comment 1 as:

Assertion failure: !unknownProperties(), at vm/TypeInference-inl.h

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: testcase for Assertion failure: !unknownProperties()

$ ~/shell-cache/js-dbg-64-dm-darwin-42627d5369b3/js-dbg-64-dm-darwin-42627d5369b3 --fuzzing-safe --no-threads --ion-eager nknownpro.js
ReportOutOfMemory called
ReportOutOfMemory called
..
/snip
..
ReportOutOfMemory called
ReportOutOfMemory called
Assertion failure: !unknownProperties(), at /Users/skywalker/trees/mozilla-central/js/src/vm/TypeInference-inl.h:999
Segmentation fault: 11

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack for Assertion failure: !unknownProperties()

(lldb) bt 5
* thread #1: tid = 0x940717, 0x00000001007fec9d js-dbg-64-dm-darwin-42627d5369b3`js::ObjectGroup::getProperty(this=<unavailable>, cx=<unavailable>, obj=0x0000000000000000, id=<unavailable>) + 1021 at TypeInference-inl.h:999, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001007fec9d js-dbg-64-dm-darwin-42627d5369b3`js::ObjectGroup::getProperty(this=<unavailable>, cx=<unavailable>, obj=0x0000000000000000, id=<unavailable>) + 1021 at TypeInference-inl.h:999
    frame #1: 0x00000001007d9f20 js-dbg-64-dm-darwin-42627d5369b3`js::ObjectGroup::addDefiniteProperties(this=0x0000000104e4a580, cx=0x0000000102d69400, shape=<unavailable>) + 480 at TypeInference.cpp:2678
    frame #2: 0x00000001007dee1c js-dbg-64-dm-darwin-42627d5369b3`js::PreliminaryObjectArrayWithTemplate::maybeAnalyze(this=0x0000000102f05030, cx=<unavailable>, group=<unavailable>, force=<unavailable>) + 684 at TypeInference.cpp:3502
    frame #3: 0x0000000100699bdf js-dbg-64-dm-darwin-42627d5369b3`js::NewObjectOperation(cx=0x0000000102d69400, script=<unavailable>, pc="[", newKind=GenericObject) + 303 at Interpreter.cpp:4610
    frame #4: 0x0000000101ef1525
(lldb)

Comment 6

[Nicolas B. Pierron [:nbp]]

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> The upcoming testcase asserts js debug shell on m-c changeset 42627d5369b3
> with --fuzzing-safe --no-threads --ion-eager at Assertion failure: result
> ([OOM] Is it really infallible?), at ds/LifoAlloc.h

So far this release-assert can only be triggered when we run out of ballast space.

Usually the fix is simple and is about adding a few lines to ensure that we have enough space in the loop which is making allocations.

Comment 7

[Nicolas B. Pierron [:nbp]]

So far I am unable to reproduce these issues on top of the latest mozilla-central (with Bug 1223023 patch)

Comment 8

[Benjamin Bouvier [:bbouvier] (inactive)]

Gary, see comment 7; can you trigger bisection for finding the fix, please?

Comment 9

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I couldn't reproduce with the testcase in comment 0 not with m-c tip nor the listed changeset, but I can reproduce with the listed changeset of the testcase in comment 4.

Good news is that it seems to be fixed in m-c tip rev d6d81655dd9e, so finding a fix range now.

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: OOM_VERBOSE=1 stack

Here's the OOM_VERBOSE=1 stack for the testcase in comment 4.

Comment 11

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/52d7c9292ecf
user:        Jan de Mooij
date:        Sat Nov 21 14:33:13 2015 +0100
summary:     Bug 1132183 - Make |this| a real binding, remove lazy this computation. r=efaust,shu

Jan, is bug 1132183 a likely fix for the testcase in comment 4? (Hopefully the OOM_VERBOSE=1 stack in comment 10 can help you diagnose if the fix is correct?)

Comment 12

[Jan de Mooij [:jandem]]

Attachment: Patch

Here's a fix for the !unknownProperties() assertion failure.

In ObjectGroup::addDefiniteProperties, we have to return immediately after getProperty fails, because calling getProperty again will assert.

Comment 13

[Pulsebot]

https://hg.mozilla.org/integration/mozilla-inbound/rev/80271595e989

Comment 14

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/80271595e989

Comment 15

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/80271595e989