Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h

RESOLVED FIXED in Firefox 45

Product: Core
Component: JavaScript Engine: JIT
Severity: critical
Status: RESOLVED FIXED

People

(Reporter: gkw, Assigned: jonco)

Tracking

Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla45
Platform: x86, Mac OS X

Firefox Tracking Flags

(firefox45 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(3 attachments)

Description (Reporter, 2 years ago)

// Adapted from randomly chosen test: js/src/jit-test/tests/gc/oomInParseAsmJS.js
oomTest(function() {
    eval("\
        function g() {\
            \"use asm\";\
            function f(d) {\
                d = +d;\
                print(.0 + d);\
            }\
        }\
    ")
})

asserts js debug shell on m-c changeset faf815a0fa9b with --fuzzing-safe --no-threads --no-ion --no-baseline --ion-check-range-analysis at Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h

Configure options:

LD=ld CROSS_COMPILE=1 CC="clang -Qunused-arguments -msse2 -mfpmath=sse -arch i386" RANLIB=ranlib CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse -arch i386" AS=$CC AR=ar STRIP="strip -x -S" HOST_CC="clang -Qunused-arguments -msse2 -mfpmath=sse" AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 HOST_CXX="clang++ -Qunused-arguments -msse2 -mfpmath=sse" sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=i386-apple-darwin9.2.0 --enable-macos-target=10.5 --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --32" -r faf815a0fa9b

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user:        Jon Coppeard
date:        Tue Oct 13 13:37:07 2015 +0100
summary:     Bug 1212469 - Make oomTest() into a shell function r=nbp

Jon, is bug 1212469 a likely regressor? (I tried removing oomTest but it did not seem to reproduce)
Flags: needinfo?(jcoppeard)
Comment 1 (Reporter, 2 years ago)

Created attachment 8687402 [details]
stack

(lldb) bt 5
* thread #1: tid = 0xc235a, 0x0051f67b js-dbg-32-dm-darwin-faf815a0fa9b`mozilla::VectorBase<js::jit::MacroAssemblerX86::Double, 0ul, js::SystemAllocPolicy, js::Vector<js::jit::MacroAssemblerX86::Double, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) + 187 at Vector.h:438, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0051f67b js-dbg-32-dm-darwin-faf815a0fa9b`mozilla::VectorBase<js::jit::MacroAssemblerX86::Double, 0ul, js::SystemAllocPolicy, js::Vector<js::jit::MacroAssemblerX86::Double, 0ul, js::SystemAllocPolicy> >::operator[](this=<unavailable>, aIndex=<unavailable>) + 187 at Vector.h:438
    frame #1: 0x00502375 js-dbg-32-dm-darwin-faf815a0fa9b`js::jit::MacroAssemblerX86::getDouble(this=<unavailable>, d=<unavailable>) + 261 at MacroAssembler-x86.cpp:112
    frame #2: 0x00502419 js-dbg-32-dm-darwin-faf815a0fa9b`js::jit::MacroAssemblerX86::loadConstantDouble(this=0x02ca7000, d=<unavailable>, dest=(reg_ = xmm0, type_ = Double, isInvalid_ = false)) + 57 at MacroAssembler-x86.cpp:122
    frame #3: 0x001f4de5 js-dbg-32-dm-darwin-faf815a0fa9b`js::jit::CodeGenerator::emitAssertRangeD(this=<unavailable>, r=<unavailable>, input=(reg_ = xmm1, type_ = Double, isInvalid_ = false), temp=(reg_ = xmm0, type_ = Double, isInvalid_ = false)) + 885 at CodeGenerator.cpp:9899
    frame #4: 0x001f5855 js-dbg-32-dm-darwin-faf815a0fa9b`js::jit::CodeGenerator::visitAssertRangeD(this=<unavailable>, ins=<unavailable>) + 165 at CodeGenerator.cpp:9981
(lldb)
Updated (Reporter, 2 years ago)

Blocks: 1100132
Updated (Assignee, 2 years ago)

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Comment 2 (Assignee, 2 years ago)

Created attachment 8687969 [details] [diff] [review]
bug-1224710-get-double-oom

MacroAssemblerX86::getDouble() can fail to append the double to the vector but successfully add the index to the map.  Fixed for that method and the same issue for float/simd data.  This already got fixed for x64.
Attachment #8687969 - Flags: review?(jdemooij)
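The failure mode comment 2 describes, as an added example that is not SpiderMonkey code: a toy constant pool with a map from value to index and a fallible vector of doubles, showing the buggy ordering (index recorded in the map, then the append fails) beside the fixed ordering. The names ConstantPool, getDoubleBuggy, getDoubleFixed and the simulated capacity limit that stands in for OOM are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <vector>

// Key on the bit pattern so +0.0 and -0.0 get separate slots (this example's
// choice, not necessarily what the real assembler does).
static uint64_t bits(double d) { uint64_t u; std::memcpy(&u, &d, sizeof u); return u; }

struct ConstantPool {
    std::vector<double> doubles;         // constants to emit into the code
    std::map<uint64_t, size_t> indexOf;  // value -> index into `doubles`
    size_t capacity;                     // appends beyond this fail (simulated OOM)
    explicit ConstantPool(size_t cap) : capacity(cap) {}
    // Stand-in for mozilla::Vector::append(), which returns false under OOM.
    bool append(double d) {
        if (doubles.size() >= capacity) return false;
        doubles.push_back(d);
        return true;
    }

    // Buggy ordering: the map entry is written before append() is known to have
    // succeeded. After an OOM the stale entry makes the next lookup of the same
    // value return an index >= size(): the "aIndex < mLength" assertion.
    bool getDoubleBuggy(double d, size_t* out) {
        auto it = indexOf.find(bits(d));
        if (it != indexOf.end()) { *out = it->second; return true; }
        size_t index = doubles.size();
        indexOf[bits(d)] = index;            // committed before the fallible step
        if (!append(d)) return false;
        *out = index; return true;
    }

    // Fixed ordering: append first and record the index only on success, so a
    // failed append leaves no state behind.
    bool getDoubleFixed(double d, size_t* out) {
        auto it = indexOf.find(bits(d));
        if (it != indexOf.end()) { *out = it->second; return true; }
        size_t index = doubles.size();
        if (!append(d)) return false;        // map untouched on failure
        indexOf[bits(d)] = index;
        *out = index; return true;
    }

    // Invariant the assertion checks: every recorded index names a stored constant.
    bool consistent() const {
        for (const auto& kv : indexOf) if (kv.second >= doubles.size()) return false;
        return true;
    }
};
```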
Comment 3 (Benjamin Bouvier [:bbouvier])

Comment on attachment 8687969 [details] [diff] [review]
bug-1224710-get-double-oom

Review of attachment 8687969 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing the review, as it's subsumed by bug 1223355 I think. r=me for landing the test though! Thanks.
Attachment #8687969 - Flags: review?(jdemooij) → review+
Comment 4 (Assignee, 2 years ago)

(In reply to Benjamin Bouvier [:bbouvier] from comment #3)
Great, nice to see the common code factored out too.

Comment 5 (2 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/c80578717b7c
Comment 6 (Assignee, 2 years ago)

Backed out for SM(arm) failures on Linux.

https://hg.mozilla.org/integration/mozilla-inbound/rev/3ab0e8525e0c
Comment 7 (Assignee, 2 years ago)

Created attachment 8690081 [details] [diff] [review]
bug1224710-fix-oom-handling

Adding this test found some more unrelated OOM handling issues.  Here's a fix for these.  It looks like we already have the equivalent changes for X86.
Attachment #8690081 - Flags: review?(benj)
Comment 8

Comment on attachment 8690081 [details] [diff] [review]
bug1224710-fix-oom-handling

Review of attachment 8690081 [details] [diff] [review]:
-----------------------------------------------------------------

Indeed, thank you for the patch.
Attachment #8690081 - Flags: review?(benj) → review+

Comment 9 (2 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/b3a2844b7569
https://hg.mozilla.org/integration/mozilla-inbound/rev/1fdfc96fd7bf

Comment 10 (bugherder, 2 years ago)

https://hg.mozilla.org/mozilla-central/rev/b3a2844b7569
https://hg.mozilla.org/mozilla-central/rev/1fdfc96fd7bf
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox45: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45