Assertion failure: !cx->isExceptionPending(), at js/src/builtin/TestingFunctions.cpp:1170

RESOLVED FIXED in Firefox 46

Status
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gkw, Unassigned)

Tracking
Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla46
Platform: x86_64
OS: Mac OS X

Firefox Tracking Flags

(firefox45 affected, firefox46 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

Description (Reporter, 2 years ago)
The following testcase crashes on mozilla-central revision 412e4d7ce98c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug1022081.js
enableSPSProfiling();
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1214006.js
oomTest(function() {
    eval("(function() {})()")
});

Backtrace:

0   js-dbg-64-dm-darwin-412e4d7ce98c	0x00000001006fae28 OOMTest(JSContext*, unsigned int, JS::Value*) + 1320 (TestingFunctions.cpp:1170)
1   js-dbg-64-dm-darwin-412e4d7ce98c	0x0000000100727ec2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236)
2   js-dbg-64-dm-darwin-412e4d7ce98c	0x00000001007286fb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:496)
3   js-dbg-64-dm-darwin-412e4d7ce98c	0x000000010018963b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6155)
4   ???                           	0x0000000101db5f6b 0 + 4326121323
5   ???                           	0x0000000103d218c8 0 + 4359067848
Comment 1 (Reporter, 2 years ago)
With help from :jonco, we looked at this using the technique in:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips#How_to_debug_oomTest%28%29_failures

and got:

    frame #5: 0x00000001001eda14 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) [inlined] unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(this=0x0000000102b69400, numElems=72) + 8 at MallocProvider.h:90
    frame #6: 0x00000001001eda0c js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) [inlined] mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>* js::MallocProvider<js::ExclusiveContext>::new_<mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy> >(this=0x0000000102b69400) at MallocProvider.h:190
    frame #7: 0x00000001001eda0c js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(this=0x000000010460a000, cx=0x0000000102b69400, constraints=<unavailable>) + 1228 at CodeGenerator.cpp:8204
    frame #8: 0x0000000100268ab5 js-dbg-64-dm-darwin-412e4d7ce98c`LinkCodeGen(cx=0x0000000102b69400, builder=0x0000000103fe71c0, codegen=0x000000010460a000, scripts=MutableHandle<js::TraceableVector<JSScript *, 0, js::TempAllocPolicy, js::DefaultGCPolicy<JSScript *> > > @ 0x00007fff5fbfbf80, info=0x00007fff5fbfc140) + 293 at Ion.cpp:566
    frame #9: 0x0000000100229669 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 559 at Ion.cpp:2270
    frame #10: 0x000000010022943a js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::Compile(cx=0x0000000102b69400, script=<unavailable>, osrFrame=<unavailable>, osrPc=<unavailable>, constructing=true, forceRecompile=<unavailable>) + 4170 at Ion.cpp:2430
    frame #11: 0x0000000100229fa2 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CanEnter(cx=0x0000000102b69400, state=0x00007fff5fbfc478) + 370 at Ion.cpp:2593
    frame #12: 0x0000000100710e51 js-dbg-64-dm-darwin-412e4d7ce98c`js::RunScript(cx=0x0000000102b69400, state=0x00007fff5fbfc478) + 289 at Interpreter.cpp:367
    frame #13: 0x0000000100727f29 js-dbg-64-dm-darwin-412e4d7ce98c`js::Invoke(cx=0x0000000102b69400, args=<unavailable>, construct=<unavailable>) + 889 at Interpreter.cpp:462
    frame #14: 0x00000001007286fb js-dbg-64-dm-darwin-412e4d7ce98c`js::Invoke(cx=0x0000000102b69400, thisv=0x00007fff5fbfc770, fval=<unavailable>, argc=<unavailable>, argv=<unavailable>, rval=<unavailable>) + 555 at Interpreter.cpp:496
    frame #15: 0x000000010018963b js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::DoCallFallback(cx=0x0000000102b69400, frame=0x00007fff5fbfc978, stub_=0x0000000104606220, argc=0, vp=0x00007fff5fbfc938, res=<unavailable>) + 2811 at BaselineIC.cpp:6155
    frame #16: 0x0000000101db5f6b

We used hg blame on CodeGenerator.cpp and the following region of code near:

https://hg.mozilla.org/mozilla-central/annotate/412e4d7ce98ca4dbc37de133d0f26d7e1a59946f/js/src/jit/CodeGenerator.cpp#l8205

might be involved, and its corresponding changeset is:

https://hg.mozilla.org/mozilla-central/rev/98498bec2d96

Shu-yu, is bug 1030389 a likely regressor?
Blocks: 1030389
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: needinfo?(shu)
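To show what the oomTest() harness in the description is actually checking, here is an added C++ sketch (not SpiderMonkey code): a constructed stand-in context with injected allocation failure, a link() in the buggy shape that reports OOM yet returns success, the fixed shape that propagates the failure, and a loop that fails each allocation in turn and checks the invariant from the bug title. The names Context, TrackedOptimizations, linkBuggy, linkFixed and the counters are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <memory>
#include <vector>
// Constructed stand-in for the slice of JSContext this bug involves.
struct Context {
    bool exceptionPending = false; // what cx->isExceptionPending() reports
    size_t failAtAlloc = 0;        // inject OOM on the Nth allocation (0 = never)
    size_t allocCount = 0;
    // Models MallocProvider::new_: injected OOM reports (exception pending), returns nullptr.
    template <typename T> T* new_() {
        if (failAtAlloc && ++allocCount == failAtAlloc) {
            exceptionPending = true;
            return nullptr;
        }
        return new T();
    }
};

struct TrackedOptimizations { std::vector<int> entries; };

// Buggy shape: the OOM is reported, but link() carries on and returns true,
// so the caller believes codegen succeeded while an exception is pending.
bool linkBuggy(Context& cx) {
    std::unique_ptr<TrackedOptimizations> tracked(cx.new_<TrackedOptimizations>());
    if (tracked) tracked->entries.push_back(1);
    return true;
}

// Fixed shape: an allocation failure aborts the link and propagates failure,
// so a pending exception is always paired with a false return.
bool linkFixed(Context& cx) {
    std::unique_ptr<TrackedOptimizations> tracked(cx.new_<TrackedOptimizations>());
    if (!tracked) return false;
    tracked->entries.push_back(1);
    return true;
}

// Mirrors oomTest(): fail the 1st, 2nd, ... allocation in turn and check that success
// never leaves an exception pending. Returns the offending injection point, or 0.
size_t oomTest(bool (*fn)(Context&)) {
    for (size_t n = 1; n <= 8; ++n) {
        Context cx; cx.failAtAlloc = n;
        bool ok = fn(cx);
        if (ok && cx.exceptionPending) return n;   // the assertion in the bug title
        if (!ok && !cx.exceptionPending) return n; // failed without reporting
        if (ok) return 0;  // no allocation reached the injection point
    }
    return 0;
}
```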

Comment 2 (2 years ago)
Created attachment 8698755 [details] [diff] [review]
Correctly recover if allocating tracked optimizations go OOM.
Attachment #8698755 - Flags: review?(jcoppeard)

Updated (2 years ago)
Flags: needinfo?(shu)

Comment 3 (2 years ago)
Comment on attachment 8698755 [details] [diff] [review]
Correctly recover if allocating tracked optimizations go OOM.

Review of attachment 8698755 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.

::: js/src/jit-test/tests/profiler/bug1231925.js
@@ +1,2 @@
> +enableSPSProfiling();
> +oomTest(function() {
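Review bot: the new test calls enableSPSProfiling() and oomTest() unconditionally at lines 1-2, and oomTest() does not exist in opt builds, so the guard `if (!('oomTest' in this)) quit();` should be the first line of the file, ahead of enableSPSProfiling(), so that opt-build runs exit cleanly instead of failing on an undefined function.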

This will need an |if (!('oomTest' in this)) quit();| line as oomTest() is not present in opt builds.
Attachment #8698755 - Flags: review?(jcoppeard) → review+

Comment 4 (2 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/fadbd842107b

Comment 5 (bugherder, 2 years ago)
https://hg.mozilla.org/mozilla-central/rev/fadbd842107b
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46