Closed
Bug 1238555
Opened 8 years ago
Closed 8 years ago
Assertion failure: &i.block() == scope->as<ClonedBlockObject>().staticScope(), at js/src/vm/Stack.cpp:164 with OOM
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED FIXED, mozilla48
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments (2 files):
14.66 KB, text/plain
4.99 KB, patch; till: review+
The following testcase crashes on mozilla-central revision 6020a4cb41a7 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):

oomTest( function x() { try { eval('let ') } catch (ex) { (function() {})() } } );

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#0 0x0000000000b01c66 in AssertDynamicScopeMatchesStaticScope (cx=<optimized out>, script=<optimized out>, scope=0x7ffff7e8a0a0) at js/src/vm/Stack.cpp:164
#1 0x0000000000b02157 in js::InterpreterFrame::prologue (this=0x7ffff313d140, cx=cx@entry=0x7ffff6907800) at js/src/vm/Stack.cpp:246
#2 0x0000000000a3fcea in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2874
#3 0x0000000000a47187 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:424
#4 0x0000000000a474ac in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#5 0x0000000000a48da8 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:529
#6 0x00000000008daee4 in JS_CallFunction (cx=cx@entry=0x7ffff6907800, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2830
#7 0x0000000000a5f44e in OOMTest (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7ffff313d0a0) at js/src/builtin/TestingFunctions.cpp:1196
#8 0x0000000000a4a842 in js::CallJSNative (cx=0x7ffff6907800, native=0xa5f1b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6918

rax 0x0 0
rbx 0x1b8dfc0 28893120
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc210 140737488339472
rsp 0x7fffffffc170 140737488339312
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffbf30 140737488338736
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff7e67ca0 140737352465568
r13 0x1b8e100 28893440
r14 0x1b8e740 28895040
r15 0x7ffff7e8a0a0 140737352605856
rip 0xb01c66 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1350>
=> 0xb01c66 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1350>: movl $0xa4,0x0
0xb01c71 <AssertDynamicScopeMatchesStaticScope(JSContext*, JSScript*, JSObject*)+1361>: callq 0x4a2c00 <abort()>
Updated 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1, 8 years ago

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781".
The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1
The bisection window probably isn't accurate. I've attached the OOM_VERBOSE=1 stack obtained via: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips#How_to_debug_oomTest%28%29_failures
This probably relates to something about shapes/protos/SavedStacks in the interpreter. Tentatively setting needinfo? from :Waldo, please feel free to forward the needinfo if necessary.
Flags: needinfo?(jwalden+bmo)
Comment 5, 8 years ago

Terrence please take a look and assign appropriately
Flags: needinfo?(nihsanullah) → needinfo?(terrence)
Comment 7, 8 years ago

The scope that's mismatching is the static block scope for the catch block. What's going on here is this. In the test,

oomTest( function x() { try { eval('let ') } catch (ex) { (function() {})() } } );

there are 2 lazy functions created internally, |x| and the anonymous IIFE in the catch block. oomTest causes the compilation of the outer function to fail *after* the IIFE gets successfully delazified. So, the IIFE function now has a JSScript whose enclosing static scope is a StaticBlockScope of the catch block created during the failed compilation. But since the compilation of |x| failed, we try to recompile again, creating a new StaticBlockScope for the catch block. We don't bother re-delazifying the IIFE because it's already delazified. Now the scopes don't match up.
Flags: needinfo?(shu)
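The failure mode described in comment 7, as an added stand-alone model (not SpiderMonkey code): each compilation attempt of |x| creates a fresh catch-block scope, the IIFE is delazified during the attempt that then hits OOM, and on retry the stale scope pointer survives unless the static scope chain is refreshed on every emit, which is what the attached patch's title describes. Names such as OuterCompiler, InnerScript and scopesMatchAfterRetry are invented for the model.

```cpp
#include <memory>
#include <vector>

// Constructed model, not SpiderMonkey code: one static block scope per
// compilation attempt, and the script record of the already-delazified IIFE.
struct StaticBlockScope { int attempt = 0; };

struct InnerScript {
    StaticBlockScope* enclosingScope = nullptr;  // static scope chain set at emit time
    bool delazified = false;                     // true once the IIFE has a JSScript
};

struct OuterCompiler {
    std::vector<std::unique_ptr<StaticBlockScope>> scopes;  // catch-block scope per attempt
    bool refreshChainOnEveryEmit = false;  // patched behaviour: always update the chain

    // One compilation of |x|: create a fresh catch-block scope, emit the IIFE,
    // then optionally fail (simulated OOM after the IIFE was delazified).
    bool compile(InnerScript& iife, bool oomAfterEmit) {
        scopes.push_back(std::make_unique<StaticBlockScope>());
        scopes.back()->attempt = static_cast<int>(scopes.size());
        // Buggy path: the chain is written only when the IIFE is first delazified,
        // so a retry leaves it pointing at the scope of the failed attempt.
        if (!iife.delazified || refreshChainOnEveryEmit) {
            iife.enclosingScope = scopes.back().get();
            iife.delazified = true;
        }
        return !oomAfterEmit;
    }

    // The scope the catch block actually runs in: the one from the latest attempt.
    StaticBlockScope* liveCatchScope() const { return scopes.back().get(); }
};

// Mirrors the Stack.cpp:164 assertion: the dynamic scope the IIFE is entered with
// must match the static scope its script records. Returns true if they still match
// after a failed compile followed by a successful retry.
bool scopesMatchAfterRetry(bool patched) {
    OuterCompiler c;
    c.refreshChainOnEveryEmit = patched;
    InnerScript iife;
    if (!c.compile(iife, /*oomAfterEmit=*/true))  // first attempt hits OOM
        c.compile(iife, /*oomAfterEmit=*/false);  // recompilation succeeds
    return iife.enclosingScope == c.liveCatchScope();
}
```

scopesMatchAfterRetry(false) reproduces the mismatch the assertion catches; scopesMatchAfterRetry(true) shows the invariant holding once the chain is refreshed on every emit.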
Comment 8, 8 years ago

Attachment #8731438 - Flags: review?(till)
Comment 9, 8 years ago

Comment on attachment 8731438 [details] [diff] [review]
Always update the LazyScript's static scope chain when emitting functions.

Review of attachment 8731438 [details] [diff] [review]:
-----------------------------------------------------------------

That's a pretty amazing corner case.
Attachment #8731438 - Flags: review?(till) → review+
Comment 11, 8 years ago

Backed out for opt-only jit-test failures.
https://hg.mozilla.org/integration/mozilla-inbound/rev/56cc2557cdff
https://treeherder.mozilla.org/logviewer.html#?job_id=24074969&repo=mozilla-inbound

TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/gc/bug-1238555.js | /builds/slave/test/build/tests/jit-test/jit-test/tests/gc/bug-1238555.js:1:1 ReferenceError: oomTest is not defined (code 3, args "")
Comment 13, 8 years ago

bugherder
https://hg.mozilla.org/mozilla-central/rev/ed7f0e024ce8
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 14, 8 years ago

Too late for assertion fixes in 46.
Updated 8 years ago
Flags: needinfo?(jwalden+bmo)