Closed Bug 1248202 Opened 8 years ago Closed 8 years ago

Assertion failure: hasOptimizations(), at js/src/jit/CompileInfo.h:168

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(2 files)

OOM_VERBOSE=1 stack from m-c rev d719ac4bcbec
5.05 KB, text/plain
Details
Handle an OOM case in optimization tracking.
1.51 KB, patch
jandem
: review+
gkw
: feedback+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision d719ac4bcbec (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
enableSPSProfilingWithSlowAssertions();
// Adapted from randomly chosen test: js/src/jit-test/tests/modules/eval-module-oom.js
let x = {};
setModuleResolveHook(function(m, s) {
    return x[s];
})
let y = "export default 0; export function f(){}";
let z = "import x from 'a'";
oomTest(() => {
    x['a'] = parseModule(y);
    let b = x[''] = parseModule(z);
    b.declarationInstantiation();
    throw 42;
})

Backtrace:

0   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0040531b js::jit::IonBuilder::startTrackingOptimizations() + 459 (CompileInfo.h:168)
1   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x002b2ca1 js::jit::IonBuilder::jsop_getprop(js::PropertyName*) + 33 (IonBuilder.cpp:10982)
2   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x002a51cd js::jit::IonBuilder::inspectOpcode(JSOp) + 1117 (IonBuilder.cpp:2016)
3   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x002a269a js::jit::IonBuilder::traverseBytecode() + 634 (IonBuilder.cpp:1522)
4   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0029d417 js::jit::IonBuilder::build() + 2039 (IonBuilder.cpp:918)
5   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0027efa5 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 3141 (Ion.cpp:2195)
6   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0027df63 js::jit::CanEnter(JSContext*, js::RunState&) + 387 (Ion.cpp:2526)
7   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0081f5d2 js::RunScript(JSContext*, js::RunState&) + 274 (Interpreter.cpp:402)
8   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x00837daf js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 687 (Interpreter.cpp:493)
9   js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527)
10  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x001d2e0f js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2735 (BaselineIC.cpp:6136)
11  ???                           	0x01ddce2e 0 + 31313454
12  ???                           	0x0310f4a0 0 + 51442848
13  ???                           	0x01dd6c5c 0 + 31288412
14  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x001e336b EnterBaseline(JSContext*, js::jit::EnterJitData&) + 683 (BaselineJIT.cpp:149)
15  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x001e2ec9 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 249 (BaselineJIT.cpp:185)
16  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0081f60f js::RunScript(JSContext*, js::RunState&) + 335 (Interpreter.cpp:415)
17  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x00837daf js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 687 (Interpreter.cpp:493)
18  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527)
19  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0058fb3c JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) + 540 (jsapi.cpp:2856)
20  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x007fa2b9 OOMTest(JSContext*, unsigned int, JS::Value*) + 873 (TestingFunctions.cpp:1210)
21  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x008534dd js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 221 (jscntxtinlines.h:236)
22  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x00837dfc js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 764 (Interpreter.cpp:463)
23  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527)
24  js-dbg-32-dm-clang-darwin-d719ac4bcbec	0x001d2e0f js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2735 (BaselineIC.cpp:6136)
25  ???                           	0x01ddce2e 0 + 31313454
26  ???                           	0x03198db8 0 + 52006328

This seems to only reproduce on 32-bit shells.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fd69e842ed49
parent:      274349:6499724b05d0
user:        Jon Coppeard
date:        Thu Nov 26 11:49:54 2015 +0000
summary:     Bug 1227533 - Factor out dummy module resolve hook from tests r=shu

Jon, is bug 1227533 a likely regressor?
Blocks: 1227533
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e355cacefc88).
Not related to that bug, but thanks to the stack in comment 2 I can see what the problem is.  IonBuilder::trackOptimizationAttemptUnchecked() calls setOptimizations(nullptr) on the BytecodeSite if we hit OOM, but that will cause subsequent calls to optimizations() to assert.  Maybe we need to disable optimisation tracking if we hit OOM, or take account of the the possibility that this may be null.
Flags: needinfo?(jcoppeard)
Flags: needinfo?(shu)
So I can't reproduce the bug, but based on the stacks this looks like the
correct fix. Can someone who was able to reproduce the bug try this patch to
confirm fix?
Attachment #8719965 - Flags: feedback?(gary)
Flags: needinfo?(shu)
Comment on attachment 8719965 [details] [diff] [review]
Handle an OOM case in optimization tracking.

Yes, this fix works. Thanks!
Flags: needinfo?(shu)
Attachment #8719965 - Flags: feedback?(gary) → feedback+
Attachment #8719965 - Flags: review?(jdemooij)
Flags: needinfo?(shu)
Attachment #8719965 - Flags: review?(jdemooij) → review+
Shu-yu, is this ready for landing?
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4b043b29bb04
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox47: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: