Closed
Bug 1252903
Opened 9 years ago
Closed 9 years ago
Assertion failure: block->entryResumePoint() != nullptr, at js/src/jit/IonAnalysis.cpp:2310 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
13.21 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager):
evaluate(`
oomTest(() => {
offThreadCompileScript(\`
function f(x) {
return 1 + f(x.toString());
}
f(5);
\`);
runOffThreadScript();
});
`);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000006c94dd in js::jit::AssertBasicGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2309
#0 0x00000000006c94dd in js::jit::AssertBasicGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2309
#1 0x0000000000691107 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff01ae270) at js/src/jit/Ion.cpp:1516
#2 0x0000000000696027 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff01ae270) at js/src/jit/Ion.cpp:1992
#3 0x000000000069969f in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7fffef212d90, baselineFrame=baselineFrame@entry=0x7ffffffcd6b8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2263
#4 0x0000000000699d20 in js::jit::Compile (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7ffffffcd6b8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2433
#5 0x000000000069a5aa in BaselineCanEnterAtEntry (frame=0x7ffffffcd6b8, script=..., cx=0x7ffff6907800) at js/src/jit/Ion.cpp:2557
#6 js::jit::IonCompileScriptForBaseline (cx=0x7ffff6907800, frame=0x7ffffffcd6b8, pc=<optimized out>) at js/src/jit/Ion.cpp:2681
#7 0x00007ffff7feb8c5 in ?? ()
[...]
#127 0x00007fffffff8bc0 in ?? ()
rax 0x0 0
rbx 0x7ffff01afc78 140737221688440
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7ffffffccf80 140737488146304
rsp 0x7ffffffccef0 140737488146160
r8 0x7ffff7fdf7c0 140737354004416
r9 0x80000000000 8796093022208
r10 0x7ffffffcccb0 140737488145584
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff01b0eb8 140737221693112
r13 0x7ffff01b0910 140737221691664
r14 0x0 0
r15 0x7ffffffccf40 140737488146240
rip 0x6c94dd <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4141>
=> 0x6c94dd <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4141>: movl $0x906,0x0
0x6c94e8 <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4152>: callq 0x4a6780 <abort()>
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20151209185239" and the hash "6fce35b1c9877805e071baa91136f372091ccc66".
The "bad" changeset has the timestamp "20151209195945" and the hash "151ce2b0e3f6b73505be35561f148678577dcbcb".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6fce35b1c9877805e071baa91136f372091ccc66&tochange=151ce2b0e3f6b73505be35561f148678577dcbcb
Jan, is bug 1225396 a likely regressor? (or does one need a OOM_VERBOSE stack)
Blocks: 1225396
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 3•9 years ago
|
||
Missing an OOM check.
I also added MOZ_WARN_UNUSED_RESULT to various fallible method in JIT code, but those didn't uncover any other issues.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8727778 -
Flags: review?(jcoppeard)
|
|
Assignee | |
Comment 4•9 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Jan, is bug 1225396 a likely regressor? (or does one need a OOM_VERBOSE
> stack)
Bug 1225396 is unrelated. Somehow a lot of OOM bugs involving offThreadCompileScript seem to incorrectly bisect to that bug..
No longer blocks: 1225396
|
||
Updated•9 years ago
|
Attachment #8727778 -
Flags: review?(jcoppeard) → review+
|
||
Comment 6•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
|
||
Comment 7•9 years ago
|
||
This is "just a null crash" on OOM. Jan says it's not worth uplifting. WONTFIX 47.
You need to log in
before you can comment on or make changes to this bug.
Description
•