Closed Bug 1252903 Opened 8 years ago Closed 8 years ago

Assertion failure: block->entryResumePoint() != nullptr, at js/src/jit/IonAnalysis.cpp:2310 with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla48
Tracking Flags:
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Patch
13.21 KB, patch
jonco
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision e15383656900 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager):

evaluate(`
  oomTest(() => {
    offThreadCompileScript(\`
        function f(x) {
            return 1 + f(x.toString());
        }
        f(5);
        \`);
    runOffThreadScript();
  });
`);



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006c94dd in js::jit::AssertBasicGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2309
#0  0x00000000006c94dd in js::jit::AssertBasicGraphCoherency (graph=...) at js/src/jit/IonAnalysis.cpp:2309
#1  0x0000000000691107 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff01ae270) at js/src/jit/Ion.cpp:1516
#2  0x0000000000696027 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff01ae270) at js/src/jit/Ion.cpp:1992
#3  0x000000000069969f in js::jit::IonCompile (cx=cx@entry=0x7ffff6907800, script=script@entry=0x7fffef212d90, baselineFrame=baselineFrame@entry=0x7ffffffcd6b8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2263
#4  0x0000000000699d20 in js::jit::Compile (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7ffffffcd6b8, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2433
#5  0x000000000069a5aa in BaselineCanEnterAtEntry (frame=0x7ffffffcd6b8, script=..., cx=0x7ffff6907800) at js/src/jit/Ion.cpp:2557
#6  js::jit::IonCompileScriptForBaseline (cx=0x7ffff6907800, frame=0x7ffffffcd6b8, pc=<optimized out>) at js/src/jit/Ion.cpp:2681
#7  0x00007ffff7feb8c5 in ?? ()
[...]
#127 0x00007fffffff8bc0 in ?? ()
rax	0x0	0
rbx	0x7ffff01afc78	140737221688440
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7ffffffccf80	140737488146304
rsp	0x7ffffffccef0	140737488146160
r8	0x7ffff7fdf7c0	140737354004416
r9	0x80000000000	8796093022208
r10	0x7ffffffcccb0	140737488145584
r11	0x7ffff6c27ee0	140737333329632
r12	0x7ffff01b0eb8	140737221693112
r13	0x7ffff01b0910	140737221691664
r14	0x0	0
r15	0x7ffffffccf40	140737488146240
rip	0x6c94dd <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4141>
=> 0x6c94dd <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4141>:	movl   $0x906,0x0
   0x6c94e8 <js::jit::AssertBasicGraphCoherency(js::jit::MIRGraph&)+4152>:	callq  0x4a6780 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151209185239" and the hash "6fce35b1c9877805e071baa91136f372091ccc66".
The "bad" changeset has the timestamp "20151209195945" and the hash "151ce2b0e3f6b73505be35561f148678577dcbcb".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6fce35b1c9877805e071baa91136f372091ccc66&tochange=151ce2b0e3f6b73505be35561f148678577dcbcb
Jan, is bug 1225396 a likely regressor? (or does one need a OOM_VERBOSE stack)
Blocks: 1225396
Flags: needinfo?(jdemooij)
Attached patch PatchSplinter Review 
Missing an OOM check.

I also added MOZ_WARN_UNUSED_RESULT to various fallible method in JIT code, but those didn't uncover any other issues.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8727778 - Flags: review?(jcoppeard)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Jan, is bug 1225396 a likely regressor? (or does one need a OOM_VERBOSE
> stack)

Bug 1225396 is unrelated. Somehow a lot of OOM bugs involving offThreadCompileScript seem to incorrectly bisect to that bug..
No longer blocks: 1225396
Attachment #8727778 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/9c01878c2e8a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
This is "just a null crash" on OOM. Jan says it's not worth uplifting. WONTFIX 47.
status-firefox47: affectedwontfix
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: