Closed
Bug 1254172
Opened 9 years ago
Closed 9 years ago
Assertion failure: !unknownProperties(), at js/src/vm/TypeInference-inl.h:1043 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla49
People
(Reporter: decoder, Assigned: efaust)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file)
|
2.62 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-check-range-analysis):
var lfcode = new Array();
var lfRunTypeId = -1;
lfcode.push("");
lfcode.push("");
lfcode.push("3");
lfcode.push(`
oomTest(function() {
eval(\`var [r, g, b] = [1, 1, 1];
wm.set({}, 'FOO').get(log, 'watcher');\`);
});
`);
while (true) {
var file = lfcode.shift(); if (file == undefined) { break; }
loadFile(file);
}
function loadFile(lfVarx) {
switch (lfRunTypeId) {
case 1: eval(lfVarx);
default: evaluate(lfVarx);
}
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000062ae10 in js::ObjectGroup::maybeGetProperty (this=0x7ffff7e66a30, id=...) at js/src/vm/TypeInference-inl.h:1043
#0 0x000000000062ae10 in js::ObjectGroup::maybeGetProperty (this=0x7ffff7e66a30, id=...) at js/src/vm/TypeInference-inl.h:1043
#1 0x0000000000bc37c6 in PropagatePropertyTypes (cx=cx@entry=0x7ffff6907800, id=..., id@entry=..., oldGroup=oldGroup@entry=0x7ffff7e66a30, newGroup=newGroup@entry=0x7ffff7e66c40) at js/src/vm/UnboxedObject.cpp:387
#2 0x0000000000bc714f in js::UnboxedLayout::makeNativeGroup (cx=cx@entry=0x7ffff6907800, group=0x7ffff7e66a30) at js/src/vm/UnboxedObject.cpp:530
#3 0x0000000000bcdf01 in js::UnboxedPlainObject::convertToNative (cx=cx@entry=0x7ffff6907800, obj=0x7ffff4801640) at js/src/vm/UnboxedObject.cpp:561
#4 0x0000000000bce41b in js::UnboxedPlainObject::obj_setProperty (cx=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/UnboxedObject.cpp:831
#5 0x0000000000932d46 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907800, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1046
#6 0x00000000006282d8 in js::SetProperty (cx=cx@entry=0x7ffff6907800, obj=..., obj@entry=..., id=..., id@entry=..., v=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.h:1491
#7 0x00000000006206aa in PutProperty (strict=false, v=..., id=..., obj=..., cx=0x7ffff6907800) at js/src/jsobj.h:934
#8 InitPropertyOperation (rhs=..., id=..., obj=..., op=<optimized out>, cx=0x7ffff6907800) at js/src/vm/Interpreter-inl.h:343
#9 js::jit::DoSetPropFallback (cx=0x7ffff6907800, frame=<optimized out>, stub_=<optimized out>, lhs=..., rhs=..., res=...) at js/src/jit/BaselineIC.cpp:4687
#10 0x00007ffff7ff1c2f in ?? ()
[...]
#43 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff7e66a30 140737352460848
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff97a0 140737488328608
rsp 0x7fffffff9770 140737488328560
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff9530 140737488327984
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff7e1cf58 140737352159064
r13 0x27ff0001 671023105
r14 0x7fffffff97e0 140737488328672
r15 0x7ffff7e1cf58 140737352159064
rip 0x62ae10 <js::ObjectGroup::maybeGetProperty(jsid)+880>
=> 0x62ae10 <js::ObjectGroup::maybeGetProperty(jsid)+880>: movl $0x413,0x0
0x62ae1b <js::ObjectGroup::maybeGetProperty(jsid)+891>: callq 0x4a6f30 <abort()>
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•9 years ago
|
||
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20160212031715" and the hash "c1e09305f827211d32ff6a7d54be608d52710232".
The "bad" changeset has the timestamp "20160212041815" and the hash "966f47ed2f25eb54fb1f967d4443b3c2b8b63220".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c1e09305f827211d32ff6a7d54be608d52710232&tochange=966f47ed2f25eb54fb1f967d4443b3c2b8b63220
Guessing the regression window isn't accurate due to intermittent OOM.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/966f47ed2f25
user: Joel Maher
date: Fri Feb 12 04:11:10 2016 -0800
summary: backout Bug 1221144 for perf regression
autoBisect keeps pointing to the backout of a patch of bug 1221144, so setting needinfo? from Jason who wrote the patches for bug 1221144.
Flags: needinfo?(jorendorff)
|
||
Comment 4•9 years ago
|
||
I don't think I will be re-landing the patches that bounced in bug 1221144. They lost on speed and memory usage, and I don't think it's easily fixed.
So I will have to look at this for real.
|
|
||
Updated•9 years ago
|
Assignee: nobody → jorendorff
Flags: needinfo?(jorendorff)
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 5•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision afd82f887093).
|
Assignee | |
Comment 6•9 years ago
|
||
I also cannot reproduce this.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
|
|
||
Comment 7•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 2b7c421063ad).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f88bfa306282
user: Greg Weng
date: Tue Apr 12 18:29:00 2016 +0200
summary: Bug 1198701 - ArrayIterator gets length property after iteration has finished. r=till
This iteration took 0.530 seconds to run.
|
|
Assignee | |
Comment 8•9 years ago
|
||
OK, so, the "fix" bisected to above is just because we perturbed the self-hosted code that was tickling this assert in TI, but the potential remains.
Fix UnboxedLayout::makeNativeGroup to be robust in the face of the unboxed group having unknownProperties.
Assignee: jorendorff → efaustbmo
Status: NEW → ASSIGNED
Attachment #8748102 -
Flags: review?(jdemooij)
|
||
Comment 9•9 years ago
|
||
Comment on attachment 8748102 [details] [diff] [review]
Fix
Review of attachment 8748102 [details] [diff] [review]:
-----------------------------------------------------------------
Makes sense, thanks for fixing.
Attachment #8748102 -
Flags: review?(jdemooij) → review+
|
||
Comment 10•9 years ago
|
||
|
||
Comment 11•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox49:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
|
||
Comment 12•9 years ago
|
||
Looks like 48 would also be affected. Is this worth uplifting to 48 aurora?
If not, let's go ahead and wontfix for 48 as well as for 47 (as it is getting late for beta uplifts)
|
|
Assignee | |
Comment 13•9 years ago
|
||
Normally I would say 'no', because this is just an OOM bug, but this one is slightly more insidious. Jan, what do you think?
Flags: needinfo?(efaustbmo) → needinfo?(jdemooij)
|
|
||
Comment 14•9 years ago
|
||
(In reply to Eric Faust [:efaust] from comment #13)
> Normally I would say 'no', because this is just an OOM bug, but this one is
> slightly more insidious. Jan, what do you think?
I agree it's not urgent, but an OOM here doesn't seem entirely impossible and it's a safe patch..
Flags: needinfo?(jdemooij)
You need to log in
before you can comment on or make changes to this bug.
Description
•