Closed
Bug 1255954
Opened 8 years ago
Closed 8 years ago
Assertion failure: !blockDepth_, at js/src/asmjs/AsmJS.cpp:2636 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: luke)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
|
2.10 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 3a11a57b43aa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-offthread-compile=off):
const USE_ASM = '"use asm";';
function asmCompile() {
var f = Function.apply(null, arguments);
}
oomTest(() => {
try {
function f(b) {}
} catch (exc0) {}
f(asmCompile(USE_ASM + "function f() { var i=42; return i|0; for(;1;) {} return 0 } return f"));
});
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000058cd42 in ~FunctionValidator (this=0x7fffffff6d30, __in_chrg=<optimized out>) at js/src/asmjs/AsmJS.cpp:2636
#0 0x000000000058cd42 in ~FunctionValidator (this=0x7fffffff6d30, __in_chrg=<optimized out>) at js/src/asmjs/AsmJS.cpp:2636
#1 CheckFunction (m=...) at js/src/asmjs/AsmJS.cpp:6777
#2 0x000000000058ed80 in CheckFunctions (m=...) at js/src/asmjs/AsmJS.cpp:6803
#3 CheckModule (cx=cx@entry=0x7ffff6907800, parser=..., stmtList=stmtList@entry=0x7ffff698a318, moduleObj=..., moduleObj@entry=..., time=time@entry=0x7fffffff8530, slowFuncs=slowFuncs@entry=0x7fffffff85d0) at js/src/asmjs/AsmJS.cpp:7014
#4 0x000000000058f862 in js::CompileAsmJS (cx=0x7ffff6907800, parser=..., stmtList=stmtList@entry=0x7ffff698a318, validated=validated@entry=0x7fffffff87f0) at js/src/asmjs/AsmJS.cpp:8291
[...]
#47 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff698a920 140737330587936
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff70e0 140737488318688
rsp 0x7fffffff6b70 140737488317296
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff6930 140737488316720
r11 0x7ffff6c27ee0 140737333329632
r12 0x7ffff698a000 140737330585600
r13 0x7ffff698a3c0 140737330586560
r14 0x0 0
r15 0x7fffffff7370 140737488319344
rip 0x58cd42 <CheckFunction(ModuleValidator&)+7346>
=> 0x58cd42 <CheckFunction(ModuleValidator&)+7346>: movl $0xa4c,0x0
0x58cd4d <CheckFunction(ModuleValidator&)+7357>: callq 0x4a6740 <abort()>
|
Assignee | |
Comment 1•8 years ago
|
||
Spurious assertion failure on simulated OOM. Easy to fix by moving asserts to the finish().
|
||
Comment 2•8 years ago
|
||
Comment on attachment 8729861 [details] [diff] [review] move-asserts Review of attachment 8729861 [details] [diff] [review]: ----------------------------------------------------------------- Thanks, please add a test.
Attachment #8729861 -
Flags: review?(bbouvier) → review+
|
|
||
Comment 5•8 years ago
|
||
Landed a followup to fix failing tests. The new test was missing: >if (!('oomTest' in this)) > quit(); Followup change: https://hg.mozilla.org/integration/mozilla-inbound/rev/96b5a4999015 Push with followup: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=96b5a4999015 Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=8d78cce3934e
|
|
Assignee | |
Comment 6•8 years ago
|
||
Thanks!
|
||
Comment 7•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8d78cce3934e https://hg.mozilla.org/mozilla-central/rev/96b5a4999015
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in
before you can comment on or make changes to this bug.
Description
•