Bug 1263558 - Assertion failure: isObject(), at dist/include/js/Value.h:1281
Status: Closed, RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking: mozilla48

| | Tracking | Status |
|---|---|---|
| firefox47 | --- | unaffected |
| firefox48 | + | fixed |
| firefox-esr45 | --- | unaffected |

People: Reporter: gkw, Assigned: arai
Details: 4 keywords, Whiteboard: [jsbugmon:]
Attachments (8 files, 1 obsolete file):
- 2.99 KB, text/plain
- 21.93 KB, patch (till: review+)
- 28.40 KB, patch (till: review+)
- 4.71 KB, patch (till: review+)
- 2.25 KB, patch (till: review+)
- 1.73 KB, patch (bholley: review+)
- 1.66 KB, patch (jandem: review+)
- 5.83 KB, patch (jandem: review+)
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --baseline-eager --no-ion):

```js
// Adapted from randomly chosen test: js/src/tests/test262/intl402/ch11/11.3/11.3_a.js
evalcx(`
  eval('\
    var appendToActual = function(s) {};\
    gczeal = function() {};\
    gcslice = function() {};\
    selectforgc = function() {};\
    if (!("verifyprebarriers" in this)) {\
      verifyprebarriers = function() {};\
    }\
  ');
  oomTest(() => eval('Array(..."")'));
  Intl.NumberFormat.prototype.format(0);
`, newGlobal());
```

Backtrace:

```
0   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010002222d JS::Value::toObject() const + 189 (Value.h:1281)
1   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010085ae52 intrinsic_ObjectHasPrototype(JSContext*, unsigned int, JS::Value*) + 82 (RootingAPI.h:661)
2   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007d617e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
3   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d53e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
4   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
5   ??? 0x0000000102ad2b6b 0 + 4339870571
6   ??? 0x00000001050bfc88 0 + 4379638920
7   ??? 0x0000000102acbdc4 0 + 4339842500
8   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
9   js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
10  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
11  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
12  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
13  ??? 0x0000000102ad2b6b 0 + 4339870571
14  ??? 0x00000001050bb678 0 + 4379620984
15  ??? 0x0000000102acbdc4 0 + 4339842500
16  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
17  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
18  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
19  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
20  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
21  ??? 0x0000000102ad2b6b 0 + 4339870571
22  ??? 0x00000001050b9a30 0 + 4379613744
23  ??? 0x0000000102acbdc4 0 + 4339842500
24  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
25  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
26  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
27  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
28  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
29  ??? 0x0000000102ad2b6b 0 + 4339870571
30  ??? 0x00000001050b0188 0 + 4379574664
31  ??? 0x0000000102acbdc4 0 + 4339842500
32  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
33  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
34  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
35  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
36  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
37  ??? 0x0000000102ad2b6b 0 + 4339870571
38  ??? 0x00000001050aef98 0 + 4379570072
39  ??? 0x0000000102acbdc4 0 + 4339842500
40  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
41  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
42  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
43  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
44  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
45  ??? 0x0000000102ad2b6b 0 + 4339870571
46  ??? 0x00000001050ade18 0 + 4379565592
47  ??? 0x0000000102acbdc4 0 + 4339842500
48  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
49  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
50  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
51  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
52  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
53  ??? 0x0000000102ad2b6b 0 + 4339870571
54  ??? 0x00000001050ac538 0 + 4379559224
55  ??? 0x0000000102acbdc4 0 + 4339842500
56  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
57  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
58  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
59  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
60  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
61  ??? 0x0000000102ad2b6b 0 + 4339870571
62  ??? 0x00000001050aa760 0 + 4379551584
63  ??? 0x0000000102acbdc4 0 + 4339842500
64  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
65  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
66  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
67  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
68  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
69  ??? 0x0000000102ad2b6b 0 + 4339870571
70  ??? 0x000000010509d5c0 0 + 4379497920
71  ??? 0x0000000102acbdc4 0 + 4339842500
72  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
73  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
74  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
75  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
76  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
77  ??? 0x0000000102ad2b6b 0 + 4339870571
78  ??? 0x0000000105099718 0 + 4379481880
79  ??? 0x0000000102acbdc4 0 + 4339842500
80  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
81  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
82  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
83  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
84  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
85  ??? 0x0000000102ad2b6b 0 + 4339870571
86  ??? 0x00000001050982c8 0 + 4379476680
87  ??? 0x0000000102acbdc4 0 + 4339842500
88  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
89  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
90  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
91  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d4dd js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:494)
92  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c6e42 js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 546 (Interpreter.cpp:528)
93  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c7ad2 js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 82 (Interpreter.cpp:639)
94  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007f9365 bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 965 (RootingAPI.h:667)
95  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007f9f38 bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 2088 (NativeObject.cpp:2002)
96  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010002df69 js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) + 169 (RootingAPI.h:667)
97  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c9e39 js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) + 553 (RootingAPI.h:667)
98  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010047b518 js::jit::ComputeGetPropResult(JSContext*, js::jit::BaselineFrame*, JSOp, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 552 (SharedIC.cpp:2802)
99  js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010046520a js::jit::DoGetPropFallback(JSContext*, void*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) + 3018 (SharedIC.cpp:2882)
100 ??? 0x0000000102accb77 0 + 4339846007
101 ??? 0x0000000102acbdc4 0 + 4339842500
102 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
103 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
104 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
105 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c8044 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682)
106 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c83c5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
107 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010059606f Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) + 1135 (jsapi.cpp:4466)
108 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x0000000100596482 JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::MutableHandle<JS::Value>) + 210 (jsapi.cpp:4503)
109 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x0000000100011a93 EvalInContext(JSContext*, unsigned int, JS::Value*) + 1603 (jsapi.h:3956)
110 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007d617e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:236)
111 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010079d53e js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 702 (Interpreter.cpp:464)
112 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001eec3e js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1870 (BaselineIC.cpp:6115)
113 ??? 0x0000000102ad2b6b 0 + 4339870571
114 ??? 0x0000000105025370 0 + 4379005808
115 ??? 0x0000000102acbdc4 0 + 4339842500
116 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001feee4 EnterBaseline(JSContext*, js::jit::EnterJitData&) + 708 (BaselineJIT.cpp:152)
117 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001001fea6f js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 287 (BaselineJIT.cpp:188)
118 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007b0076 js::RunScript(JSContext*, js::RunState&) + 470 (Interpreter.cpp:407)
119 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c8044 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) + 1124 (Interpreter.cpp:682)
120 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001007c83c5 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) + 469 (RootingAPI.h:667)
121 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x0000000100595241 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) + 417 (jsapi.cpp:4372)
122 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x00000001005954b2 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) + 82 (RootingAPI.h:667)
123 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x0000000100020aa9 Process(JSContext*, char const*, bool, FileKind) + 3609 (js.cpp:530)
124 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x000000010000610b main + 11739 (js.cpp:6732)
125 js-dbg-64-dm-clang-darwin-29d5a4175c8b 0x0000000100001374 start + 52
```

Yet another bug possibly related to recent RegExp fallout. Locking s-s just to be safe.
Updated • Reporter • 8 years ago
Summary: Assertion failure: isObject(), at /Users/skywalker/shell-cache/js-dbg-64-dm-clang-darwin-29d5a4175c8b/objdir-js/dist/include/js/Value.h:1281 → Assertion failure: isObject(), at dist/include/js/Value.h:1281

Comment 1 • Reporter • 8 years ago

Comment 2 • Reporter • 8 years ago

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160407030451" and the hash "9f6afb62fe80ee168a90577957d1c53ad9fe8ecd".
The "bad" changeset has the timestamp "20160407034945" and the hash "4d0f975a23119a61a6c8e5856125de2db5713c49".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f6afb62fe80ee168a90577957d1c53ad9fe8ecd&tochange=4d0f975a23119a61a6c8e5856125de2db5713c49

I'll see if I can get a smaller regression window. In the meantime, setting needinfo? from arai-san.

Flags: needinfo?(arai.unmht)
Comment 3 • Reporter • 8 years ago

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b4e25cbe3dcb
user: Tooru Fujisawa
date: Thu Jan 28 18:56:02 2016 +0900
summary: Bug 887016 - Part 14: Add RegExpSearcher. r=h4writer

Note that the patch was landed on April 7, 2016.

Blocks: 887016
status-firefox47: --- → unaffected
Comment 4 • Assignee • 8 years ago

GetBuiltinPrototype("String") returns undefined. GetBuiltinConstructor("String").prototype is undefined there. till, is it possible in a normal situation?

Flags: needinfo?(arai.unmht) → needinfo?(till)
Comment 5 • Assignee • 8 years ago

When I add the following line into evalcx, it works without a crash:

String.prototype;

Maybe the String prototype is not yet resolved? Should we check the returned value of GetBuiltinPrototype (and GetBuiltinConstructor?) at every callsite?

Comment 6 • Assignee • 8 years ago

In case we should check the return value, here's the patch that adds branches. If it's a bug in GetBuiltinPrototype or a more internal thing, we should fix that instead, though.

Assignee: nobody → arai.unmht
Attachment #8739950 - Flags: feedback?(till)
Comment 7 • 8 years ago

Comment on attachment 8739950 [details] [diff] [review]
Check the return value of GetBuiltinPrototype.

Review of attachment 8739950 [details] [diff] [review]:
-----------------------------------------------------------------

This doesn't seem right. I would've expected GetBuiltinConstructor to either succeed or throw an error. It seems like it doesn't throw an error if it's not able to resolve the constructor. Or this is about the Prototype?

In any case, I would very much like to have this fixed properly. For these usages, just bailing is fine because it'll just miss optimization opportunities, but that won't always be the case.

Can you check in a debugger what happens under intrinsic_GetBuiltinConstructor?

Attachment #8739950 - Flags: feedback?(till) → feedback-
Comment 8 • Assignee • 8 years ago

Thanks :) So, it's surely a not-normal case.

After the following line in intrinsic_GetBuiltinConstructor for JSProto_String:
> if (!GetBuiltinConstructor(cx, key, &ctor))
>     return false;
the property of the ctor seems to be broken.
It should point to a shape list with "localeCompare", "split", ... (String generics),
but the propid_ is 4, and parent is null.

```
(lldb) p *((JSFunction*)ctor.ptr)->lastProperty()
(js::Shape) $13 = {
  base_ = {
    js::WriteBarrieredBase<js::BaseShape *> = {
      js::BarrieredBase<js::BaseShape *> = {
        value = 0x00000001044911a0
      }
    }
  }
  propid_ = {
    js::WriteBarrieredBase<jsid> = {
      js::BarrieredBase<jsid> = {
        value = (asBits = 4)
      }
    }
  }
  slotInfo = 134217727
  attrs = '@'
  flags = '\b'
  parent = {
    js::WriteBarrieredBase<js::Shape *> = {
      js::BarrieredBase<js::Shape *> = (value = 0x0000000000000000)
    }
  }
   = {
    kids = (w = 4395676385)
    listp = 0x000000010600b2e1
  }
}
```

Maybe an error somewhere is ignored.
Comment 9 • Assignee • 8 years ago

In resolveConstructor for JSProto_String, it fails with OOM. I traced that the error gets propagated to frame #34, but I'm not sure about the remaining frames.

```
* thread #1: tid = 0x8760ee, 0x00000001006e80c5 js`js::ReportOutOfMemory(cxArg=0x0000000104241c00) + 15 at jscntxt.cpp:293, queue = 'com.apple.main-thread', stop reason = step in
  * frame #0: 0x00000001006e80c5 js`js::ReportOutOfMemory(cxArg=0x0000000104241c00) + 15 at jscntxt.cpp:293
    frame #1: 0x0000000100ce2aee js`bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(this=0x000000010425d428, cx=0x0000000104241c00, kind=BASE_SHAPE) + 510 at Allocator.cpp:78
    frame #2: 0x0000000100ce5003 js`js::BaseShape* js::Allocate<js::BaseShape, (js::AllowGC)1>(cx=0x0000000104241c00) + 195 at Allocator.cpp:213
    frame #3: 0x0000000100a9cf84 js`js::BaseShape::getUnowned(cx=0x0000000104241c00, base=0x00007fff5fbf9c70) + 180 at Shape.cpp:1307
    frame #4: 0x0000000100a9e898 js`js::EmptyShape::getInitialShape(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=TaggedProto @ 0x00007fff5fbf9d20, nfixed=2, objectFlags=0) + 472 at Shape.cpp:1488
    frame #5: 0x00000001007bb5cc js`NewObject(cx=0x0000000104241c00, group=js::HandleObjectGroup @ 0x00007fff5fbf9e10, kind=OBJECT2_BACKGROUND, newKind=SingletonObject, initialShapeFlags=0) + 460 at jsobj.cpp:662
    frame #6: 0x00000001007bb0b8 js`js::NewObjectWithGivenTaggedProto(cxArg=0x0000000104241c00, clasp=0x00000001014311a8, proto=Handle<js::TaggedProto> @ 0x00007fff5fbf9f60, allocKind=OBJECT2_BACKGROUND, newKind=SingletonObject, initialShapeFlags=0) + 536 at jsobj.cpp:729
    frame #7: 0x00000001009ed9eb js`js::NewObjectWithGivenTaggedProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=Handle<js::TaggedProto> @ 0x00007fff5fbf9fa8, newKind=SingletonObject, initialShapeFlags=0) + 75 at jsobjinlines.h:636
    frame #8: 0x00000001009dd8e6 js`js::NewObjectWithGivenProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbf9ff8, newKind=SingletonObject) + 86 at jsobjinlines.h:671
    frame #9: 0x00000001009db2d3 js`js::NewNativeObjectWithGivenProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa038, newKind=SingletonObject) + 51 at NativeObject-inl.h:346
    frame #10: 0x00000001009a5f14 js`CreateBlankProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa0a0, global=JS::HandleObject @ 0x00007fff5fbfa098) + 148 at GlobalObject.cpp:572
    frame #11: 0x00000001009a5e55 js`js::GlobalObject::createBlankPrototype(this=0x0000000105393060, cx=0x0000000104241c00, clasp=0x00000001014311a8) + 213 at GlobalObject.cpp:588
    frame #12: 0x00000001008337fe js`js::InitStringClass(cx=0x0000000104241c00, obj=JS::HandleObject @ 0x00007fff5fbfa290) + 206 at jsstr.cpp:2751
    frame #13: 0x00000001009a3a5b js`js::GlobalObject::resolveConstructor(cx=0x0000000104241c00, global=Handle<js::GlobalObject *> @ 0x00007fff5fbfa4d0, key=JSProto_String) + 587 at GlobalObject.cpp:178
    frame #14: 0x00000001007c279f js`MaybeResolveConstructor(cxArg=0x0000000104241c00, global=Handle<js::GlobalObject *> @ 0x00007fff5fbfa510, key=JSProto_String) + 127 at jsobj.cpp:2009
    frame #15: 0x00000001007bbd58 js`js::GetBuiltinPrototype(cx=0x0000000104241c00, key=JSProto_String, protop=JS::MutableHandleObject @ 0x00007fff5fbfa580) + 168 at jsobj.cpp:2029
    frame #16: 0x00000001007bb9aa js`js::NewObjectWithClassProtoCommon(cxArg=0x0000000104241c00, clasp=0x00000001014311a8, protoArg=JS::HandleObject @ 0x00007fff5fbfa740, allocKind=OBJECT2_BACKGROUND, newKind=GenericObject) + 570 at jsobj.cpp:788
    frame #17: 0x000000010002901b js`js::NewObjectWithClassProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa788, allocKind=OBJECT2, newKind=GenericObject) + 59 at jsobjinlines.h:702
    frame #18: 0x0000000100028fa3 js`js::NewObjectWithClassProto(cx=0x0000000104241c00, clasp=0x00000001014311a8, proto=JS::HandleObject @ 0x00007fff5fbfa7c8, newKind=GenericObject) + 67 at jsobjinlines.h:710
    frame #19: 0x00000001007ee8f4 js`js::StringObject::create(cx=0x0000000104241c00, str=JS::HandleString @ 0x00007fff5fbfa840, proto=JS::HandleObject @ 0x00007fff5fbfa838, newKind=GenericObject) + 68 at StringObject-inl.h:38
    frame #20: 0x00000001007c84c4 js`js::PrimitiveToObject(cx=0x0000000104241c00, v=0x00007fff5fbfabd0) + 132 at jsobj.cpp:3204
    frame #21: 0x00000001007c8807 js`js::ToObjectSlow(cx=0x0000000104241c00, val=JS::HandleValue @ 0x00007fff5fbfa970, reportScanStack=true) + 423 at jsobj.cpp:3238
    frame #22: 0x00000001009e5288 js`js::ToObjectFromStack(cx=0x0000000104241c00, vp=JS::HandleValue @ 0x00007fff5fbfa9a0) + 88 at jsobj.h:1285
    frame #23: 0x0000000100293834 js`js::GetPrimitiveElementOperation(cx=0x0000000104241c00, op=JSOP_CALLELEM, receiver=JS::HandleValue @ 0x00007fff5fbfab10, key=JS::HandleValue @ 0x00007fff5fbfab08, res=JS::MutableHandleValue @ 0x00007fff5fbfab00) + 164 at Interpreter-inl.h:468
    frame #24: 0x0000000100290e7f js`js::GetElementOperation(cx=0x0000000104241c00, op=JSOP_CALLELEM, lref=JS::MutableHandleValue @ 0x00007fff5fbfac00, rref=JS::HandleValue @ 0x00007fff5fbfabf8, res=JS::MutableHandleValue @ 0x00007fff5fbfabf0) + 463 at Interpreter-inl.h:554
    frame #25: 0x0000000100269240 js`js::jit::DoGetElemFallback(cx=0x0000000104241c00, frame=0x00007fff5fbfafd8, stub_=0x00000001042bf0d0, lhs=JS::HandleValue @ 0x00007fff5fbfaf20, rhs=JS::HandleValue @ 0x00007fff5fbfaf18, res=JS::MutableHandleValue @ 0x00007fff5fbfaf10) + 1824 at BaselineIC.cpp:1728
    frame #26: 0x00000001035bc26b
    frame #27: 0x00000001035b4dc4
    frame #28: 0x0000000100287869 js`EnterBaseline(cx=0x0000000104241c00, data=0x00007fff5fbfb468) + 1321 at BaselineJIT.cpp:149
    frame #29: 0x0000000100287258 js`js::jit::EnterBaselineMethod(cx=0x0000000104241c00, state=0x00007fff5fbfb710) + 280 at BaselineJIT.cpp:188
    frame #30: 0x00000001009aea7e js`js::RunScript(cx=0x0000000104241c00, state=0x00007fff5fbfb710) + 606 at Interpreter.cpp:416
    frame #31: 0x00000001009cb9cb js`js::ExecuteKernel(cx=0x0000000104241c00, script=JS::HandleScript @ 0x00007fff5fbfb7d0, scopeChainArg=0x00000001043035e0, newTargetValue=0x00007fff5fbfb910, evalInFrame=(ptr_ = 0), result=0x00007fff5fbfc538) + 747 at Interpreter.cpp:682
    frame #32: 0x000000010061e139 js`EvalKernel(cx=0x0000000104241c00, args=0x00007fff5fbfc390, evalType=DIRECT_EVAL, caller=(ptr_ = 140734799791498), scopeobj=JS::HandleObject @ 0x00007fff5fbfbc98, pc="{") + 3017 at Eval.cpp:331
    frame #33: 0x000000010061e4a5 js`js::DirectEval(cx=0x0000000104241c00, args=0x00007fff5fbfc390) + 789 at Eval.cpp:439
    frame #34: 0x0000000100279138 js`js::jit::DoCallFallback(cx=0x0000000104241c00, frame=0x00007fff5fbfc588, stub_=0x00000001042a70c8, argc=1, vp=0x00007fff5fbfc538, res=JS::MutableHandleValue @ 0x00007fff5fbfc498) + 1320 at BaselineIC.cpp:6100
    frame #35: 0x00000001035bbb6b
```
Comment 10 • Assignee • 8 years ago

Maybe it's something related to error handling in baseline, which I don't know much about. jandem, can you take a look?

Assignee: arai.unmht → nobody
Flags: needinfo?(jdemooij)
Comment 11 • 8 years ago

I think the problem here is in js::InitStringClass. There we call GlobalObject::initBuiltinConstructor *before* we call LinkConstructorAndPrototype and DefinePropertiesAndFunctions. We should move the initBuiltinConstructor call *after* the other calls.

Unfortunately it's more complicated than that, because the string class has generic functions (JSFUN_GENERIC_NATIVE). Those generics require us to set the constructor on the global *before* we call DefinePropertiesAndFunctions (see DefineFunctionFromSpec).

Because only the Array and String classes use JSFUN_GENERIC_NATIVE, I think it'd be much nicer to either:

(1) Remove the JSFUN_GENERIC_NATIVE stuff from DefineFunctionFromSpec, and instead add a new DefineGenericFunctions function that takes both the constructor and prototype.
(2) Remove JSFUN_GENERIC_NATIVE completely and self-host the (non-standard) generics for now.

Flags: needinfo?(jdemooij)
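To make the ordering problem in comment 11 concrete, here is an added example (not SpiderMonkey's code) that models a global's constructor slot, a fallible class init with an injected OOM in the style of the shell's oomTest, and a lookup that trusts an already-filled slot; the names Allocator, Global, Outcome and reproduce are the model's own. With the pre-fix order a failed init leaves a constructor whose prototype is unset for the next caller to trip over, which is what comment 4 observed; with the fixed order the failure is the only thing a later caller can see.

```cpp
// Added example, not SpiderMonkey code: a small model of the initialization
// order problem jandem describes in comment 11. A global keeps a constructor
// slot; class init is fallible (an OOM is injected at the failAt-th
// allocation, the way the shell's oomTest drives the testcase); the defect is
// publishing the constructor (initBuiltinConstructor) before the fallible
// steps (LinkConstructorAndPrototype, DefinePropertiesAndFunctions) succeed.
// Allocator, Global, Outcome and reproduce() are this model's own names.
#include <memory>
#include <string>
#include <vector>

struct Object {
    std::string name;
    Object* prototypeProp = nullptr;   // the constructor's "prototype" property
};

// Fallible arena: the failAt-th allocation returns nullptr (simulated OOM).
struct Allocator {
    int failAt;                        // -1: never fail
    int count = 0;
    std::vector<std::unique_ptr<Object>> arena;
    explicit Allocator(int f) : failAt(f) {}
    Object* alloc(const std::string& name) {
        if (failAt >= 0 && count++ == failAt)
            return nullptr;
        arena.push_back(std::make_unique<Object>());
        arena.back()->name = name;
        return arena.back().get();
    }
};

struct Global {
    Object* stringCtor = nullptr;      // slot read by GetBuiltinConstructor
};

// Stand-in for the fallible steps that follow constructor creation
// (LinkConstructorAndPrototype here): it allocates, then defines
// ctor.prototype. On OOM it returns false and leaves ctor.prototype unset.
static bool linkCtorAndProto(Allocator& a, Object* ctor, Object* proto) {
    if (!a.alloc("String.prototype-link"))
        return false;
    ctor->prototypeProp = proto;
    return true;
}

// Pre-fix order: publish the constructor first, then run the fallible step.
static bool initStringClassBuggy(Allocator& a, Global& g) {
    Object* proto = a.alloc("String.prototype");
    Object* ctor = proto ? a.alloc("String") : nullptr;
    if (!ctor)
        return false;
    g.stringCtor = ctor;               // initBuiltinConstructor, too early
    return linkCtorAndProto(a, ctor, proto);  // on failure the slot stays filled
}

// Fixed order (part 4 of this bug): publish only after every fallible step
// succeeded, so a failure leaves the slot empty.
static bool initStringClassFixed(Allocator& a, Global& g) {
    Object* proto = a.alloc("String.prototype");
    Object* ctor = proto ? a.alloc("String") : nullptr;
    if (!ctor || !linkCtorAndProto(a, ctor, proto))
        return false;
    g.stringCtor = ctor;               // initBuiltinConstructor, last
    return true;
}

// GetBuiltinConstructor stand-in: like MaybeResolveConstructor it trusts a
// filled slot and resolves only when the slot is empty; nullptr = error.
static Object* getBuiltinConstructor(Allocator& a, Global& g, bool buggy) {
    if (g.stringCtor)
        return g.stringCtor;
    bool ok = buggy ? initStringClassBuggy(a, g) : initStringClassFixed(a, g);
    return ok ? g.stringCtor : nullptr;
}

struct Outcome {
    bool firstFailed;                  // first use reported the OOM
    bool secondHasCtor;                // a later use got a constructor back
    bool secondHasPrototype;           // ... whose "prototype" is an object
};

// The shape of the report: first use hits OOM (oomTest swallows that error),
// then the Intl code runs with memory available and asks for String again.
static Outcome reproduce(bool buggy, int failAt) {
    Allocator a(failAt);
    Global g;
    Outcome o{};
    o.firstFailed = getBuiltinConstructor(a, g, buggy) == nullptr;
    a.failAt = -1;                     // memory is available again
    Object* ctor = getBuiltinConstructor(a, g, buggy);
    o.secondHasCtor = ctor != nullptr;
    o.secondHasPrototype = ctor && ctor->prototypeProp != nullptr;
    return o;
}
```

With failAt set to 2 the OOM lands inside the link step: the buggy order hands the second caller a constructor with no prototype, while the fixed order re-resolves cleanly once memory is back.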
Comment 12 • Assignee • 8 years ago

Thank you for investigating it :) I'll try self-hosting Array/String generics as a first step. They're already deprecated (tracked in bug 1222547 and bug 1222552), and the performance difference won't be a problem. If we hit some performance regression from them, we should fix the consumer instead ;)

Comment 13 • 8 years ago

Thanks for investigating this, arai. I agree that self-hosting the generics makes the most sense.

Flags: needinfo?(till)
Comment 14 • Assignee • 8 years ago

Self-hosted Array generics, and added simple testcases, as I don't see any pre-existing testcase for them.

Assignee: nobody → arai.unmht
Attachment #8740933 - Flags: review?(till)

Comment 15 • 8 years ago

Comment on attachment 8740933 [details] [diff] [review]
Part 1: Self-host Array generics.

Review of attachment 8740933 [details] [diff] [review]:
-----------------------------------------------------------------

Looks great, thanks!

Attachment #8740933 - Flags: review?(till) → review+

Comment 16 • Assignee • 8 years ago

Same for String generics too.

Attachment #8740940 - Flags: review?(till)

Comment 17 • Assignee • 8 years ago

Attachment #8740944 - Flags: review?(till)

Comment 18 • Assignee • 8 years ago

Moved initBuiltinConstructor, as jandem suggested, and added the same testcase as the previous patch.

Attachment #8739950 - Attachment is obsolete: true
Attachment #8740946 - Flags: review?(till)
Comment 19•8 years ago
|
||
Comment on attachment 8740940 [details] [diff] [review] Part 2: Self-host String generics. Review of attachment 8740940 [details] [diff] [review]: ----------------------------------------------------------------- Very nice. r=me with nits addressed. ::: js/src/jsstr.cpp @@ +2735,2 @@ > // This must be at the end because of bug 853075: functions listed after > // self-hosted methods aren't available in self-hosted code. This isn't relevant anymore; can you just remove the comment? ::: js/src/jsstr.h @@ +364,5 @@ > +extern bool > +str_localeCompare(JSContext* cx, unsigned argc, Value* vp); > +#endif > + > +#if EXPOSE_INTL_API can't you just use #else here? ::: js/src/vm/SelfHosting.cpp @@ +2311,5 @@ > + JS_FN("std_String_toLocaleUpperCase", str_toLocaleUpperCase, 0,0), > +#if !EXPOSE_INTL_API > + JS_FN("std_String_localeCompare", str_localeCompare, 1,0), > +#endif > +#if EXPOSE_INTL_API Same here: just use #else
Attachment #8740940 -
Flags: review?(till) → review+
Comment 20•8 years ago
Comment on attachment 8740944 [details] [diff] [review]
Part 3: Remove JSFUN_GENERIC_NATIVE.

Review of attachment 8740944 [details] [diff] [review]:
-----------------------------------------------------------------

\o/
Attachment #8740944 -
Flags: review?(till) → review+
Comment 21•8 years ago
Comment on attachment 8740946 [details] [diff] [review]
Part 4: Call initBuiltinConstructor after defining properties in InitStringClass.

Review of attachment 8740946 [details] [diff] [review]:
-----------------------------------------------------------------

I like how small the actual fix here is ...
Attachment #8740946 -
Flags: review?(till) → review+
Assignee
Comment 22•8 years ago
Thank you for reviewing :)
This could happen when we use GetBuiltinPrototype or GetBuiltinConstructor with the "String" argument, and there was no such code before bug 887016, so I think this bug affects only nightly and there is no need to backport. till, what do you think?
Flags: needinfo?(till)
Comment 23•8 years ago
Agreed, this doesn't need backporting. Which in turn means you can land it right away.
Flags: needinfo?(till)
Assignee
Comment 24•8 years ago
Just like Array#concat (bug 1233642), removed all Array generics from ctorPropsToSkip list.
Attachment #8741201 -
Flags: review?(bobbyholley)
Updated•8 years ago
Attachment #8741201 -
Flags: review?(bobbyholley) → review+
Assignee
Comment 25•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/ad22cb06de5d204449676d7b717a101fc43c283a
Bug 1263558 - Part 1: Self-host Array generics. r=till,bholley
https://hg.mozilla.org/integration/mozilla-inbound/rev/94805cd19c1594ee7098118e2b47da2fa94bde2b
Bug 1263558 - Part 2: Self-host String generics. r=till
https://hg.mozilla.org/integration/mozilla-inbound/rev/faa055e3ace88ef200b81badb3df0749bf4ede02
Bug 1263558 - Part 3: Remove JSFUN_GENERIC_NATIVE. r=till
https://hg.mozilla.org/integration/mozilla-inbound/rev/7fcc62dda4e35167b7062f9f72133042a72ac01c
Bug 1263558 - Part 4: Call initBuiltinConstructor after defining properties in InitStringClass. r=till
Comment 26•8 years ago
https://hg.mozilla.org/mozilla-central/rev/ad22cb06de5d
https://hg.mozilla.org/mozilla-central/rev/94805cd19c15
https://hg.mozilla.org/mozilla-central/rev/faa055e3ace8
https://hg.mozilla.org/mozilla-central/rev/7fcc62dda4e3
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Backed out in https://hg.mozilla.org/mozilla-central/rev/354cb3932e36 for causing bug 1264937
Status: RESOLVED → REOPENED
Flags: needinfo?(arai.unmht)
Resolution: FIXED → ---
Assignee
Comment 28•8 years ago
The assertion failure on linux32 happens from Part 2. Maybe it changed the timing related to OOM?
Updated•8 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 29•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Assignee
Comment 30•8 years ago
When it hits the assertion failure, none of String#search's code is executed.
https://dxr.mozilla.org/mozilla-central/source/js/src/jit-test/tests/gc/bug-1240527.js
> offThreadCompileScript(`
>   oomTest(() => "".search(/d/));
>   fullcompartmentchecks(3);
> `);
> runOffThreadScript();

I suppose some issue happens while JIT compiling.
Assignee
Comment 31•8 years ago
BaselineCompiler::compile fails in the following line, the ensureHasAnalyzedArgsUsage call, while compiling the String_search self-hosted function.
https://dxr.mozilla.org/mozilla-central/rev/21bf1af375c1fa8565ae3bb2e89bd1a0809363d4/js/src/jit/BaselineCompiler.cpp#96
>     if (!script->ensureHasTypes(cx) || !script->ensureHasAnalyzedArgsUsage(cx))
>         return Method_Error;

Will continue investigating.
Assignee
Comment 32•8 years ago
MBasicBlock::addImmediatelyDominatedBlock fails in jit::BuildDominatorTree.
https://dxr.mozilla.org/mozilla-central/rev/21bf1af375c1fa8565ae3bb2e89bd1a0809363d4/js/src/jit/IonAnalysis.cpp#2104
> bool
> jit::BuildDominatorTree(MIRGraph& graph)
> {
>     ...
>     for (PostorderIterator i(graph.poBegin()); i != graph.poEnd(); i++) {
>         MBasicBlock* child = *i;
>         MBasicBlock* parent = child->immediateDominator();
>         ...
>         if (!parent->addImmediatelyDominatedBlock(child))
>             return false;

Maybe somewhere in the call stack forgets to report OOM?

Breakpoint 1, js::jit::MBasicBlock::addImmediatelyDominatedBlock (this=0xb79b6a00, child=0xb79b79f0) at /home/osboxes/projects/mozilla-central/js/src/jit/MIRGraph.cpp:1259
1259        fprintf(stderr, "addImmediatelyDominatedBlock: false\n");
(gdb) bt
#0  js::jit::MBasicBlock::addImmediatelyDominatedBlock (this=0xb79b6a00, child=0xb79b79f0) at /home/osboxes/projects/mozilla-central/js/src/jit/MIRGraph.cpp:1259
#1  0x083a37c4 in js::jit::BuildDominatorTree (graph=...) at /home/osboxes/projects/mozilla-central/js/src/jit/IonAnalysis.cpp:2107
#2  0x083abc36 in js::jit::AnalyzeArgumentsUsage (cx=0xb797f020, scriptArg=0xb5b5b160) at /home/osboxes/projects/mozilla-central/js/src/jit/IonAnalysis.cpp:3999
#3  0x08850839 in JSScript::ensureHasAnalyzedArgsUsage (this=0xb5b5b160, cx=0xb797f020) at /home/osboxes/projects/mozilla-central/js/src/jsscriptinlines.h:203
#4  0x08c99cfe in js::jit::BaselineCompiler::compile (this=0xbfffc420) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineCompiler.cpp:103
#5  0x082c2192 in js::jit::BaselineCompile (cx=0xb797f020, script=0xb5b5b160, forceDebugInstrumentation=false) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:291
#6  0x082c2480 in CanEnterBaselineJIT (cx=0xb797f020, script=..., osrFrame=0x0) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:330
#7  0x082c2718 in js::jit::CanEnterBaselineMethod (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:392
#8  0x0890266d in js::RunScript (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:412
#9  0x08902b44 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., construct=js::NO_CONSTRUCT) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:498
#10 0x08902e19 in InternalCall (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#11 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#12 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffd5e8, stub_=0xb79b5070, argc=1, vp=0xbfffd5a8, res=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#13 0xb7fccdce in ?? ()
#14 0xb79b5070 in ?? ()
#15 0xb7fc6c5c in ?? ()
#16 0x082c158c in EnterBaseline (cx=0xb797f020, data=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#17 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#18 0x0890269d in js::RunScript (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#19 0x08902b44 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., construct=js::NO_CONSTRUCT) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:498
#20 0x08902e19 in InternalCall (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#21 0x08902ed6 in js::Call (cx=0xb797f020, fval=..., thisv=..., args=..., rval=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:544
#22 0x0868f017 in JS_CallFunction (cx=0xb797f020, obj=..., fun=..., args=..., rval=...) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:2876
#23 0x08ae589e in OOMTest (cx=0xb797f020, argc=1, vp=0xbfffdec8) at /home/osboxes/projects/mozilla-central/js/src/builtin/TestingFunctions.cpp:1310
#24 0x08927b26 in js::CallJSNative (cx=0xb797f020, native=0x8ae534c <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/osboxes/projects/mozilla-central/js/src/jscntxtinlines.h:235
#25 0x08902aa7 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., construct=js::NO_CONSTRUCT) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:480
#26 0x08902e19 in InternalCall (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#27 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#28 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffdf08, stub_=0xb79b4050, argc=1, vp=0xbfffdec8, res=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#29 0xb7fccdce in ?? ()
#30 0xb79b4050 in ?? ()
#31 0xb7fc6c5c in ?? ()
#32 0x082c158c in EnterBaseline (cx=0xb797f020, data=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#33 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#34 0x0890269d in js::RunScript (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#35 0x08903c14 in js::ExecuteKernel (cx=0xb797f020, script=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0xbfffe718) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:704
#36 0x08903f41 in js::Execute (cx=0xb797f020, script=..., scopeChainArg=..., rval=0xbfffe718) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:737
#37 0x086957e6 in ExecuteScript (cx=0xb797f020, scope=..., script=..., rval=0xbfffe718) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4392
#38 0x08695afd in JS_ExecuteScript (cx=0xb797f020, scriptArg=..., rval=...) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4418
#39 0x08086e6e in runOffThreadScript (cx=0xb797f020, argc=0, vp=0xbfffe718) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:3943
#40 0x08927b26 in js::CallJSNative (cx=0xb797f020, native=0x8086d33 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/osboxes/projects/mozilla-central/js/src/jscntxtinlines.h:235
#41 0x08902aa7 in js::InternalCallOrConstruct (cx=0xb797f020, args=..., construct=js::NO_CONSTRUCT) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:480
#42 0x08902e19 in InternalCall (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:525
#43 0x08902e52 in js::CallFromStack (cx=0xb797f020, args=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:531
#44 0x082b4d7b in js::jit::DoCallFallback (cx=0xb797f020, frame=0xbfffe748, stub_=0xb7998180, argc=0, vp=0xbfffe718, res=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineIC.cpp:6116
#45 0xb7fccdce in ?? ()
#46 0xb7998180 in ?? ()
#47 0xb7fc6c5c in ?? ()
#48 0x082c158c in EnterBaseline (cx=0xb797f020, data=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:150
#49 0x082c1936 in js::jit::EnterBaselineMethod (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/jit/BaselineJIT.cpp:188
#50 0x0890269d in js::RunScript (cx=0xb797f020, state=...) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:416
#51 0x08903c14 in js::ExecuteKernel (cx=0xb797f020, script=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:704
#52 0x08903f41 in js::Execute (cx=0xb797f020, script=..., scopeChainArg=..., rval=0x0) at /home/osboxes/projects/mozilla-central/js/src/vm/Interpreter.cpp:737
#53 0x086957e6 in ExecuteScript (cx=0xb797f020, scope=..., script=..., rval=0x0) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4392
#54 0x08695bbd in JS_ExecuteScript (cx=0xb797f020, scriptArg=...) at /home/osboxes/projects/mozilla-central/js/src/jsapi.cpp:4425
#55 0x08078698 in RunFile (cx=0xb797f020, filename=0xbffff31c "/home/osboxes/Desktop/a.js", file=0xb58149e0, compileOnly=false) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:530
#56 0x080798de in Process (cx=0xb797f020, filename=0xbffff31c "/home/osboxes/Desktop/a.js", forceTTY=false, kind=FileScript) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:803
#57 0x0808f29c in ProcessArgs (cx=0xb797f020, op=0xbfffefa0) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:6743
#58 0x080903c0 in Shell (cx=0xb797f020, op=0xbfffefa0, envp=0xbffff104) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:7071
#59 0x080918e4 in main (argc=3, argv=0xbffff0f4, envp=0xbffff104) at /home/osboxes/projects/mozilla-central/js/src/shell/js.cpp:7455
Assignee
Comment 33•8 years ago
What function is responsible for reporting an exception when the following function fails?
  * MBasicBlock::addImmediatelyDominatedBlock
  * jit::BuildDominatorTree
  * jit::AnalyzeNewScriptDefiniteProperties

jit::AnalyzeNewScriptDefiniteProperties calls ReportOutOfMemory in some failure case:
>     CompilerConstraintList* constraints = NewCompilerConstraintList(temp);
>     if (!constraints) {
>         ReportOutOfMemory(cx);
>         return false;
>     }

but it doesn't in some other case, where cx is not passed:
>     if (!SplitCriticalEdges(graph))
>         return false;
>
>     if (!RenumberBlocks(graph))
>         return false;
>
>     if (!BuildDominatorTree(graph)) {
>         ReportOutOfMemory(cx);
>         return false;
>     }
Flags: needinfo?(arai.unmht) → needinfo?(jdemooij)
Comment 34•8 years ago
(In reply to Tooru Fujisawa [:arai] from comment #33)
> What function is responsible for reporting an exception when following
> function fails?
> * MBasicBlock::addImmediatelyDominatedBlock
> * jit::BuildDominatorTree

Ion functions like these should not report OOM (they also don't have a cx available most of the time).

> jit::AnalyzeNewScriptDefiniteProperties calls ReportOutOfMemory in some
> failure case:

AnalyzeNewScriptDefiniteProperties should report OOM when it returns false and the callee doesn't report OOM.

I wonder if we should add AutoAssertPendingException, like AutoAssertNoPendingException we already have.
Flags: needinfo?(jdemooij)
Assignee
Comment 35•8 years ago
Thank you jandem!
I'll check the related code path and add error reporting.
> if (!SplitCriticalEdges(graph))
> return false;
>
> if (!RenumberBlocks(graph))
> return false;
>
> if (!BuildDominatorTree(graph)) {
> ReportOutOfMemory(cx);
> return false;
> }
Sorry, this code was copied from a tree with the WIP patch applied; there is actually no ReportOutOfMemory there.
Assignee
Comment 36•8 years ago
Here's the call tree from MBasicBlock::addImmediatelyDominatedBlock, so jit::AnalyzeNewScriptDefiniteProperties and jit::AnalyzeArgumentsUsage should be fixed.

MBasicBlock::addImmediatelyDominatedBlock [A]
|
+- jit::BuildDominatorTree [A]
   |
   +- OptimizeMIR [A]
   |  |
   |  +- wasm::IonCompileFunction [A]
   |  |  |
   |  |  +- ModuleGenerator::finishFuncDef [A]
   |  |  |  |
   |  |  |  +- FunctionValidator::finish [A]
   |  |  |  |  |
   |  |  |  |  +- CheckFunction [B]
   |  |  |  |
   |  |  |  +- DecodeFunctionBody [E]
   |  |  |     |
   |  |  |     +- DecodeFunctionBodies [E]
   |  |  |        |
   |  |  |        +- DecodeModule [E]
   |  |  |           |
   |  |  |           +- wasm::Eval [B]
   |  |  |
   |  |  +- HelperThread::handleWasmWorkload [B]
   |  |
   |  +- CompileBackEnd [A]
   |     |
   |     +- IonCompile [B]
   |        |
   |        +- HelperThread::handleIonWorkload [D]
   |
   +- jit::AccountForCFGChanges [A]
   |  |
   |  +- jit::RemoveUnmarkedBlocks [A]
   |  |  |
   |  |  +- ValueNumberer::cleanupOSRFixups [A]
   |  |     |
   |  |     +- ValueNumberer::run [A]
   |  |        |
   |  |        +- OptimizeMIR [A] *
   |  |
   |  +- ValueNumberer::run [A] *
   |
   +- jit::AnalyzeNewScriptDefiniteProperties [C]
   |
   +- jit::AnalyzeArgumentsUsage [C]
   |
   +- jit::UnrollLoops [A]
      |
      +- OptimizeMIR [A] *

[A] doesn't report, propagates false/nullptr
[B] reports failure
[C] has cx, doesn't report, but reports exception in other cases, SHOULD FIX
[D] handled in different path, clears pending exception
    https://dxr.mozilla.org/mozilla-central/rev/1da1937a9e03154ae7c60089f2dcf5ad9ee20fa3/js/src/jit/Ion.cpp#555
[E] has cx, but handled in caller
* duplicated entry
Assignee
Comment 37•8 years ago
Added ReportOutOfMemory to AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage. Other methods might need the same thing too; not yet investigated, but this change should be needed there anyway.
Attachment #8742306 -
Flags: review?(jdemooij)
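The contract jandem states in comment 34 and the fix arai lands in comments 36 and 37 (a cx-less Ion pass propagates false without reporting; the nearest caller that holds a cx must call ReportOutOfMemory, so that "returned false" always means "exception pending") can be exercised outside the engine. The C++ below is an added example written for this page, not SpiderMonkey code: Context, FailingAllocator, BuildDominatorTreeModel and the two AnalyzeArgumentsUsage variants are stand-ins invented here, and CountSilentFailures imitates the shell's oomTest() by failing the Nth allocation for each N and counting the runs that fail without a pending exception, which is exactly the state the followup patches remove.

```cpp
// Added example, not SpiderMonkey code: a toy model of the "false means an
// exception is pending" contract from comments 33-37 of bug 1263558.
// Every name below is a stand-in invented for this example.
#include <cassert>
#include <cstdio>

// Stand-in for JSContext: only tracks whether an exception is pending.
struct Context {
    bool pendingException = false;
};

// Stand-in for ReportOutOfMemory(cx).
void ReportOutOfMemory(Context* cx) {
    cx->pendingException = true;
}

// Deterministic allocation-failure injector: the first `failAfter`
// allocations succeed, every later one fails (what oomTest() does per run).
struct FailingAllocator {
    int failAfter;
    int count = 0;
    explicit FailingAllocator(int f) : failAfter(f) {}
    bool alloc() { return count++ < failAfter; }
};

// Model of a cx-less Ion pass such as BuildDominatorTree (category [A] in
// comment 36): on OOM it propagates false and reports nothing, because it
// has no cx to report on.
bool BuildDominatorTreeModel(FailingAllocator& alloc, int blocks) {
    for (int i = 0; i < blocks; i++) {
        if (!alloc.alloc())
            return false;
    }
    return true;
}

enum class Outcome { Ok, FailedReported, FailedSilently };

// The invariant an AutoAssertPendingException (comment 34) would check:
// a false return from a cx-taking function must leave an exception pending.
Outcome Classify(const Context* cx, bool ok) {
    if (ok)
        return Outcome::Ok;
    return cx->pendingException ? Outcome::FailedReported : Outcome::FailedSilently;
}

using Analysis = Outcome (*)(Context*, FailingAllocator&, int);

// Before the followup (category [C]): has a cx, but forwards the callee's
// false without reporting, so the caller sees failure with no exception.
Outcome AnalyzeArgumentsUsageBuggy(Context* cx, FailingAllocator& alloc, int blocks) {
    bool ok = BuildDominatorTreeModel(alloc, blocks);
    return Classify(cx, ok);
}

// After the followup: every cx-less failure is turned into a reported OOM.
Outcome AnalyzeArgumentsUsageFixed(Context* cx, FailingAllocator& alloc, int blocks) {
    if (!BuildDominatorTreeModel(alloc, blocks)) {
        ReportOutOfMemory(cx);
        return Classify(cx, false);
    }
    return Classify(cx, true);
}

// Imitates the shell's oomTest(): rerun the analysis with the Nth allocation
// failing for N = 0..blocks and count the runs that failed without reporting.
int CountSilentFailures(Analysis analysis, int blocks) {
    int silent = 0;
    for (int n = 0; n <= blocks; n++) {
        Context cx;
        FailingAllocator alloc(n);
        if (analysis(&cx, alloc, blocks) == Outcome::FailedSilently)
            silent++;
    }
    return silent;
}

int main() {
    std::printf("buggy: %d silent failures\n", CountSilentFailures(AnalyzeArgumentsUsageBuggy, 4));
    std::printf("fixed: %d silent failures\n", CountSilentFailures(AnalyzeArgumentsUsageFixed, 4));
    return 0;
}
```

With four "blocks" the buggy variant fails silently in four of the five runs (N = 0..3) and the fixed one in none; the N = 4 run succeeds in both. The same loop shape is why the Linux32 failure only showed up under oomTest(): the engine's own OOM sweep is what turns a single unreported false into an assertion somewhere up the stack.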
Comment 38•8 years ago
This sounds like some kind of type confusion, so I'm going to mark this sec-high. Adjust if appropriate.
Keywords: sec-high
Comment 39•8 years ago
Comment on attachment 8742306 [details] [diff] [review]
followup - Handle OOM inside BuildDominatorTree at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage.

Review of attachment 8742306 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/IonAnalysis.cpp
@@ +3772,4 @@
> FinishDefinitePropertiesAnalysis(cx, constraints);
>
> if (!SplitCriticalEdges(graph))
> return false;

I think we should also call ReportOutOfMemory here and after RenumberBlocks and EliminatePhis. (Although RenumberBlocks always returns true, so we could change it to return void instead of bool...)
Attachment #8742306 -
Flags: review?(jdemooij) → review+
Comment 40•8 years ago
[Tracking Requested - why for this release]: sec-high regression
tracking-firefox48: --- → ?
Keywords: regression
Assignee
Comment 41•8 years ago
Fixed SplitCriticalEdges, RenumberBlocks and EliminatePhis.
Attachment #8742941 -
Flags: review?(jdemooij)
Comment 42•8 years ago
Comment on attachment 8742941 [details] [diff] [review]
followup 2 - Handle OOM inside SplitCriticalEdges and EliminatePhis at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage.

Review of attachment 8742941 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.
Attachment #8742941 -
Flags: review?(jdemooij) → review+
Assignee
Comment 43•8 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/611130fe9f93305ba081ce37a923d3383ccf3419
Bug 1263558 - Part 0.1: Handle OOM inside BuildDominatorTree at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage. r=jandem
https://hg.mozilla.org/integration/mozilla-inbound/rev/344a4bcc9015457aa8deadbaac79eead70acbb60
Bug 1263558 - Part 0.2: Handle OOM inside SplitCriticalEdges and EliminatePhis at AnalyzeNewScriptDefiniteProperties and AnalyzeArgumentsUsage. r=jandem
https://hg.mozilla.org/integration/mozilla-inbound/rev/5af002b8ef582c6d18ae5e7565d6c2c55dad0759
Bug 1263558 - Part 1: Self-host Array generics. r=till,bholley
https://hg.mozilla.org/integration/mozilla-inbound/rev/f1876796b8665a096aba8083a195ed8e85751b5f
Bug 1263558 - Part 2: Self-host String generics. r=till
https://hg.mozilla.org/integration/mozilla-inbound/rev/7b1ce08126bf35127d0e338cd2a21883ae87fcbe
Bug 1263558 - Part 3: Remove JSFUN_GENERIC_NATIVE. r=till
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1e8dbf2f4c92666991b0a026dfbc8fa0fa26826
Bug 1263558 - Part 4: Call initBuiltinConstructor after defining properties in InitStringClass. r=till
Comment 44•8 years ago
https://hg.mozilla.org/mozilla-central/rev/611130fe9f93
https://hg.mozilla.org/mozilla-central/rev/344a4bcc9015
https://hg.mozilla.org/mozilla-central/rev/5af002b8ef58
https://hg.mozilla.org/mozilla-central/rev/f1876796b866
https://hg.mozilla.org/mozilla-central/rev/7b1ce08126bf
https://hg.mozilla.org/mozilla-central/rev/b1e8dbf2f4c9
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Comment 46•8 years ago
(In reply to Hannes Verschore [:h4writer] from comment #45)
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=dbc24d3df009

Hmm. That was not intentional! This is for another bug.
Updated•8 years ago
Group: javascript-core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Updated•8 years ago
status-firefox-esr45: --- → unaffected