Closed Bug 1263895 Opened 8 years ago Closed 8 years ago

Assertion failure: hasLastIns(), at js/src/jit/MIRGraph.h:380 with OOM

Categories: Core :: JavaScript Engine, defect
Platform: x86_64, Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, mozilla48
Tracking Status: firefox48 --- fixed

People: Reporter: decoder, Assigned: h4writer
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-offthread-compile=off):

lfLogBuffer = `
function f (n) {
    while (!inIon()) {
        let x = {}
        for (var i = 0; i < n; i++) ;
    }
}
f(300)
`
lfLogBuffer = lfLogBuffer.split('\n')
lfCodeBuffer = 0
while (1) {
    line = lfLogBuffer.shift()
    if (line == null) 
        break
    loadFile()
    lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx) 
  oomTest(function() eval(lfVarx));



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000043dde2 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:380
#0  0x000000000043dde2 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:380
#1  0x00000000006ad028 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:377
#2  0x0000000000769391 in js::jit::MBasicBlock::numSuccessors (this=this@entry=0x7ffff42812c0) at js/src/jit/MIRGraph.cpp:1415
#3  0x00000000008256d6 in isLoopBackedge (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:453
#4  js::jit::ValueNumberer::visitDominatorTree (this=this@entry=0x7fffffff9140, dominatorRoot=dominatorRoot@entry=0x7ffff42812c0) at js/src/jit/ValueNumbering.cpp:1022
#5  0x00000000008259df in js::jit::ValueNumberer::visitGraph (this=this@entry=0x7fffffff9140) at js/src/jit/ValueNumbering.cpp:1069
#6  0x0000000000825bb7 in js::jit::ValueNumberer::run (this=this@entry=0x7fffffff9140, updateAliasAnalysis=updateAliasAnalysis@entry=js::jit::ValueNumberer::UpdateAliasAnalysis) at js/src/jit/ValueNumbering.cpp:1238
#7  0x00000000006a8b69 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff4272270) at js/src/jit/Ion.cpp:1634
#8  0x00000000006a900f in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff4272270) at js/src/jit/Ion.cpp:1958
#9  0x00000000006a9e13 in js::jit::IonCompile (cx=cx@entry=0x7ffff6908800, script=script@entry=0x7ffff4499f30, baselineFrame=baselineFrame@entry=0x7fffffff9748, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2225
#10 0x00000000006aa59c in js::jit::Compile (cx=0x7ffff6908800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffff9748, osrPc=osrPc@entry=0x7ffff697db3d "\343\202V", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2392
#11 0x00000000006ab052 in BaselineCanEnterAtBranch (pc=0x7ffff697db3d "\343\202V", osrFrame=0x7fffffff9748, script=..., cx=0x7ffff6908800) at js/src/jit/Ion.cpp:2579
#12 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6908800, frame=frame@entry=0x7fffffff9748, pc=pc@entry=0x7ffff697db3d "\343\202V") at js/src/jit/Ion.cpp:2637
#13 0x0000000000610e77 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6908800, frame=0x7fffffff9748, stub=0x7ffff427c128, infoPtr=0x7fffffff9710) at js/src/jit/BaselineIC.cpp:142
#14 0x00007ffff7ff25d9 in ?? ()
#15 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff42812c0	140737289654976
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff8e00	140737488326144
rsp	0x7fffffff8e00	140737488326144
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff8bc0	140737488325568
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffff9140	140737488326976
r13	0x7fffffff9140	140737488326976
r14	0x7ffff42812c0	140737289654976
r15	0x7ffff42812c0	140737289654976
rip	0x43dde2 <js::jit::MBasicBlock::lastIns() const+28>
=> 0x43dde2 <js::jit::MBasicBlock::lastIns() const+28>:	movl   $0x17c,0x0
   0x43dded <js::jit::MBasicBlock::lastIns() const+39>:	callq  0x4ab6f0 <abort()>
Hannes, maybe this is related to the topcrash?
Flags: needinfo?(hv1989)
Attached patch: Patch
Probably not related. This is during GVN, while the topcrash is much earlier.

Fixes a few forgotten checks. This fixes the original problem, but not everything. Still digging into the remaining issue.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8740424 - Flags: review?(jdemooij)
(In reply to Hannes Verschore [:h4writer] from comment #2)
> Fixes a few forgotten checks. This fixes the original problem, but not
> everything. Still digging into the remaining issue.

Ok, this does fix everything. Must have forgotten to compile after adding the last check.
Comment on attachment 8740424
Patch

Review of attachment 8740424:
-----------------------------------------------------------------

Thanks!
Attachment #8740424 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/14af533af381
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]