Closed
Bug 1263895
Opened 8 years ago
Closed 8 years ago
Assertion failure: hasLastIns(), at js/src/jit/MIRGraph.h:380 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| | Tracking | Status |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: h4writer)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.04 KB, patch (jandem: review+)
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-offthread-compile=off):

```
lfLogBuffer = `
function f (n) {
    while (!inIon()) {
        let x = {}
        for (var i = 0; i < n; i++) ;
    }
}
f(300)
`
lfLogBuffer = lfLogBuffer.split('\n')
lfCodeBuffer = 0
while (1) {
    line = lfLogBuffer.shift()
    if (line == null) break
    loadFile()
    lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx)
    oomTest(function() eval(lfVarx));
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x000000000043dde2 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:380
#0 0x000000000043dde2 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:380
#1 0x00000000006ad028 in js::jit::MBasicBlock::lastIns (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:377
#2 0x0000000000769391 in js::jit::MBasicBlock::numSuccessors (this=this@entry=0x7ffff42812c0) at js/src/jit/MIRGraph.cpp:1415
#3 0x00000000008256d6 in isLoopBackedge (this=0x7ffff42812c0) at js/src/jit/MIRGraph.h:453
#4 js::jit::ValueNumberer::visitDominatorTree (this=this@entry=0x7fffffff9140, dominatorRoot=dominatorRoot@entry=0x7ffff42812c0) at js/src/jit/ValueNumbering.cpp:1022
#5 0x00000000008259df in js::jit::ValueNumberer::visitGraph (this=this@entry=0x7fffffff9140) at js/src/jit/ValueNumbering.cpp:1069
#6 0x0000000000825bb7 in js::jit::ValueNumberer::run (this=this@entry=0x7fffffff9140, updateAliasAnalysis=updateAliasAnalysis@entry=js::jit::ValueNumberer::UpdateAliasAnalysis) at js/src/jit/ValueNumbering.cpp:1238
#7 0x00000000006a8b69 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff4272270) at js/src/jit/Ion.cpp:1634
#8 0x00000000006a900f in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff4272270) at js/src/jit/Ion.cpp:1958
#9 0x00000000006a9e13 in js::jit::IonCompile (cx=cx@entry=0x7ffff6908800, script=script@entry=0x7ffff4499f30, baselineFrame=baselineFrame@entry=0x7fffffff9748, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Normal) at js/src/jit/Ion.cpp:2225
#10 0x00000000006aa59c in js::jit::Compile (cx=0x7ffff6908800, script=..., script@entry=..., osrFrame=osrFrame@entry=0x7fffffff9748, osrPc=osrPc@entry=0x7ffff697db3d "\343\202V", constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2392
#11 0x00000000006ab052 in BaselineCanEnterAtBranch (pc=0x7ffff697db3d "\343\202V", osrFrame=0x7fffffff9748, script=..., cx=0x7ffff6908800) at js/src/jit/Ion.cpp:2579
#12 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6908800, frame=frame@entry=0x7fffffff9748, pc=pc@entry=0x7ffff697db3d "\343\202V") at js/src/jit/Ion.cpp:2637
#13 0x0000000000610e77 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6908800, frame=0x7fffffff9748, stub=0x7ffff427c128, infoPtr=0x7fffffff9710) at js/src/jit/BaselineIC.cpp:142
#14 0x00007ffff7ff25d9 in ?? ()
#15 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff42812c0 140737289654976
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff8e00 140737488326144
rsp 0x7fffffff8e00 140737488326144
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff8bc0 140737488325568
r11 0x7ffff6c27ee0 140737333329632
r12 0x7fffffff9140 140737488326976
r13 0x7fffffff9140 140737488326976
r14 0x7ffff42812c0 140737289654976
r15 0x7ffff42812c0 140737289654976
rip 0x43dde2 <js::jit::MBasicBlock::lastIns() const+28>
=> 0x43dde2 <js::jit::MBasicBlock::lastIns() const+28>: movl $0x17c,0x0
   0x43dded <js::jit::MBasicBlock::lastIns() const+39>: callq 0x4ab6f0 <abort()>
```
Comment 2•8 years ago (Assignee)
Probably not related. This is during GVN, while the topcrash is much earlier. Fixes a few forgotten checks. This fixes the original problem, but not everything. Still digging into the remaining issue.
Comment 3•8 years ago (Assignee)
(In reply to Hannes Verschore [:h4writer] from comment #2)
> Fixes a few forgotten checks. This fixes the original problem, but not
> everything. Still digging into the remaining issue.

Ok, this does fix everything. Must have forgotten to compile after adding the last check.
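The failure mode discussed in this bug, as an added example that is neither SpiderMonkey code nor the attached patch (which this page does not show): an oomTest-style driver reruns a function while failing the 1st, 2nd, 3rd, ... allocation in turn, and counts runs that report success yet leave a block with no final control instruction. The `Block` model, both builders and the choice of which check is forgotten are assumptions made for illustration.

```cpp
#include <vector>

// Constructed toy model; every name here is hypothetical, not SpiderMonkey's.
static long g_failAt = -1;  // 1-based index of the allocation to fail; -1 = none
static long g_allocs = 0;   // allocations attempted in the current run

// Stand-in for a fallible allocation: false means simulated OOM.
static bool fallibleAlloc() { return ++g_allocs != g_failAt; }

struct Block {
    std::vector<int> ins;
    bool hasLastIns = false;  // set once a control instruction ends the block
};

// Forgotten check: OOM while adding the terminator is dropped, so the
// caller sees success and later passes get an unterminated block.
static bool buildUnchecked(Block& b) {
    if (!fallibleAlloc()) return false;
    b.ins.push_back(1);
    if (fallibleAlloc()) b.hasLastIns = true;
    return true;
}

// Every fallible step propagates failure, so compilation is abandoned.
static bool buildChecked(Block& b) {
    if (!fallibleAlloc()) return false;
    b.ins.push_back(1);
    if (!fallibleAlloc()) return false;
    b.hasLastIns = true;
    return true;
}

// Fail allocation 1, 2, 3, ... until a run finishes without reaching the
// injected failure. Counts runs that report success with a broken block.
static int countBrokenRuns(bool (*build)(Block&)) {
    int broken = 0;
    for (long n = 1;; n++) {
        g_failAt = n;
        g_allocs = 0;
        Block b;
        if (build(b) && !b.hasLastIns) broken++;
        if (g_allocs < n) break;  // injected failure never reached
    }
    g_failAt = -1;
    return broken;
}

int main() { return countBrokenRuns(buildChecked); }
```

Only the run that fails the second allocation exposes the unchecked builder, which is why exhaustive per-allocation injection finds paths that a single random OOM would usually miss.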
Comment 4•8 years ago

Comment on attachment 8740424
Patch

Review of attachment 8740424:

Thanks!

Attachment #8740424 - Flags: review?(jdemooij) → review+
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/14af533af381
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]