Closed Bug 1284485 Opened 8 years ago Closed 8 years ago

Assertion failure: hasScript(), at js/src/jsfun.h:456 with OOM

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1236098
Tracking Status
firefox50 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c9a70b64f2fa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

loadFile(`
  function assertEquivalent(t2) (true())
  try {
    h
  } catch (e) {}
  function f() {
    function f() {
      switch (f) {}
      assertEquivalent();
    }
    return f;
  }
  for (var j = 0; j < 5; j) 
    (function() f()())()
`);
function loadFile(lfVarx) {
    oomTest(Function(lfVarx))
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000045f610 in JSFunction::hasUncompiledScript (this=<optimized out>) at js/src/jsfun.h:456
#0  0x000000000045f610 in JSFunction::hasUncompiledScript (this=<optimized out>) at js/src/jsfun.h:456
#1  JSFunction::nonLazyScript (this=<optimized out>) at js/src/jsfun.h:461
#2  0x0000000000b517b9 in js::ScopeIter::settle (this=this@entry=0x7fffffffac10) at js/src/vm/ScopeObject.cpp:1484
#3  0x0000000000b51e3a in js::ScopeIter::operator++ (this=this@entry=0x7fffffffac10) at js/src/vm/ScopeObject.cpp:1515
#4  0x0000000000ac1f6b in js::UnwindAllScopesInFrame (cx=cx@entry=0x7ffff6965000, si=...) at js/src/vm/Interpreter.cpp:1025
#5  0x0000000000839f23 in js::jit::DebugEpilogue (cx=cx@entry=0x7ffff6965000, frame=frame@entry=0x7fffffffb4a8, pc=0x7ffff69b14a5 ":", ok=<optimized out>) at js/src/jit/VMFunctions.cpp:708
#6  0x000000000071b6ac in js::jit::OnLeaveBaselineFrame (frameOk=<optimized out>, rfe=<optimized out>, pc=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:463
#7  js::jit::HandleExceptionBaseline (pc=0x7ffff69b14a5 ":", rfe=<optimized out>, frame=..., cx=0x7ffff6965000) at js/src/jit/JitFrames.cpp:696
#8  js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:837
#9  0x00007ffff7fe6646 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rip	0x45f610 <JSFunction::nonLazyScript() const+48>
=> 0x45f610 <JSFunction::nonLazyScript() const+48>:	movl   $0x0,0x0
   0x45f61b <JSFunction::nonLazyScript() const+59>:	ud2
Maybe related to bug 1236098? We see this assertion also on some live sites with bughunter.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
user:        Nicolas B. Pierron
date:        Tue May 17 17:15:52 2016 +0000
summary:     Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. r=jandem,jorendorff,shu

This iteration took 0.811 seconds to run.
Flags: needinfo?(nicolas.b.pierron)
(In reply to Carsten Book [:Tomcat] from comment #1)
> Maybe related to bug 1236098? We see this assertion also on some live sites
> with bughunter.

This is likely.

I traced this issue, from the assert, to the bailout, and back to the codegen (thanks to rr).

The "scope_" value used in js::ScopeIter::settle comes from a baseline frame.  This value is the result of a bailout, at a MGetNameCache (id 24) OSI Point, and is equal to the value returned by MFunctionEnvironment (id 23).  This instruction returns the environment of the MLambda (id 15), thus its MCallObject (id 12).

From the "scope_", we look for the "callee()", which is set by the MStoreFixedSlot (id 14), with the value returned by the MLoadFixedSlot (id 6).  This corresponds to a GetAliasedVar {hops = 0; slot = 3}.  This MIR Graph represents the compiled code of the anonymous lambda function which is in the for-loop, thus this GetAliasedVar is supposed to be for the name "f". 

The assertion fails because the hasScript() function returns false.  I tracked down the "flags_" field of it, and it got created in generated assembly code, probably by some MLambda of the generated function.  The problem is that the flags_ is still set to INTERPRETED_LAZY while we expect it to be INTERPRETED.

The problem is that this assertion assumes that if we are evaluating the callee() of the scope chain, we would have a delazified function, which is a sound assumption knowing that we inlined its body in Ion.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
