1317329 - Assertion failure: mir->resumePoint(), at js/src/jit/shared/CodeGenerator-shared.cpp:1353 with OOM

Status: RESOLVED DUPLICATE of bug 1286505

(Core :: JavaScript Engine, defect, P3)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1196bf3032e1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

loadFile(`
function ExprArray(n,v) {
  for ( i = 0; i < n; i++) 
    this[i] = v;
}
function perfect(n) new ExprArray(n);
perfect(500);
`);
function loadFile(lfVarx) {
    oomTest(function() eval(lfVarx))
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::jit::CodeGeneratorShared::callVM (this=this@entry=0x7fffefd0c000, fun=..., ins=ins@entry=0x7fffefd1af10, dynStack=dynStack@entry=0x0) at js/src/jit/shared/CodeGenerator-shared.cpp:1353
#0  js::jit::CodeGeneratorShared::callVM (this=this@entry=0x7fffefd0c000, fun=..., ins=ins@entry=0x7fffefd1af10, dynStack=dynStack@entry=0x0) at js/src/jit/shared/CodeGenerator-shared.cpp:1353
#1  0x00000000005f67b2 in js::jit::CodeGenerator::visitOutOfLineStoreElementHole (this=0x7fffefd0c000, ool=<optimized out>) at js/src/jit/CodeGenerator.cpp:8496
#2  0x0000000000823772 in js::jit::CodeGeneratorShared::generateOutOfLineCode (this=this@entry=0x7fffefd0c000) at js/src/jit/shared/CodeGenerator-shared.cpp:183
#3  0x00000000008c4c38 in js::jit::CodeGeneratorX86Shared::generateOutOfLineCode (this=this@entry=0x7fffefd0c000) at js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:478
#4  0x000000000060847c in js::jit::CodeGenerator::generate (this=this@entry=0x7fffefd0c000) at js/src/jit/CodeGenerator.cpp:9390
#5  0x0000000000646d9a in js::jit::GenerateCode (mir=mir@entry=0x7fffefd10278, lir=0x7fffefd18750) at js/src/jit/Ion.cpp:2008
#6  0x00000000006b6ff6 in js::jit::CompileBackEnd (mir=mir@entry=0x7fffefd10278) at js/src/jit/Ion.cpp:2030
#7  0x00000000006b7afb in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffa828, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2304
#8  0x00000000006b8222 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffa828, osrPc=osrPc@entry=0x7ffff030a168 "\343\201;", forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2486
#9  0x00000000006b8ca0 in BaselineCanEnterAtBranch (pc=0x7ffff030a168 "\343\201;", osrFrame=0x7fffffffa828, script=..., cx=<optimized out>) at js/src/jit/Ion.cpp:2677
#10 js::jit::IonCompileScriptForBaseline (cx=0x7ffff695f000, frame=frame@entry=0x7fffffffa828, pc=pc@entry=0x7ffff030a168 "\343\201;") at js/src/jit/Ion.cpp:2735
#11 0x0000000000ec33d2 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff695f000, frame=0x7fffffffa828, stub=0x7fffefd0b2f8, infoPtr=0x7fffffffa7f8) at js/src/jit/BaselineIC.cpp:143
#12 0x00007ffff7e3db24 in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x20187c0	33654720
rbx	0x11e5350	18764624
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffa0d0	140737488330960
rsp	0x7fffffff9f30	140737488330544
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffefd154e8	140737216861416
r13	0x7fffefd24464	140737216922724
r14	0x7fffefd1af90	140737216884624
r15	0x201a6a0	33662624
rip	0x82a68f <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3055>
=> 0x82a68f <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3055>:	movl   $0x0,0x0
   0x82a69a <js::jit::CodeGeneratorShared::callVM(js::jit::VMFunction const&, js::jit::LInstruction*, js::jit::Register const*)+3066>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

This iteration took 0.288 seconds to run.

Comment 2

[Jan de Mooij [:jandem]]

Nicolas, what's the status here?

Comment 3

[Nicolas B. Pierron [:nbp]]

(In reply to Jan de Mooij [:jandem] from comment #2)
> Nicolas, what's the status here?

This is in my TODO list, and I would not able to get to it in the up coming month because of other priorities.

Comment 4

[Fuzzing Team]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision aa3e49299a3a).

Comment 5

[Julien Cristau [:jcristau]]

Too late for firefox 52, mass-wontfix.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Iain, this seems oom/oomTest-related, do you mind taking a look?

Comment 7

[Iain Ireland [:iain]]

This was fixed as part of bug 1286505. Prior to that patch, we had this code in IonBuilder::jsop_setelem:

         if (!setElemTryDense(&emitted, object, index, value, writeHole) || emitted)
             return emitted;

It was possible for setElemTryDense to set the emitted flag and then fail on a subsequent allocation: in this case, the allocation for the resume point. If that happened, we would inadvertently swallow the exception and continue with a null resume point. Eventually we would assert.

After patch 2 in bug 1286505, we have this, which avoids the bug:
         MOZ_TRY(setElemTryDense(&emitted, object, index, value, writeHole));
         if (emitted)
             return Ok();

Closing as duplicate of 1286505.