1368570 - Assertion failure: co.script() != script, at js/src/vm/TypeInference.cpp:1432 with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision ebad93e11770 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-extra-checks):

var lfLogBuffer = `
var lfLogBufferx = \`
x
y
\`;
lfLogBufferx = lfLogBufferx.split('\\n');
while (true) {
    var line = lfLogBufferx.shift();
    if (line == null) break;
}
v = [, parseInt("123456789012345678") <<  
assertEq.loadFile().v()    
];
//corefuzz-dcd-endofdata
function testNaN(x) {
    assertEq(isNaN(x), true);
}
testNaN();
function testInfinity(x) {}
assertEq("flob" && this, true);
function testUndefined(x) {}
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        break;
    } else if (line == "//corefuzz-dcd-endofdata") {
        loadFile(lfCodeBuffer);
        lfCodeBuffer = "";
    } else {
        lfCodeBuffer += line + "\n";
    }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
    oomTest(function() { });
    oomTest(new Function(lfVarx));
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x08870056 in js::FinishCompilation (cx=0xf791d000, script=..., constraints=0xf5ab6108, precompileInfo=0xffffad00, isValidOut=0xffffacfe) at js/src/vm/TypeInference.cpp:1432
#0  0x08870056 in js::FinishCompilation (cx=0xf791d000, script=..., constraints=0xf5ab6108, precompileInfo=0xffffad00, isValidOut=0xffffacfe) at js/src/vm/TypeInference.cpp:1432
#1  0x0829c93d in js::jit::CodeGenerator::link (this=0xf5ac6000, cx=0xf791d000, constraints=0xf5ab6108) at js/src/jit/CodeGenerator.cpp:9893
#2  0x082b8495 in LinkCodeGen (cx=cx@entry=0xf791d000, builder=builder@entry=0xf5ab6150, codegen=0xf5ac6000) at js/src/jit/Ion.cpp:523
#3  0x0807318a in js::jit::IonCompile (cx=cx@entry=0xf791d000, script=<optimized out>, baselineFrame=baselineFrame@entry=0xffffb068, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2255
#4  0x0831ceed in js::jit::Compile (cx=cx@entry=0xf791d000, script=script@entry=..., osrFrame=osrFrame@entry=0xffffb068, osrPc=0x0, forceRecompile=false) at js/src/jit/Ion.cpp:2440
#5  0x0831d863 in BaselineCanEnterAtEntry (frame=0xffffb068, script=..., cx=0xf791d000) at js/src/jit/Ion.cpp:2569
#6  js::jit::IonCompileScriptForBaseline (cx=0xf791d000, frame=0xffffb068, pc=0xf7984a28 "\232") at js/src/jit/Ion.cpp:2692
#7  0x29b6ac94 in ?? ()
[...]
#11 0x29b68c66 in ?? ()
#12 0x0820c41e in EnterBaseline (cx=0x0, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
[...]
#17 0x08168e8a in js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#18 0x08562d76 in JS_CallFunction (cx=0xf791d000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2850
#19 0x08487c89 in OOMTest (cx=0xf791d000, argc=1, vp=0xf5e520b8) at js/src/builtin/TestingFunctions.cpp:1541
#20 0x08172ed6 in js::CallJSNative (cx=0xf791d000, native=0x84878c0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
[...]
#29 0x08230aef in js::jit::DoCallFallback (cx=0xf791d000, frame=0xffffbf78, stub_=0xf5fa9530, argc=1, vp=0xffffbf38, res=...) at js/src/jit/BaselineIC.cpp:2455
#30 0x29b6fd9c in ?? ()
#31 0xf5fa9530 in ?? ()
#32 0x29b68c66 in ?? ()
#33 0x0820c41e in EnterBaseline (cx=0x29b7174d, cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#34 0x0821ec74 in js::jit::EnterBaselineAtBranch (cx=0xf791d000, fp=0xf5e52018, pc=0xf7969b3c "\343\201C\b\377\377\377", <incomplete sequence \346\232>) at js/src/jit/BaselineJIT.cpp:268
#35 0x08167f6d in Interpret (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:1979
[...]
#44 Shell (envp=<optimized out>, op=0xffffcc20, cx=<optimized out>) at js/src/shell/js.cpp:8068
#45 main (argc=6, argv=0xffffcda4, envp=0xffffcdc0) at js/src/shell/js.cpp:8464
eax	0x0	0
ebx	0x8d55ff4	148201460
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xf7921000	-141422592
edi	0x1	1
ebp	0xffffac88	4294945928
esp	0xffffac00	4294945792
eip	0x8870056 <js::FinishCompilation(JSContext*, JS::Handle<JSScript*>, js::CompilerConstraintList*, js::RecompileInfo*, bool*)+630>
=> 0x8870056 <js::FinishCompilation(JSContext*, JS::Handle<JSScript*>, js::CompilerConstraintList*, js::RecompileInfo*, bool*)+630>:	movl   $0x0,0x0
   0x8870060 <js::FinishCompilation(JSContext*, JS::Handle<JSScript*>, js::CompilerConstraintList*, js::RecompileInfo*, bool*)+640>:	ud2    


Testcase is quite sensitive to reduction, wasn't able to break it down further.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/954eeda43262
user:        Jan de Mooij
date:        Fri Apr 21 10:05:12 2017 +0200
summary:     Bug 1357680 part 1 - Track Ion-inlined scripts explicitly so we can inline functions with unknown properties. r=bhackett

Probably related to bug 1357680?

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

FinishCompilation needs to follow the OOM handling strategy of the rest of the code (setting |succeeded| to false).

Comment 3

[Pulsebot]

Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c5cefe156423
Fix js::FinishCompilation to handle OOM correctly. r=nbp

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/c5cefe156423