1414174 - [wasm] Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:294

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision b2f459b88cab (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/asm.js/oom-helper-thread-plus-validation-error.js
oomAfterAllocations(1, 2);
// Adapted from randomly chosen test: js/src/jit-test/tests/wasm/streaming.js
var x = wasmTextToBinary('(module (func (export "run") (result i32) i32.const 42))');
WebAssembly.compileStreaming(x);
drainJobQueue();

Backtrace:

Assertion failure: !cx->isExceptionPending(), at /home/gkwubu/trees/mozilla-central/js/src/jscntxtinlines.h:294

Thread 1 "js-dbg-64-linux" received signal SIGSEGV, Segmentation fault.
0x000000000055dfd8 in js::CallJSNative (cx=0x7ffff6976000, native=0x4532d0 <DrainJobQueue(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/gkwubu/trees/mozilla-central/js/src/jscntxtinlines.h:294
warning: Source file is more recent than executable.
294	        MOZ_ASSERT_IF(!alreadyThrowing, !cx->isExceptionPending());
(gdb) bt
#0  0x000000000055dfd8 in js::CallJSNative (cx=0x7ffff6976000, native=0x4532d0 <DrainJobQueue(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/gkwubu/trees/mozilla-central/js/src/jscntxtinlines.h:294
#1  0x000000000055258f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6976000, args=..., construct=construct@entry=js::NO_CONSTRUCT)
    at /home/gkwubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:472
#2  0x000000000055296d in InternalCall (cx=0x7ffff6976000, args=...) at /home/gkwubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:521
#3  0x0000000000552a9a in js::CallFromStack (cx=<optimized out>, args=...) at /home/gkwubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:527
#4  0x000000000063a3c3 in js::jit::DoCallFallback (cx=0x7ffff6976000, frame=0x7fffffffc558, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc518, res=...)
    at /home/gkwubu/trees/mozilla-central/js/src/jit/BaselineIC.cpp:2539
#5  0x00000d36068184cb in ?? ()
#6  0xfffe7ffff7e00340 in ?? ()
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b9053d53c1ca
user:        Luke Wagner
date:        Tue Oct 10 14:17:50 2017 -0500
summary:     Bug 1347644 - Baldr: shell WebAssembly.compileStreaming and instantiateStreaming (r=till)

Luke, is bug 1347644 a likely regressor?

Comment 3

[Luke Wagner [:luke]]

Quite; I'll look into this as soon as I have some free time.

Comment 4

[Luke Wagner [:luke]]

Attachment: fix-oom-bug

Two silly OOM-handling bugs caught here.

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8926175 [details] [diff] [review]
fix-oom-bug

Review of attachment 8926175 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 6

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/babcc25a10ea
Baldr: fix OOM handling in compileStreaming (r=bbouvier)

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Backed out for failing Jit's tests/jit-test/jit-test/tests/wasm/regress/oom-wasm-streaming.js:

https://hg.mozilla.org/integration/mozilla-inbound/rev/5b1e338684c7fee1512606f4aedad79d87a39280

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=143103423&repo=mozilla-inbound
TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/wasm/regress/oom-wasm-streaming.js | /builds/worker/workspace/build/tests/jit-test/jit-test/tests/wasm/regress/oom-wasm-streaming.js:1:1 ReferenceError: oomAfterAllocations is not defined (code 3, args "") [0.1 s]
...

Comment 8

[Luke Wagner [:luke]]

Arg, just when I think I have something simple enough that I don't need to try-server...

Comment 9

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b592e6f5ac17
Baldr: fix OOM handling in compileStreaming (r=bbouvier)

Comment 10

[Natalia Csoregi [:nataliaCs]]

Backed out 1 changesets (bug 1414174) for bustage oom-wasm-streaming.js

Backout https://hg.mozilla.org/integration/mozilla-inbound/rev/c7095faa0112874e1804e2efad70699e5021eb53 

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=b592e6f5ac17d2868485016fd617d20fd834b50b&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=usercancel&filter-resultStatus=runnable&filter-resultStatus=retry

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=143131310&repo=mozilla-inbound&lineNumber=30242

Comment 11

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7fe2e79e4ef
Baldr: fix OOM handling in compileStreaming (r=bbouvier)

Comment 12

[Luke Wagner [:luke]]

D'oh, sorry again; --no-threads disables WebAssembly.compileStreaming.

Comment 13

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/f7fe2e79e4ef