Closed
Bug 1576865
Opened 5 years ago
Closed 5 years ago
Assertion failure: cx_->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:94 with ES6 Modules
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla70
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | unaffected |
| firefox70 | --- | fixed |
People
(Reporter: decoder, Assigned: tcampbell)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision c75d6a0539eb (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
function loadFile(lfVarx) {
oomTest(function() {
parseModule(lfVarx);
});
}
var lfLogBuffer = `
function DrawLine(From, To) {
for (; i64 < NumPix; i64++) {
if (Num >= Den) {}
}
if (CurN[0][2] < 0) {
if (!Q89.Line[0]) { DrawLine(Q89[0], Q89[1]); Q89.Line[0] = true; };
if (!Q89.Line[1]) { DrawLine(Q89[1], Q89[2]); Q89.Line[1] = true; };
if (!Q89.Line[2]) { DrawLine(Q89[2], Q89[3]); Q89.Line[2] = true; };
if (!Q89.Line[3]) { DrawLine(Q89[3], Q89[0]); Q89.Line[3] = true; };
}
if (CurN[1][2] < 0) {
if (!Q89.Line[2]) { DrawLine(Q89[3], Q89[2]); Q89.Line[2] = true; };
if (!Q89.Line[9]) { DrawLine(Q89[2], Q89[6]); Q89.Line[9] = true; };
if (!Q89.Line[4]) { DrawLine(Q89[4], Q89[5]); Q89.Line[4] = true; };
if (!Q89.Line[5]) { DrawLine(Q89[5], Q89[6]); Q89.Line[5] = true; };
if (!Q89.Line[6]) { DrawLine(Q89[6], Q89[7]); Q89.Line[6] = true; };
if (!Q89.Line[7]) { DrawLine(Q89[7], Q89[4]); Q89.Line[7] = true; };
}
if (CurN[3][2] < 0) {
if (!Q89.Line[4]) { DrawLine(Q89[4], Q89[5]); Q89.Line[4] = true; };
if (!Q89.Line[8]) { DrawLine(Q89[5], Q89[1]); Q89.Line[8] = true; };
if (!Q89.Line[0]) { DrawLine(Q89[1], Q89[0]); Q89.Line[0] = true; };
if (!Q89.Line[11]) { DrawLine(Q89[0], Q89[4]); Q89.Line[11] = true; };
if (CurN[4][2] < 0) {
if (!Q89.Line[11]) { DrawLine(Q89[4], Q89[0]); Q89.Line[11] = true; };
if (!Q89.Line[3]) { DrawLine(Q89[0], Q89[3]); Q89.Line[3] = true; };
if (!Q89.Line[9]) { DrawLine(Q89[6], Q89[2]); Q89.Line[9] = true; };
if (!Q89.Line[1]) { DrawLine(Q89[2], Q89[1]); Q89.Line[1] = true; };
}
}
}
`;
loadFile(lfLogBuffer);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 AutoAssertReportedException::~AutoAssertReportedException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:94
#1 0x0000555555fad5fb in InternalParseModule<char16_t> (cx=cx@entry=0x7ffff5f23000, optionsInput=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:796
#2 0x0000555555fadade in js::frontend::ParseModule (sourceObjectOut=0x0, srcBuf=..., optionsInput=..., cx=0x7ffff5f23000) at js/src/frontend/BytecodeCompiler.cpp:821
#3 CreateModule<char16_t> (srcBuf=..., options=..., cx=0x7ffff5f23000) at js/src/frontend/BytecodeCompiler.cpp:841
#4 js::frontend::CompileModule (cx=0x7ffff5f23000, options=..., srcBuf=...) at js/src/frontend/BytecodeCompiler.cpp:859
#5 0x0000555555848ae6 in ParseModule (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4765
[...]
#10 0x0000000000000000 in ?? ()
rax 0x555557d10120 93825033896224
rbx 0x7ffff5f23000 140737319677952
rcx 0x555556cf03a8 93825016988584
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffaa00 140737488333312
rsp 0x7fffffffa9f0 140737488333296
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffaab0 140737488333488
r13 0x7ffff5f23000 140737319677952
r14 0x0 0
r15 0x0 0
rip 0x555555fb0acd <AutoAssertReportedException::~AutoAssertReportedException()+93>
=> 0x555555fb0acd <AutoAssertReportedException::~AutoAssertReportedException()+93>: movl $0x0,0x0
0x555555fb0ad8 <AutoAssertReportedException::~AutoAssertReportedException()+104>: ud2
This is a longer standing issue that was really hard to reproduce until we found a suitable testcase now.
|
||
Updated•5 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•5 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/adac722a3dfc
user: Matthew Gaudet
date: Tue Aug 06 20:52:26 2019 +0000
summary: Bug 1567579 - Defer allocation of LazyScript to after parsing r=tcampbell
This iteration took 453.769 seconds to run.
Matthew, is bug 1567579 a likely regressor?
Flags: needinfo?(mgaudet)
Regressed by: 1567579
|
Assignee | |
Comment 3•5 years ago
|
||
I can reproduce. I'll take a look since Matt is still away.
Assignee: nobody → tcampbell
Flags: needinfo?(mgaudet)
Priority: -- → P1
|
|
Assignee | |
Comment 4•5 years ago
|
||
The issue is that we are seeing an OOM and not calling ReportOutOfMemory.
|
|
Assignee | |
Comment 5•5 years ago
|
||
The closedOverBinding set uses the SystemAllocPolicy so we must manually
raise OOM exceptions.
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/48fe03f87287
Add missing call to ReportOutOfMemory in LazyScriptCreationData. r=jwalden
|
||
Comment 7•5 years ago
|
||
Backed out changeset 48fe03f87287 (Bug 1576865) for spidermonkey bustages at bug-1576865-1.js:46:1
Backout: https://hg.mozilla.org/integration/autoland/rev/98d279815d44949d46d21b934fd8f3ab49600d2c
Push that started the failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&revision=48fe03f8728791a5a40e12d6223cacc2c2b4a96b&selectedJob=263737311
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263737311&repo=autoland&lineNumber=38077
Flags: needinfo?(tcampbell)
|
|
Assignee | |
Comment 8•5 years ago
|
||
Test case needed to check for 'oomTest'. Re-running tests now, but the change is only test annotation.
Flags: needinfo?(tcampbell)
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/afe2efc57104
Add missing call to ReportOutOfMemory in LazyScriptCreationData. r=jwalden
|
||
Comment 10•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
|
||
Updated•5 years ago
|
Keywords: regression
|
||
Updated•5 years ago
|
status-firefox68:
--- → unaffected
status-firefox69:
--- → unaffected
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite+
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•