JS OOM Testing: Assertion failure: cx->isExceptionPending() || cx->runtime->hadOutOfMemory, at methodjit/Compiler.cpp:1010

RESOLVED FIXED in mozilla14

Status: Core, JavaScript Engine, critical, RESOLVED FIXED (6 years ago, 5 years ago)

People: Reporter: decoder, Assigned: decoder

Tracking: Trunk, mozilla14, x86_64, Linux, {assertion, testcase}

Attachments: 1 attachment, 2 obsolete attachments

Description

6 years ago
The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 7441 -f js/src/jit-test/tests/basic/bug621022-2.js


Here's the full backtrace of the last failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x44c9b1) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x45dce5) (JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x44f054) (js_NewGCObject(JSContext*, js::gc::AllocKind) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:462)
#3 js/src/debug64-trunk/js(+0x451bcd) (js::NewObjectCache::newObjectFromHit(JSContext*, int) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:1650)
#4 js/src/debug64-trunk/js(+0x461b94) (JSObject* js::NewArray<false>(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3772)
#5 js/src/debug64-trunk/js(+0x45d725) (js::NewDenseUnallocatedArray(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3841)
#6 js/src/debug64-trunk/js(+0x6d326e) (js::mjit::Compiler::jsop_newinit() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:6866)
#7 js/src/debug64-trunk/js(+0x6c06ac) (js::mjit::Compiler::generateMethod() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:2874)
#8 js/src/debug64-trunk/js(+0x6b4b76) (js::mjit::Compiler::performCompilation() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:550)
#9 js/src/debug64-trunk/js(+0x6b37ad) (js::mjit::Compiler::compile() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:150)
#10 js/src/debug64-trunk/js(+0x6b6b33) (js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:997)
#11 js/src/debug64-trunk/js(+0x5049ce) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:1777)
#12 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)

Created attachment 613629
patch

JSObject::createDenseArray reports OOM on failure, but not JSObject::create or NewObjectFromCacheHit.  Make things consistent.
Attachment #613629 - Flags: review?(luke)

Comment 2

5 years ago
Comment on attachment 613629
patch

It is rather unfortunate that they take a 'cx' and don't throw.
Attachment #613629 - Flags: review?(luke) → review+

Actually, it looks like ArenaLists::refillFreeList does report on OOM, and that the problem is in the JS_OOM_POSSIBLY_FAIL in jsgcinlines.h.  Christian, can you change this so that it calls js_ReportOutOfMemory(cx) when the OOM trigger is hit?
Attachment #613629 - Attachment is obsolete: true

Comment 4

5 years ago
Created attachment 613803
Patch

Patch that introduces a second macro that also calls js_ReportOutOfMemory with the given context. Currently only used in jsgcinlines then.
Assignee: general → choller
Status: NEW → ASSIGNED
Attachment #613803 - Flags: review?(bhackett1024)
Attachment #613803 - Flags: review?(bhackett1024) → review+
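
As an added illustration of the change described in the comment above (this is not the attached patch and not SpiderMonkey's code): a minimal C++ model of an allocation-failure injection point, with a silent variant and a variant that reports on the context, checked against the caller-side invariant from the assertion in the bug title. All names are hypothetical, and the trigger is assumed to fail every allocation after a configured count.

```cpp
// Added illustration; every name here is hypothetical, not SpiderMonkey's.
#include <cstdint>
#include <cstdio>

struct Context {                 // stand-in for JSContext
    bool exceptionPending = false;
    bool hadOutOfMemory = false;
};
struct Thing { int payload; };   // stand-in for a GC thing

static uint32_t oomCounter = 0;                 // allocations attempted so far
static uint32_t oomMaxAllocations = UINT32_MAX; // a test run lowers this (assumed semantics)

static bool oomTriggered() { return ++oomCounter > oomMaxAllocations; }
static void reportOutOfMemory(Context* cx) { cx->hadOutOfMemory = true; }

// Injection point that fails the allocation but leaves the context untouched.
#define OOM_POSSIBLY_FAIL() \
    do { if (oomTriggered()) return nullptr; } while (0)
// Injection point that reports on the context before failing.
#define OOM_POSSIBLY_FAIL_REPORT(cx) \
    do { if (oomTriggered()) { reportOutOfMemory(cx); return nullptr; } } while (0)

static Thing* newThingSilent(Context*) { OOM_POSSIBLY_FAIL(); return new Thing{0}; }
static Thing* newThingReporting(Context* cx) { OOM_POSSIBLY_FAIL_REPORT(cx); return new Thing{0}; }

// Caller-side invariant: a failed allocation must leave a report on the context.
static bool failureWasReported(const Context& cx, const Thing* result) {
    return result != nullptr || cx.exceptionPending || cx.hadOutOfMemory;
}

// Let `maxAllocs` allocations succeed, fail the rest, count unreported failures.
static int countUnreported(Thing* (*alloc)(Context*), uint32_t maxAllocs, uint32_t attempts) {
    oomCounter = 0;
    oomMaxAllocations = maxAllocs;
    int violations = 0;
    for (uint32_t i = 0; i < attempts; i++) {
        Context cx;              // fresh context so each failure is judged alone
        Thing* t = alloc(&cx);
        if (!failureWasReported(cx, t)) violations++;
        delete t;
    }
    oomMaxAllocations = UINT32_MAX;   // disable injection again
    return violations;
}

int main() {
    std::printf("silent: %d unreported\n", countUnreported(newThingSilent, 3, 5));
    std::printf("reporting: %d unreported\n", countUnreported(newThingReporting, 3, 5));
}
```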

Comment 5

5 years ago
Trying out this new autoland feature now before asking Gary to land this for me :D
Whiteboard: [autoland-try]

Updated

5 years ago
Whiteboard: [autoland-try] → [autoland-in-queue]

Comment 6

5 years ago
Autoland Patchset:
	Patches: 613803
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=93bf36c6da64
Try run started, revision 93bf36c6da64. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64

Comment 7

5 years ago
Try run for 93bf36c6da64 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64
Results (out of 15 total builds):
    exception: 8
    failure: 7
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-93bf36c6da64

Updated

5 years ago
Whiteboard: [autoland-in-queue]

Comment 8

5 years ago
Created attachment 614758
Updated patch

Fixed patch, nothing to see here, move along (or: breaking builds - like a boss).
Attachment #613803 - Attachment is obsolete: true
Attachment #614758 - Flags: review+

Updated

5 years ago
Whiteboard: [autoland-try]

Updated

5 years ago
Whiteboard: [autoland-try] → [autoland-in-queue]

Comment 9

5 years ago
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.

Updated

5 years ago
Whiteboard: [autoland-in-queue]

Updated

5 years ago
Attachment #614758 - Flags: review+

Updated

5 years ago
Whiteboard: [autoland-try]

Updated

5 years ago
Whiteboard: [autoland-try] → [autoland-in-queue]

Comment 10

5 years ago
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.

Updated

5 years ago
Whiteboard: [autoland-in-queue]

Comment 11

5 years ago
Once more, now with fixed privileges :)
Whiteboard: [autoland-try]

Updated

5 years ago
Whiteboard: [autoland-try] → [autoland-in-queue]

Comment 12

5 years ago
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=006f8487b8ac
Try run started, revision 006f8487b8ac. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac

Comment 13

5 years ago
Try run for 006f8487b8ac is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac
Results (out of 15 total builds):
    success: 15
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-006f8487b8ac

Updated

5 years ago
Whiteboard: [autoland-in-queue]
http://hg.mozilla.org/integration/mozilla-inbound/rev/cc905c76d8d5
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/cc905c76d8d5
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED