Bug 734976 - JS OOM Testing: Assertion failure: cx->isExceptionPending() || cx->runtime->hadOutOfMemory, at methodjit/Compiler.cpp:1010
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla14
Assigned To: Christian Holler (:decoder)
Reported: 2012-03-12 12:13 PDT by Christian Holler (:decoder)
Modified: 2012-04-15 04:37 PDT


Attachments
patch (1.87 KB, patch)
2012-04-10 09:03 PDT, Brian Hackett (:bhackett)
luke: review+
Patch (1.85 KB, patch)
2012-04-10 15:44 PDT, Christian Holler (:decoder)
bhackett1024: review+
Updated patch (1.86 KB, patch)
2012-04-13 06:23 PDT, Christian Holler (:decoder)
choller: review+
jdemooij: review+

Description Christian Holler (:decoder) 2012-03-12 12:13:57 PDT
The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 7441 -f js/src/jit-test/tests/basic/bug621022-2.js


Here's the full backtrace of the last failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x44c9b1) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x45dce5) (JSObject* js::gc::NewGCThing<JSObject>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x44f054) (js_NewGCObject(JSContext*, js::gc::AllocKind) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:462)
#3 js/src/debug64-trunk/js(+0x451bcd) (js::NewObjectCache::newObjectFromHit(JSContext*, int) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:1650)
#4 js/src/debug64-trunk/js(+0x461b94) (JSObject* js::NewArray<false>(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3772)
#5 js/src/debug64-trunk/js(+0x45d725) (js::NewDenseUnallocatedArray(JSContext*, unsigned int, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsarray.cpp:3841)
#6 js/src/debug64-trunk/js(+0x6d326e) (js::mjit::Compiler::jsop_newinit() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:6866)
#7 js/src/debug64-trunk/js(+0x6c06ac) (js::mjit::Compiler::generateMethod() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:2874)
#8 js/src/debug64-trunk/js(+0x6b4b76) (js::mjit::Compiler::performCompilation() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:550)
#9 js/src/debug64-trunk/js(+0x6b37ad) (js::mjit::Compiler::compile() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:150)
#10 js/src/debug64-trunk/js(+0x6b6b33) (js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/Compiler.cpp:997)
#11 js/src/debug64-trunk/js(+0x5049ce) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:1777)
#12 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)
Comment 1 Brian Hackett (:bhackett) 2012-04-10 09:03:46 PDT
Created attachment 613629
patch

JSObject::createDenseArray reports OOM on failure, but not JSObject::create or NewObjectFromCacheHit.  Make things consistent.
Comment 2 Luke Wagner [:luke] 2012-04-10 09:35:55 PDT
Comment on attachment 613629
patch

It is rather unfortunate that they take a 'cx' and don't throw.
Comment 3 Brian Hackett (:bhackett) 2012-04-10 12:53:33 PDT
Actually, it looks like ArenaLists::refillFreeList does report on OOM, and that the problem is in the JS_OOM_POSSIBLY_FAIL in jsgcinlines.h.  Christian, can you change this so that it calls js_ReportOutOfMemory(cx) when the OOM trigger is hit?
Comment 4 Christian Holler (:decoder) 2012-04-10 15:44:11 PDT
Created attachment 613803
Patch

Patch that introduces a second macro that also calls js_ReportOutOfMemory with the given context. Currently only used in jsgcinlines then.
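
Added illustration, not part of the bug thread or of the Mozilla patch: a toy C++ model of the behaviour discussed in Comments 3 and 4, showing why a simulated allocation failure that returns null without reporting to the context trips the caller's `isExceptionPending() || hadOutOfMemory` check, and how a reporting macro satisfies it. `Context`, `OOM_POSSIBLY_FAIL_REPORT`, `Compile`, `FirstViolation` and the counter semantics are assumptions made for the model, not SpiderMonkey code.

```cpp
// Toy model of the OOM fault injection in this bug (constructed; not SpiderMonkey source).
#include <cstdint>

struct Context {                        // stands in for JSContext plus runtime state
    bool exceptionPending = false;
    bool hadOutOfMemory = false;
};

static uint32_t oomCounter = 0;         // allocations seen so far
static uint32_t oomFailAt = UINT32_MAX; // assumed semantics: fail from this count on

static bool OomTriggerHit() { return oomCounter++ >= oomFailAt; }
// Models js_ReportOutOfMemory(cx): assumed here to record the OOM on the context.
static void ReportOutOfMemory(Context* cx) { cx->hadOutOfMemory = true; }

// Silent variant: simulated failure returns nullptr and tells the context nothing.
#define OOM_POSSIBLY_FAIL() \
    do { if (OomTriggerHit()) return nullptr; } while (0)
// Reporting variant (hypothetical name): records the OOM before failing.
#define OOM_POSSIBLY_FAIL_REPORT(cx) \
    do { if (OomTriggerHit()) { ReportOutOfMemory(cx); return nullptr; } } while (0)

static int cell;                        // dummy storage handed out on success
static void* NewThingSilent(Context*) { OOM_POSSIBLY_FAIL(); return &cell; }
static void* NewThingReporting(Context* cx) { OOM_POSSIBLY_FAIL_REPORT(cx); return &cell; }

using Alloc = void* (*)(Context*);

// A "compile" that needs `allocs` allocations and bails out on the first failure.
static bool Compile(Context* cx, Alloc alloc, uint32_t allocs) {
    for (uint32_t i = 0; i < allocs; i++)
        if (!alloc(cx)) return false;
    return true;
}

// Sweep the failure point over every allocation, as an OOM test run does, and
// check the caller-side invariant: a failed compile must leave an exception
// pending or hadOutOfMemory set. Returns the first failure point that breaks
// the invariant, or -1 if none does.
static int FirstViolation(Alloc alloc, uint32_t allocs) {
    for (uint32_t failAt = 0; failAt <= allocs; failAt++) {
        Context cx;
        oomCounter = 0;
        oomFailAt = failAt;
        bool ok = Compile(&cx, alloc, allocs);
        if (!ok && !(cx.exceptionPending || cx.hadOutOfMemory)) return (int)failAt;
    }
    return -1;
}

int main() {  // exit code 0 when the silent variant breaks the invariant and the reporting one does not
    return (FirstViolation(NewThingSilent, 3) == 0 && FirstViolation(NewThingReporting, 3) == -1) ? 0 : 1;
}
```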
Comment 5 Christian Holler (:decoder) 2012-04-13 05:06:15 PDT
Trying out this new autoland feature now before asking Gary to land this for me :D
Comment 6 Mozilla RelEng Bot 2012-04-13 05:11:10 PDT
Autoland Patchset:
	Patches: 613803
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=93bf36c6da64
Try run started, revision 93bf36c6da64. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64
Comment 7 Mozilla RelEng Bot 2012-04-13 06:15:50 PDT
Try run for 93bf36c6da64 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=93bf36c6da64
Results (out of 15 total builds):
    exception: 8
    failure: 7
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-93bf36c6da64
Comment 8 Christian Holler (:decoder) 2012-04-13 06:23:04 PDT
Created attachment 614758
Updated patch

Fixed patch, nothing to see here, move along (or: breaking builds - like a boss).
Comment 9 Mozilla RelEng Bot 2012-04-13 06:26:26 PDT
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.
Comment 10 Mozilla RelEng Bot 2012-04-13 06:45:09 PDT
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
Insufficient permissions to push to try.
Comment 11 Christian Holler (:decoder) 2012-04-14 08:14:28 PDT
Once more, now with fixed privileges :)
Comment 12 Mozilla RelEng Bot 2012-04-14 08:17:50 PDT
Autoland Patchset:
	Patches: 614758
	Branch: mozilla-central => try
	Destination: http://hg.mozilla.org/try/pushloghtml?changeset=006f8487b8ac
Try run started, revision 006f8487b8ac. To cancel or monitor the job, see: https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac
Comment 13 Mozilla RelEng Bot 2012-04-14 11:30:30 PDT
Try run for 006f8487b8ac is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=006f8487b8ac
Results (out of 15 total builds):
    success: 15
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/autolanduser@mozilla.com-006f8487b8ac
Comment 14 Gary Kwong [:gkw] [:nth10sd] 2012-04-14 11:38:52 PDT
http://hg.mozilla.org/integration/mozilla-inbound/rev/cc905c76d8d5
