As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact bugzilla-admin@mozilla.org
Last Comment Bug 914601 - Assertion failure: ok, at ../vm/GlobalObject.h:415 with OOM and ParallelArray
: Assertion failure: ok, at ../vm/GlobalObject.h:415 with OOM and ParallelArray
Status: RESOLVED FIXED
[jsbugmon:update]
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: mozilla26
Assigned To: Till Schneidereit [till]
: general
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928 872823
  Show dependency treegraph
 
Reported: 2013-09-10 05:56 PDT by Christian Holler (:decoder)
Modified: 2013-09-12 04:15 PDT (History)
6 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
[crash-signature] Machine-readable crash signature (619 bytes, text/plain)
2013-09-10 05:59 PDT, Christian Holler (:decoder)
no flags Details
Remove non-required, crashing-on-oom assert in GlobalObject::getIntrinsicValue. (1.37 KB, patch)
2013-09-11 05:43 PDT, Till Schneidereit [till]
terrence.d.cole: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2013-09-10 05:56:59 PDT
The following testcase asserts on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe --ion-eager):


oomAfterAllocations(51);
var p = new ParallelArray([1,2,3,4]);
Comment 1 User image Christian Holler (:decoder) 2013-09-10 05:59:19 PDT
Created attachment 802268 [details]
[crash-signature] Machine-readable crash signature
Comment 2 User image Christian Holler (:decoder) 2013-09-10 06:01:12 PDT
I'm seeing this assertion very frequently, but stacks vary. I'll try to figure out if there are more tests. At least one stack contains Intl instead of ParallelArray, others contain neither one nor the other.
Comment 3 User image Christian Holler (:decoder) 2013-09-10 10:03:06 PDT
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/23dda916c3d0
user:        Shu-yu Guo
date:        Sat May 11 22:39:46 2013 -0700
summary:     Bug 860965 - Part 1: Copy 1D ParallelArray operations to Array. (r=luke,nmatsakis)

This iteration took 327.077 seconds to run.
Comment 4 User image Jeff Walden [:Waldo] (remove +bmo to email) 2013-09-10 10:42:18 PDT
The assert is that a JS_DefineProperty in GlobalObject::getSelfHostedValue or whichever never fails.  Why we're asserting this, when the method has a perfectly reasonable bool failure return that could be propagated, I'm not entirely sure.
Comment 5 User image Till Schneidereit [till] 2013-09-10 11:02:22 PDT
The best explanation I can come up with is luke's request to add an assert that *getting* a self-hosted function succeeded: https://bugzilla.mozilla.org/show_bug.cgi?id=462300#c56

This then morphed (through emergent behavior nobody's responsible for) into the current weird construct. Will attach a patch to cut back the uncontrolled growth.
Comment 6 User image Terrence Cole [:terrence] 2013-09-10 12:07:30 PDT
Thanks for taking this OOM bug, Till!
Comment 7 User image Till Schneidereit [till] 2013-09-11 05:43:09 PDT
Created attachment 802967 [details] [diff] [review]
Remove non-required, crashing-on-oom assert in GlobalObject::getIntrinsicValue.

Just removing this should be fine and all that's needed
Comment 8 User image Terrence Cole [:terrence] 2013-09-11 09:00:06 PDT
Comment on attachment 802967 [details] [diff] [review]
Remove non-required, crashing-on-oom assert in GlobalObject::getIntrinsicValue.

Review of attachment 802967 [details] [diff] [review]:
-----------------------------------------------------------------

Yup. r=me
Comment 9 User image Till Schneidereit [till] 2013-09-11 14:10:17 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/38bcba92aa14

Thanks for the quick review.
Comment 10 User image Ed Morley [:emorley] 2013-09-12 04:15:27 PDT
https://hg.mozilla.org/mozilla-central/rev/38bcba92aa14

Note You need to log in before you can comment on or make changes to this bug.