Last Comment Bug 917759 - Assertion failure: !cx->isExceptionPending(), at jit/IonBuilder.cpp:3779 with OOM
: Assertion failure: !cx->isExceptionPending(), at jit/IonBuilder.cpp:3779 with...
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
-- critical (vote)
: mozilla27
Assigned To: Brian Hackett (:bhackett)
: general
: Jason Orendorff [:jorendorff]
Depends on: 924611
Blocks: langfuzz 912928 872823
  Show dependency treegraph
Reported: 2013-09-18 05:26 PDT by Christian Holler (:decoder)
Modified: 2013-11-13 12:25 PST (History)
8 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

[crash-signature] Machine-readable crash signature (785 bytes, text/plain)
2013-09-18 05:30 PDT, Christian Holler (:decoder)
no flags Details

Description User image Christian Holler (:decoder) 2013-09-18 05:26:18 PDT
The following testcase asserts on mozilla-central revision ab4ccf3d6b60 (run with --fuzzing-safe --ion-eager):

gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function A(a) { this.a = a; }
function B(b) { this.b = b; }
function C(c) { this.c = c; }
function makeArray(n) {
    var classes = [A, B, C];
    var arr = [];
    for (var i = 0; i < n; i++) {
        arr.push(new classes[i % 3](i % 3));
var arr = makeArray(30000);
Comment 1 User image Christian Holler (:decoder) 2013-09-18 05:30:09 PDT
Created attachment 806583 [details]
[crash-signature] Machine-readable crash signature
Comment 2 User image Christian Holler (:decoder) 2013-09-18 05:31:39 PDT
Just hit this OOM error again and since the other isExceptionPending assertion has been fixed, this must be something new.
Comment 3 User image Christian Holler (:decoder) 2013-09-18 08:57:10 PDT
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Hannes Verschore
date:        Fri Jan 04 17:11:32 2013 +0100
summary:     Bug 825705: Creating this on caller-side shouldn't query prototype for unknown objects, r=jandem

This iteration took 124.057 seconds to run.
Comment 4 User image Christian Holler (:decoder) 2013-09-22 03:56:32 PDT
Hannes, can you look at this one?
Comment 5 User image Hannes Verschore [:h4writer] 2013-09-28 09:46:15 PDT
Kannan, can you have a look? I think we have an pending exception in the parent before inlining. At least I see no reason why that wouldn't be possible. So this assert needs to get deleted, maybe handled like the check you introduced after inlining?
Comment 6 User image Hannes Verschore [:h4writer] 2013-09-28 09:47:03 PDT
(In reply to Christian Holler (:decoder) from comment #4)
> Hannes, can you look at this one?

Sorry about the delay in checking this, but was on Holiday...
Comment 7 User image Christian Holler (:decoder) 2013-10-14 19:38:07 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ddd03c32fab1).
Comment 8 User image Hannes Verschore [:h4writer] 2013-10-27 06:01:19 PDT
Is it normal it takes so long to bisect the range to find the fix?
Comment 9 User image Christian Holler (:decoder) 2013-11-05 13:15:59 PST
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
user:        Brian Hackett
date:        Mon Oct 14 12:13:41 2013 -0600
summary:     Bug 924611 - Don't create lazy type objects and type properties in IonBuilder, r=jandem.

This iteration took 417.636 seconds to run.
Comment 10 User image Hannes Verschore [:h4writer] 2013-11-13 01:56:49 PST
Brian: do you think this could have solved this issue? I don't see a change that could be linked with the introduction of the bug. Or do you think this has only hidden the problem?
Comment 11 User image Brian Hackett (:bhackett) 2013-11-13 06:08:51 PST
Yeah, since IonBuilder doesn't use a cx anymore except for limited cases in the definite properties analysis it doesn't create many exceptions anymore.

Note You need to log in before you can comment on or make changes to this bug.