Closed
Bug 925146
Opened 11 years ago
Closed 11 years ago
Crash [@ js::types::TypeObjectKey::unknownProperties] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(2 files)
The attached testcase crashes on mozilla-central revision 64b497e6f593 (run with --fuzzing-safe --ion-eager).
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
Please kill it with fire before it lays eggs. Thanks :)
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
||
Comment 4•11 years ago
|
||
On 64bit I'm getting the correct OOM exception and on 32bit it's completing successfully. I used the following configury:
CC="gcc -m64" CXX="g++ -m64" ./configure --enable-optimize --enable-debug --enable-debug-symbols --enable-valgrind --enable-gczeal --enable-more-deterministic --enable-methodjit --enable-type-inference --enable-profiling --without-intl-api --disable-tests
I don't know enough about this code to infer what might be going on from the stack alone. Forwarding to Brian, who may have a better idea.
Flags: needinfo?(terrence) → needinfo?(bhackett1024)
|
||
Comment 6•11 years ago
|
||
Perhaps the stack in comment 1 doesn't suffice, gdb stack needed?
Flags: needinfo?(choller)
|
||
Comment 7•11 years ago
|
||
Yeah, it would be good to get a full gdb stack with a specified revision, especially when hitting a crash rather than an assertion failure. There are currently some MOZ_CRASH()'es which will be triggered by OOM in functions around here, which will largely go away when bug 924611 lands.
|
|
Reporter | |
Comment 8•11 years ago
|
||
Stack:
Program received signal SIGSEGV, Segmentation fault.
0x082e9df6 in js::types::TypeObjectKey::unknownProperties (this=<optimized out>) at js/src/jsinfer.cpp:687
687 MOZ_CRASH();
(gdb) bt
#0 0x082e9df6 in js::types::TypeObjectKey::unknownProperties (this=<optimized out>) at js/src/jsinfer.cpp:687
#1 0x082e1272 in js::types::TypeObjectKey::unknownProperties (this=0xf7932421) at js/src/jsinfer.cpp:686
#2 0x084aad10 in getSingletonPrototype (target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4610
#3 js::jit::IonBuilder::createThisScriptedSingleton (this=0x936c8b0, target=0xf7932420, callee=0x936d368) at js/src/jit/IonBuilder.cpp:4623
#4 0x084abbdd in createThis (callee=0x936d368, target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4675
#5 js::jit::IonBuilder::makeCallHelper (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5129
#6 0x084b0317 in js::jit::IonBuilder::makeCall (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5203
#7 0x084cbcbb in js::jit::IonBuilder::jsop_call (this=0x936c8b0, argc=4, constructing=true) at js/src/jit/IonBuilder.cpp:4955
#8 0x084cd748 in js::jit::IonBuilder::inspectOpcode (this=0x936c8b0, op=JSOP_NEW) at js/src/jit/IonBuilder.cpp:1471
#9 0x084c503f in js::jit::IonBuilder::traverseBytecode (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:1165
#10 0x084ce05e in js::jit::IonBuilder::build (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:605
#11 0x0848be32 in IonCompile (executionMode=js::SequentialExecution, constructing=2, osrPc=0x0, baselineFrame=0x0, script=0xf792cf80, cx=0x9350c88) at js/src/jit/Ion.cpp:1612
And here's a stack for the out of memory, maybe that helps even more:
Breakpoint 1, js_ReportOutOfMemory (cxArg=0x9350c88) at js/src/jscntxt.cpp:351
351 {
(gdb) bt
#0 js_ReportOutOfMemory (cxArg=0x9350c88) at js/src/jscntxt.cpp:351
#1 0x082d41aa in js::gc::ArenaLists::refillFreeList<(js::AllowGC)1> (cx=0x9350c88, thingKind=js::gc::FINALIZE_SCRIPT) at js/src/jsgc.cpp:1568
#2 0x0836f710 in NewGCThing<JSScript, (js::AllowGC)1> (cx=0x9350c88, kind=<optimized out>, thingSize=<optimized out>, heap=<optimized out>) at ../jsgcinlines.h:450
#3 js_NewGCScript (cx=0x9350c88) at ../jsgcinlines.h:501
#4 JSScript::Create (cx=0x9350c88, enclosingScope=..., savedCallerFun=false, options=..., staticLevel=1, sourceObject=..., bufStart=69, bufEnd=84) at js/src/jsscript.cpp:1678
#5 0x086d23df in js::frontend::CompileLazyFunction (cx=0x9350c88, lazy=0xf7938070, chars=0x937498a, length=15) at js/src/frontend/BytecodeCompiler.cpp:447
#6 0x082ae07a in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x9350c88, fun=...) at js/src/jsfun.cpp:1178
#7 0x082e109d in getOrCreateScript (cx=0x9350c88, this=<optimized out>) at ../jsfun.h:271
#8 JSObject::makeLazyType (cx=0x9350c88, obj=...) at js/src/jsinfer.cpp:3348
#9 0x0826ef9b in JSObject::getType (this=0xf7932420, cx=0x9350c88) at ../jsobjinlines.h:356
#10 0x082e1244 in js::types::TypeObjectKey::unknownProperties (this=0xf7932421) at js/src/jsinfer.cpp:685
#11 0x084aad10 in getSingletonPrototype (target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4610
#12 js::jit::IonBuilder::createThisScriptedSingleton (this=0x936c8b0, target=0xf7932420, callee=0x936d368) at js/src/jit/IonBuilder.cpp:4623
#13 0x084abbdd in createThis (callee=0x936d368, target=0xf7932420, this=0x936c8b0) at js/src/jit/IonBuilder.cpp:4675
#14 js::jit::IonBuilder::makeCallHelper (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5129
#15 0x084b0317 in js::jit::IonBuilder::makeCall (this=0x936c8b0, target=0xf7932420, callInfo=..., cloneAtCallsite=false) at js/src/jit/IonBuilder.cpp:5203
#16 0x084cbcbb in js::jit::IonBuilder::jsop_call (this=0x936c8b0, argc=4, constructing=true) at js/src/jit/IonBuilder.cpp:4955
#17 0x084cd748 in js::jit::IonBuilder::inspectOpcode (this=0x936c8b0, op=JSOP_NEW) at js/src/jit/IonBuilder.cpp:1471
#18 0x084c503f in js::jit::IonBuilder::traverseBytecode (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:1165
#19 0x084ce05e in js::jit::IonBuilder::build (this=0x936c8b0) at js/src/jit/IonBuilder.cpp:605
#20 0x0848be32 in IonCompile (executionMode=js::SequentialExecution, constructing=2, osrPc=0x0, baselineFrame=0x0, script=0xf792cf80, cx=0x9350c88) at js/src/jit/Ion.cpp:1612
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 9•11 years ago
|
||
Needinfo from Brian for the stacks in the previous comment :)
Flags: needinfo?(bhackett1024)
|
|
||
Comment 10•11 years ago
|
||
Yeah that's one of the MOZ_CRASH'es referenced in comment 7.
Depends on: 924611
Flags: needinfo?(bhackett1024)
|
|
||
Comment 11•11 years ago
|
||
Bug 924611 has landed. Does this still reproduce?
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 12•11 years ago
|
||
I haven't seen this in the OOM fuzzer anymore, so I assume it's fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•