Closed
Bug 980941
Opened 12 years ago
Closed 8 years ago
Assertion failure: *this->getTail() != nullptr, at jit/shared/IonAssemblerBufferWithConstantPools.h:1039
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase asserts on mozilla-central revision 529b86b92b1d (x86 ARM simulator build, run with --fuzzing-safe --ion-eager):
x = gczeal(2);
for each(let a in 'b') {}
try { f2(); } catch(exc1) {}
oomAfterAllocations(1);
var i = 349818;
|
Reporter | |
Comment 1•12 years ago
|
||
This is an OOM issue, but fixing this makes testing on the simulator build easier :)
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 2•12 years ago
|
||
JSBugMon: Cannot process bug: Error: Unsupported architecture "ARM" required by bug
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
Reporter | |
Comment 3•12 years ago
|
||
JSBugMon: Bisection requested, failed due to error: Error: Unsupported architecture "ARM" required by bug
|
||
Comment 4•12 years ago
|
||
Looks like general issues in OOM paths. Have seen other failure paths without --ion-parallel-compile=off. Causes a different failure in the reworked code in bug 972710.
Blocks: 972710
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 5•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5ad5f92387a2
user: Jan de Mooij
date: Mon Apr 21 15:36:33 2014 -0700
summary: Bug 998596 - Add ARM simulator status to getBuildConfiguration. r=terrence
This iteration took 1939.576 seconds to run.
|
||
Comment 6•11 years ago
|
||
(In reply to Douglas Crosher [:dougc] from comment #4)
> Looks like general issues in OOM paths. Have seen other failure paths
> without --ion-parallel-compile=off. Causes a different failure in the
> reworked code in bug 972710.
> The first good revision is:
> changeset: https://hg.mozilla.org/mozilla-central/rev/5ad5f92387a2
This likely regressed before this changeset, but I'll move on since :dougc has taken a look.
|
|
||
Comment 7•11 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #6)
> (In reply to Douglas Crosher [:dougc] from comment #4)
> > Looks like general issues in OOM paths. Have seen other failure paths
> > without --ion-parallel-compile=off. Causes a different failure in the
> > reworked code in bug 972710.
>
> > The first good revision is:
> > changeset: https://hg.mozilla.org/mozilla-central/rev/5ad5f92387a2
>
> This likely regressed before this changeset, but I'll move on since :dougc
> has taken a look.
This is a good test for oom issues. It still crashes even with the asm buffer simplifications in bug 1026919. The latest crash is:
Assertion failure: [unhandlable oom] LifoAlloc::allocInfallible, at js/src/jscntxt.cpp:1427
Hit MOZ_CRASH() at js/src/jscntxt.cpp:1428
Program received signal SIGSEGV, Segmentation fault.
0x08478359 in js::CrashAtUnhandlableOOM (reason=reason@entry=0x87e37c2 "LifoAlloc::allocInfallible") at js/src/jscntxt.cpp:1428
1428 MOZ_CRASH();
Missing separate debuginfos, use: debuginfo-install glibc-2.17-20.fc19.i686 libgcc-4.8.2-7.fc19.i686 libstdc++-4.8.2-7.fc19.i686 nspr-4.10.5-1.fc19.i686
(gdb) back
#0 0x08478359 in js::CrashAtUnhandlableOOM (reason=reason@entry=0x87e37c2 "LifoAlloc::allocInfallible") at js/src/jscntxt.cpp:1428
#1 0x0826e44f in js::LifoAlloc::allocInfallible (this=0xf7a2d130, n=44) at js/src/ds/LifoAlloc.h:279
#2 0x083b69e2 in allocateInfallible (bytes=44, this=<optimized out>) at js/src/jit/IonAllocPolicy.h:37
#3 operator new (alloc=..., nbytes=44) at js/src/jit/IonAllocPolicy.h:178
#4 allocate (this=0xffffc2a8) at js/src/jit/IonAllocPolicy.h:205
#5 js::jit::MoveResolver::addMove (this=this@entry=0xffffc050, from=..., to=..., type=js::jit::MoveOp::GENERAL) at js/src/jit/MoveResolver.cpp:28
#6 0x084593e0 in js::jit::MacroAssemblerARMCompat::passSoftFpABIArg (this=this@entry=0xffffb918, from=..., type=type@entry=js::jit::MoveOp::GENERAL)
at js/src/jit/arm/MacroAssembler-arm.cpp:3824
#7 0x0845954b in passABIArg (type=js::jit::MoveOp::GENERAL, from=..., this=0xffffb918) at js/src/jit/arm/MacroAssembler-arm.cpp:3836
#8 js::jit::MacroAssemblerARMCompat::passABIArg (this=this@entry=0xffffb918, reg=reg@entry=...) at js/src/jit/arm/MacroAssembler-arm.cpp:3847
...
If the intention is for the compiler to fail gracefully on oom then why would there be a allocateInfallible method? Something to explore.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1735ff2bb23e).
|
||
Comment 9•8 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #8)
> JSBugMon: The testcase found in this bug no longer reproduces (tried
> revision 1735ff2bb23e).
Closing then.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
||
Comment 10•8 years ago
|
||
If we don't know which patch fixed the bug, WFM is the correct resolution.
Resolution: FIXED → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•