Closed
Bug 1216157
Opened 9 years ago
Closed 9 years ago
Crash [@ js::jit::AutoWritableJitCode::AutoWritableJitCode] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
Tracking | Status | |
---|---|---|
firefox44 | --- | fixed |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
(deleted), patch | jonco: review+
The following testcase crashes on mozilla-central revision 01e37977f8da (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager):
gcslice(0); // Start IGC, but don't mark anything.
function f(str) {
    for (var i = 0; i < 10; i++) {
        arr = /foo(ba(r))?/.exec(str);
        var x = arr[oomAfterAllocations(100)] + " " + arr[1] + " " + 1899;
    }
}
f("foo");
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::jit::AutoWritableJitCode::AutoWritableJitCode (this=0x7fffffffb5f0, code=0x0) at js/src/jit/JitCompartment.h:513
#0 js::jit::AutoWritableJitCode::AutoWritableJitCode (this=0x7fffffffb5f0, code=0x0) at js/src/jit/JitCompartment.h:513
#1 0x000000000062b1fa in js::jit::JitCode::togglePreBarriers (this=this@entry=0x0, enabled=enabled@entry=true) at js/src/jit/Ion.cpp:872
#2 0x0000000000603c2d in js::jit::JitCompartment::generateRegExpExecStub (this=this@entry=0x7ffff69160b0, cx=cx@entry=0x7ffff6906c00) at js/src/jit/CodeGenerator.cpp:1450
#3 0x00000000006e55f4 in ensureRegExpExecStubExists (cx=0x7ffff6906c00, this=0x7ffff69160b0) at js/src/jit/JitCompartment.h:467
#4 js::jit::IonBuilder::inlineRegExpExec (this=0x7ffff69b5258, callInfo=...) at js/src/jit/MCallOptimize.cpp:1852
#5 0x000000000066c96d in js::jit::IonBuilder::inlineSingleCall (this=0x7ffff69b5258, callInfo=..., targetArg=<optimized out>) at js/src/jit/IonBuilder.cpp:5518
#6 0x000000000066e07c in js::jit::IonBuilder::inlineCallsite (this=this@entry=0x7ffff69b5258, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:5582
#7 0x000000000066e415 in js::jit::IonBuilder::jsop_call (this=this@entry=0x7ffff69b5258, argc=1, constructing=<optimized out>) at js/src/jit/IonBuilder.cpp:6468
#8 0x0000000000667b6e in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69b5258, op=op@entry=JSOP_CALL) at js/src/jit/IonBuilder.cpp:1871
#9 0x0000000000668f30 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69b5258) at js/src/jit/IonBuilder.cpp:1517
#10 0x00000000006693a5 in js::jit::IonBuilder::build (this=0x7ffff69b5258) at js/src/jit/IonBuilder.cpp:913
#11 0x000000000068838d in js::jit::IonCompile (cx=cx@entry=0x7ffff6906c00, script=script@entry=0x7ffff3f86090, baselineFrame=baselineFrame@entry=0x7fffffffcbd8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::Optimization_Normal) at js/src/jit/Ion.cpp:2176
#12 0x0000000000688e2a in js::jit::Compile (cx=cx@entry=0x7ffff6906c00, script=..., script@entry=..., osrFrame=0x7fffffffcbd8, osrPc=osrPc@entry=0x7ffff69176ae "\343\201V", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2414
#13 0x00000000006890c1 in js::jit::CanEnterAtBranch (cx=cx@entry=0x7ffff6906c00, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcbd8, pc=pc@entry=0x7ffff69176ae "\343\201V") at js/src/jit/Ion.cpp:2501
#14 0x0000000000bfb18d in EnsureCanEnterIon (stub=<optimized out>, jitcodePtr=<synthetic pointer>, pc=0x7ffff69176ae "\343\201V", script=..., frame=0x7fffffffcbd8, cx=0x7ffff6906c00) at js/src/jit/BaselineIC.cpp:104
#15 js::jit::DoWarmUpCounterFallback (cx=0x7ffff6906c00, frame=0x7fffffffcbd8, stub=<optimized out>, infoPtr=0x7fffffffcba0) at js/src/jit/BaselineIC.cpp:268
#16 0x00007ffff7e50f69 in ?? ()
[...]
#27 0x0000000000000000 in ?? ()
rax 0x7fffffffb5f0 140737488336368
rbx 0x0 0
rcx 0xc3 195
rdx 0x7ffff6937000 140737330245632
rsi 0x0 0
rdi 0x7fffffffb5f0 140737488336368
rbp 0x7fffffffb5c0 140737488336320
rsp 0x7fffffffb5a0 140737488336288
r8 0x0 0
r9 0xe4af48 14987080
r10 0xb 11
r11 0xe4af48 14987080
r12 0x7fffffffb880 140737488337024
r13 0x1 1
r14 0x7fffffffb890 140737488337040
r15 0x7fffffffb8a0 140737488337056
rip 0x60c84f <js::jit::AutoWritableJitCode::AutoWritableJitCode(js::jit::JitCode*)+15>
=> 0x60c84f <js::jit::AutoWritableJitCode::AutoWritableJitCode(js::jit::JitCode*)+15>: mov 0x10(%rsi),%r13d
0x60c853 <js::jit::AutoWritableJitCode::AutoWritableJitCode(js::jit::JitCode*)+19>: mov (%rsi),%r14
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Assignee
Updated•9 years ago
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Assignee
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Assignee
Comment 1•9 years ago
Missing an OOM check. This only crashes when we're in the middle of an incremental GC, else we don't call togglePreBarriers.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8676199 -
Flags: review?(jcoppeard)
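The pattern Comment 1 describes, as an added C++ model (not the deleted patch and not SpiderMonkey code): an unchecked fallible allocation whose result is dereferenced only while an incremental GC is active, so an OOM-injection sweep catches it only when crossed with GC state. All names (`tryNewCode`, `generateStub`, `sweep`) are hypothetical.

```cpp
// Added model of the bug pattern; all names are hypothetical, not SpiderMonkey's.
#include <cstdio>
#include <new>

struct Code { bool preBarriers = false; };

static int g_failAt = -1;     // index of the allocation forced to fail; -1 = none
static int g_allocCount = 0;

// Fallible allocator with fault injection, in the spirit of oomAfterAllocations().
static Code* tryNewCode() {
    if (g_allocCount++ == g_failAt) return nullptr;
    return new (std::nothrow) Code();
}

enum class Outcome { Ok, CleanFailure, NullDeref };

// Builds a stub; pre-barriers are toggled only while an incremental GC is active.
static Outcome generateStub(bool incrementalGC, bool checkOOM) {
    Code* code = tryNewCode();
    if (checkOOM && !code) return Outcome::CleanFailure;  // the kind of check that was missing
    if (incrementalGC) {
        if (!code) return Outcome::NullDeref;  // stands in for a member call on nullptr
        code->preBarriers = true;
    }
    if (!code) return Outcome::CleanFailure;   // outside GC the caller just sees null
    delete code;
    return Outcome::Ok;
}

struct Tally { int ok = 0, clean = 0, nullDeref = 0; };

// Fails each allocation in turn and tallies how the generator reacts.
static Tally sweep(bool incrementalGC, bool checkOOM, int maxAllocs = 4) {
    Tally t;
    for (int failAt = -1; failAt < maxAllocs; ++failAt) {
        g_failAt = failAt;
        g_allocCount = 0;
        Outcome o = generateStub(incrementalGC, checkOOM);
        if (o == Outcome::Ok) ++t.ok;
        else if (o == Outcome::CleanFailure) ++t.clean;
        else ++t.nullDeref;
    }
    return t;
}
int main() {
    for (int gc = 0; gc < 2; ++gc)
        for (int chk = 0; chk < 2; ++chk)
            std::printf("gc=%d check=%d nullDeref=%d\n", gc, chk, sweep(gc, chk).nullDeref);
}
```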
Updated•9 years ago
Attachment #8676199 - Flags: review?(jcoppeard) → review+
Comment 3•9 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44