Closed Bug 1231925 Opened 9 years ago Closed 9 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/builtin/TestingFunctions.cpp:1170

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla46
Tracking Status
firefox45 --- affected
firefox46 --- fixed

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 412e4d7ce98c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug1022081.js
enableSPSProfiling();
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1214006.js
oomTest(function() {
    eval("(function() {})()")
});

Backtrace:

0 js-dbg-64-dm-darwin-412e4d7ce98c 0x00000001006fae28 OOMTest(JSContext*, unsigned int, JS::Value*) + 1320 (TestingFunctions.cpp:1170)
1 js-dbg-64-dm-darwin-412e4d7ce98c 0x0000000100727ec2 js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 786 (jscntxtinlines.h:236)
2 js-dbg-64-dm-darwin-412e4d7ce98c 0x00000001007286fb js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 555 (Interpreter.cpp:496)
3 js-dbg-64-dm-darwin-412e4d7ce98c 0x000000010018963b js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2811 (BaselineIC.cpp:6155)
4 ??? 0x0000000101db5f6b 0 + 4326121323
5 ??? 0x0000000103d218c8 0 + 4359067848

With help from :jonco, we looked at this using the technique in:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Hacking_Tips#How_to_debug_oomTest%28%29_failures

and got:

frame #5: 0x00000001001eda14 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) [inlined] unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(this=0x0000000102b69400, numElems=72) + 8 at MallocProvider.h:90
frame #6: 0x00000001001eda0c js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) [inlined] mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>* js::MallocProvider<js::ExclusiveContext>::new_<mozilla::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy> >(this=0x0000000102b69400) at MallocProvider.h:190
frame #7: 0x00000001001eda0c js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CodeGenerator::link(this=0x000000010460a000, cx=0x0000000102b69400, constraints=<unavailable>) + 1228 at CodeGenerator.cpp:8204
frame #8: 0x0000000100268ab5 js-dbg-64-dm-darwin-412e4d7ce98c`LinkCodeGen(cx=0x0000000102b69400, builder=0x0000000103fe71c0, codegen=0x000000010460a000, scripts=MutableHandle<js::TraceableVector<JSScript *, 0, js::TempAllocPolicy, js::DefaultGCPolicy<JSScript *> > > @ 0x00007fff5fbfbf80, info=0x00007fff5fbfc140) + 293 at Ion.cpp:566
frame #9: 0x0000000100229669 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 559 at Ion.cpp:2270
frame #10: 0x000000010022943a js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::Compile(cx=0x0000000102b69400, script=<unavailable>, osrFrame=<unavailable>, osrPc=<unavailable>, constructing=true, forceRecompile=<unavailable>) + 4170 at Ion.cpp:2430
frame #11: 0x0000000100229fa2 js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::CanEnter(cx=0x0000000102b69400, state=0x00007fff5fbfc478) + 370 at Ion.cpp:2593
frame #12: 0x0000000100710e51 js-dbg-64-dm-darwin-412e4d7ce98c`js::RunScript(cx=0x0000000102b69400, state=0x00007fff5fbfc478) + 289 at Interpreter.cpp:367
frame #13: 0x0000000100727f29 js-dbg-64-dm-darwin-412e4d7ce98c`js::Invoke(cx=0x0000000102b69400, args=<unavailable>, construct=<unavailable>) + 889 at Interpreter.cpp:462
frame #14: 0x00000001007286fb js-dbg-64-dm-darwin-412e4d7ce98c`js::Invoke(cx=0x0000000102b69400, thisv=0x00007fff5fbfc770, fval=<unavailable>, argc=<unavailable>, argv=<unavailable>, rval=<unavailable>) + 555 at Interpreter.cpp:496
frame #15: 0x000000010018963b js-dbg-64-dm-darwin-412e4d7ce98c`js::jit::DoCallFallback(cx=0x0000000102b69400, frame=0x00007fff5fbfc978, stub_=0x0000000104606220, argc=0, vp=0x00007fff5fbfc938, res=<unavailable>) + 2811 at BaselineIC.cpp:6155
frame #16: 0x0000000101db5f6b

We used hg blame on CodeGenerator.cpp and the following region of code near:

https://hg.mozilla.org/mozilla-central/annotate/412e4d7ce98ca4dbc37de133d0f26d7e1a59946f/js/src/jit/CodeGenerator.cpp#l8205

might be involved, and its corresponding changeset is:

https://hg.mozilla.org/mozilla-central/rev/98498bec2d96

Shu-yu, is bug 1030389 a likely regressor?
Blocks: 1030389
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Comment on attachment 8698755
Correctly recover if allocating tracked optimizations go OOM.

Review of attachment 8698755:
-----------------------------------------------------------------

Looks good to me.

::: js/src/jit-test/tests/profiler/bug1231925.js
@@ +1,2 @@
> +enableSPSProfiling();
> +oomTest(function() {

This will need an |if (!('oomTest' in this)) quit();| line as oomTest() is not present in opt builds.
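Review bot: in the new test js/src/jit-test/tests/profiler/bug1231925.js, line 1 calls enableSPSProfiling() before anything checks that oomTest exists, so the availability guard requested in this review should be the first statement of the file, ahead of enableSPSProfiling(), letting a build without oomTest quit before profiling is switched on. A one-line comment noting that the original failure was seen with --ion-eager would also help, since nothing in these two visible lines records it.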
Attachment #8698755 - Flags: review?(jcoppeard) → review+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46