Closed Bug 1299007 Opened 8 years ago Closed 8 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox51 --- fix-optional
firefox52 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Ensure enough ballast space in RangeAnalysis::prepareForUCE.
2.58 KB, patch
sunfish
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 1a5b53a831e5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

evalInFrame = function(global) {
   dbgGlobal = newGlobal()
   dbg = new dbgGlobal.Debugger
   return function(upCount, code) {
       dbg.addDebuggee(global)
       var frame = dbg.getNewestFrame().older
       for (var i = 0; i < upCount; i++)
           if (!frame) frame = older
       completion = frame.eval(code)
   }
}(this);
function h() {
    evalInFrame(0, "")
    evalInFrame(0, "i")
    evalInFrame(0, "a.push")
    evalInFrame(1, "a.pushy")
}
function g() h()
function f() g()
f()
evaluate(`
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
g()
h()
`);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cb035f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69aa180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#0  0x0000000000cb035f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69aa180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1  0x0000000000561873 in js::LifoAlloc::allocImpl (n=120, this=0x7ffff69aa180) at js/src/ds/LifoAlloc.h:225
#2  js::LifoAlloc::allocInfallible (this=0x7ffff69aa180, n=120) at js/src/ds/LifoAlloc.h:291
#3  0x000000000073a780 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4  js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5  js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1046
#6  js::jit::MConstant::New (alloc=..., v=..., constraints=constraints@entry=0x0) at js/src/jit/MIR.cpp:744
#7  0x0000000000789276 in js::jit::RangeAnalysis::prepareForUCE (this=this@entry=0x7fffffffbc70, shouldRemoveDeadCode=shouldRemoveDeadCode@entry=0x7fffffffbc40) at js/src/jit/RangeAnalysis.cpp:3499
#8  0x00000000006a38f0 in js::jit::OptimizeMIR (mir=mir@entry=0x7ffff699e1c0) at js/src/jit/Ion.cpp:1749
#9  0x00000000006a3fda in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff699e1c0) at js/src/jit/Ion.cpp:2025
#10 0x00000000006a4b8b in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2303
#11 0x00000000006a5209 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=osrPc@entry=0x0, constructing=<optimized out>, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2479
#12 0x00000000006a541e in js::jit::CanEnter (cx=cx@entry=0x7ffff695f000, state=...) at js/src/jit/Ion.cpp:2571
#13 0x0000000000ad669b in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:376
#14 0x0000000000adf69e in js::ExecuteKernel (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffcda8) at js/src/vm/Interpreter.cpp:681
#15 0x0000000000adfa40 in js::Execute (cx=cx@entry=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x7fffffffcda8) at js/src/vm/Interpreter.cpp:714
#16 0x00000000008b7435 in ExecuteScript (cx=cx@entry=0x7ffff695f000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x7fffffffcda8) at js/src/jsapi.cpp:4288
#17 0x00000000008bae8b in JS_ExecuteScript (cx=cx@entry=0x7ffff695f000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4314
#18 0x0000000000457ea4 in Evaluate (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=0x7fffffffcda8) at js/src/shell/js.cpp:1638
#19 0x0000000000ae6349 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0x4575c0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#20 0x0000000000ad6873 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:454
#21 0x0000000000ad6ba6 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:499
#22 0x0000000000ad6cca in js::CallFromStack (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#23 0x0000000000e55a21 in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffcdf8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcda8, res=...) at js/src/jit/BaselineIC.cpp:5993
#24 0x00007ffff7e3d08a in ?? ()
[...]
#46 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x8000	32768
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffba90	140737488337552
rsp	0x7fffffffb9d0	140737488337360
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff59e2000	140737314168832
r13	0x7ffff69aa180	140737330717056
r14	0x78	120
r15	0x0	0
rip	0xcb035f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>
=> 0xcb035f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>:	movl   $0x0,0x0
   0xcb036a <js::LifoAlloc::getOrCreateChunk(unsigned long)+858>:	ud2
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Make MConstant::New use a fallible allocator, such that we can reserve
ballast space for allocating MConstant if we have many unreachable basic
blocks.
Attachment #8788444 - Flags: review?(sunfish)
Flags: needinfo?(nicolas.b.pierron)
Attachment #8788444 - Flags: review?(sunfish) → review+
ping to land?
Flags: needinfo?(nicolas.b.pierron)
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cf671d01914d
Ensure enough ballast space in RangeAnalysis::prepareForUCE. r=sunfish
Flags: needinfo?(nicolas.b.pierron)
https://hg.mozilla.org/mozilla-central/rev/cf671d01914d
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Mark 51 as fix-optional. If it's worth uplifting to 51, feel free to nominate it.
status-firefox51: affectedfix-optional
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: