Closed Bug 1244831 Opened 8 years ago Closed 8 years ago

Assertion failure: result ([OOM] Is it really infallible?), at js/src/ds/LifoAlloc.h:281 involving js::jit::MToFloat32::New

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1244828
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: gkw, Assigned: nbp)

References

Details

(Keywords: assertion, regression, Whiteboard: [jsbugmon:ignore]) 

+++ This bug was initially created as a clone of Bug #1244828 +++

Nicolas requests that each stack should have it's own bug, blocking meta bug 1244824. Assigning to him by default.

#0  js::LifoAlloc::allocInfallibleOrAssert (this=<optimized out>, n=<optimized out>) at js/src/ds/LifoAlloc.h:281
#1  js::jit::TempAllocator::allocateInfallible (this=<optimized out>, bytes=<optimized out>) at js/src/jit/JitAllocPolicy.h:40
#2  0x00000000005da6da in js::jit::TempObject::operator new (nbytes=144, alloc=...) at js/src/jit/JitAllocPolicy.h:174
#3  js::jit::MToFloat32::New (alloc=..., def=0x27451f0, conversion=js::jit::MToFPInstruction::NumbersOnly) at js/src/jit/MIR.h:5067
#4  0x0000000000688237 in js::jit::ComparePolicy::adjustInputs (this=<optimized out>, alloc=..., def=0x26f9740) at js/src/jit/TypePolicy.cpp:232
#5  0x000000000057e7b9 in (anonymous namespace)::TypeAnalyzer::adjustInputs (def=0x26f9740, this=<optimized out>) at js/src/jit/IonAnalysis.cpp:1499
#6  (anonymous namespace)::TypeAnalyzer::insertConversions (this=<optimized out>) at js/src/jit/IonAnalysis.cpp:1562
#7  (anonymous namespace)::TypeAnalyzer::analyze (this=<optimized out>) at js/src/jit/IonAnalysis.cpp:1806
#8  js::jit::ApplyTypeInformation (mir=<optimized out>, graph=...) at js/src/jit/IonAnalysis.cpp:1818
#9  0x0000000000574122 in js::jit::OptimizeMIR (mir=0x265afb0) at js/src/jit/Ion.cpp:1631
#10 0x000000000057598e in js::jit::CompileBackEnd (mir=0x265afb0) at js/src/jit/Ion.cpp:2008
#11 0x000000000082f46d in js::HelperThread::handleIonWorkload (this=0x205a700) at js/src/vm/HelperThreads.cpp:1276
#12 0x000000000082ee9e in js::HelperThread::threadLoop (this=0x205a700) at js/src/vm/HelperThreads.cpp:1603
#13 0x00000000008d124e in nspr::Thread::ThreadRoutine (arg=0x2072cf0) at js/src/vm/PosixNSPR.cpp:45
#14 0x00007f297a0bc6aa in start_thread (arg=0x7f297500b700) at pthread_create.c:333
#15 0x00007f2979132eed in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
In this particular case, the problem is located in TypeAnalyzer::adjustInputs, as there is a finite number of operands in instructions which have a ComparePolicy.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.