1285217 - Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105 with recursive Object.create

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 95ffbc4ff635 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off min.js):

function f() {
    var o = {
        x: 1
    };
    for (var i = 0; i < 300; i++) o = Object.create(o);
    for (var i = 0; i < 15; i++) {
        assertEq(o.x, 1);
        eval(o.y, undefined);
    }
}
f();


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000cc9c6f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69b1340, n=n@entry=48) at js/src/ds/LifoAlloc.cpp:105
#0  0x0000000000cc9c6f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69b1340, n=n@entry=48) at js/src/ds/LifoAlloc.cpp:105
#1  0x000000000065fb7b in js::LifoAlloc::allocImpl (this=0x7ffff69b1340, n=48) at js/src/ds/LifoAlloc.h:225
#2  0x0000000000bc6ba2 in js::LifoAlloc::alloc (n=48, this=0x7ffff69b1340) at js/src/ds/LifoAlloc.h:285
#3  js::LifoAlloc::new_<(anonymous namespace)::CompilerConstraintInstance<(anonymous namespace)::ConstraintDataFreeze>, js::LifoAlloc*&, js::HeapTypeSetKey&, (anonymous namespace)::ConstraintDataFreeze> (this=0x7ffff69b1340) at js/src/ds/LifoAlloc.h:454
#4  js::HeapTypeSetKey::freeze (this=this@entry=0x7fffffffc8b0, constraints=constraints@entry=0x7ffff69c31e8) at js/src/vm/TypeInference.cpp:1574
#5  0x0000000000bc6e56 in js::HeapTypeSetKey::isOwnProperty (this=this@entry=0x7fffffffc8b0, constraints=0x7ffff69c31e8, allowEmptyTypesForGlobal=allowEmptyTypesForGlobal@entry=false) at js/src/vm/TypeInference.cpp:1673
#6  0x000000000068da04 in js::jit::IonBuilder::testNotDefinedProperty (this=this@entry=0x7ffff69c3280, obj=obj@entry=0x7ffff69d6c20, id=id@entry=...) at js/src/jit/IonBuilder.cpp:8304
#7  0x000000000068dbae in js::jit::IonBuilder::getPropTryNotDefined (this=this@entry=0x7ffff69c3280, emitted=emitted@entry=0x7fffffffc967, obj=obj@entry=0x7ffff69d6c20, id=..., types=types@entry=0x7ffff69c3c10) at js/src/jit/IonBuilder.cpp:11689
#8  0x00000000006dec5b in js::jit::IonBuilder::jsop_getprop (this=this@entry=0x7ffff69c3280, name=0x7ffff3f00b80) at js/src/jit/IonBuilder.cpp:11434
#9  0x00000000006e0d41 in js::jit::IonBuilder::inspectOpcode (this=this@entry=0x7ffff69c3280, op=op@entry=JSOP_GETPROP) at js/src/jit/IonBuilder.cpp:2057
#10 0x00000000006d8d99 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69c3280) at js/src/jit/IonBuilder.cpp:1540
#11 0x00000000006d9975 in js::jit::IonBuilder::build (this=0x7ffff69c3280) at js/src/jit/IonBuilder.cpp:924
#12 0x00000000006ea74c in js::jit::IonCompile (cx=cx@entry=0x7ffff693f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffcfd8, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2200
#13 0x00000000006eb059 in js::jit::Compile (cx=cx@entry=0x7ffff693f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffcfd8, osrPc=osrPc@entry=0x7ffff3ce4eaf "え", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2432
#14 0x00000000006eb973 in BaselineCanEnterAtBranch (pc=0x7ffff3ce4eaf "え", osrFrame=0x7fffffffcfd8, script=..., cx=0x7ffff693f000) at js/src/jit/Ion.cpp:2619
#15 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff693f000, frame=frame@entry=0x7fffffffcfd8, pc=pc@entry=0x7ffff3ce4eaf "え") at js/src/jit/Ion.cpp:2677
#16 0x00000000005cdcb7 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff693f000, frame=0x7fffffffcfd8, stub=0x7ffff69c2790, infoPtr=0x7fffffffcfb0) at js/src/jit/BaselineIC.cpp:143
#17 0x00007ffff7e46134 in ?? ()
[...]
#28 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x8000	32768
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc7f0	140737488340976
rsp	0x7fffffffc730	140737488340784
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff69d3000	140737330884608
r13	0x7ffff69b1340	140737330746176
r14	0x30	48
r15	0x0	0
rip	0xcc9c6f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>
=> 0xcc9c6f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>:	movl   $0x0,0x0
   0xcc9c7a <js::LifoAlloc::getOrCreateChunk(unsigned long)+858>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/977e5fd31b3d
user:        Nicolas B. Pierron
date:        Tue Jul 05 13:38:18 2016 +0000
summary:     Bug 1264948 part 2 - Assert when we allocate new chunks using an infallible allocator. r=jonco,h4writer

This iteration took 222.680 seconds to run.

Comment 2

[Nicolas B. Pierron [:nbp]]

Attachment: Handle OOM in IonBuilder::testNotDefinedProperty.

Comment 3

[Jan de Mooij [:jandem]]

Comment on attachment 8769674 [details] [diff] [review]
Handle OOM in IonBuilder::testNotDefinedProperty.

Review of attachment 8769674 [details] [diff] [review]:
-----------------------------------------------------------------

Maybe file a followup bug that depends on the Result<> bug?

Comment 4

[Pulsebot]

Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/393e8f970575
Handle OOM in IonBuilder::testNotDefinedProperty. r=jandem

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/393e8f970575