Closed
Bug 1285218
Opened 8 years ago
Closed 8 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla50
| | Tracking | Status |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: decoder, Assigned: nbp)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
3.09 KB, patch | h4writer: review+
The following testcase crashes on mozilla-central revision 4764b9f8e6d4 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --no-threads --ion-eager):

```js
evaluate(`
test();
function test() {
    var a1; var a2; var a3; var a4; var a5; var a6; var a7; var a8;
    var a9; var a10; var a11; var a12; var a13; var a14; var a15; var a16;
    var a17; var a18; var a19; var a20; var a21; var a22; var a23; var a24;
    var a25; var a26; var a27; var a28; var a29; var a30; var a31; var a32;
    var a33; var a34; var a35; var a36; var a37; var a38; var a39; var a40;
    var a41; var a42; var a43; var a44; var a45; var a46; var a47; var a48;
    for ( dbg = 30; dbg >=0; dbg-- ) {}
    var a50; var a51; var a52; var a53; var a54; var a55; var a56; var a57;
    var a58; var a59; var a60; var a61; var a62; var a63; var a64; var a65;
    var a66; var a67; var a68; var a69; var assertEq = ''; var a71; var a72;
    let onDebuggerStatement;
    var a74; var a75; var a76; var a77; var a78; var a79; var a80; var a81;
    var a82; var a83; var a84; var a85; var a86; var a87; var a88; var a89;
    var a90; var a91; var a92; var a93; var a94; var a95; var a96; var a97;
    var a98; var a99; var a100; var a101; var a102; var a103; var a104; var a105;
    var a106; var a107; var a108; var a109; var a110; var a111; var a112;
    if(a111 !== a2)
        var a114;
    var a115; var a116; var a117; var a120; var a121; var a122; var a123;
    var a124; var a125;
    for (var a126 = 1; a126 < ([1,2,3]).length -1; ++a126) 1;
}
`);
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x0000000000ccad2f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69ac980, n=n@entry=144) at js/src/ds/LifoAlloc.cpp:105
#0 0x0000000000ccad2f in js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff69ac980, n=n@entry=144) at js/src/ds/LifoAlloc.cpp:105
#1 0x0000000000562e53 in js::LifoAlloc::allocImpl (n=144, this=0x7ffff69ac980) at js/src/ds/LifoAlloc.h:225
#2 js::LifoAlloc::allocInfallible (this=0x7ffff69ac980, n=n@entry=144) at js/src/ds/LifoAlloc.h:291
#3 0x00000000006950eb in js::jit::TempAllocator::allocateInfallible (bytes=144, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:43
#4 js::jit::TempObject::operator new (alloc=..., nbytes=144) at js/src/jit/JitAllocPolicy.h:161
#5 js::jit::MInstruction::operator new (alloc=..., nbytes=144) at js/src/jit/MIR.h:1033
#6 js::jit::MOsrValue::New<js::jit::MOsrEntry*&, long&> (alloc=...) at js/src/jit/MIR.h:7378
#7 js::jit::IonBuilder::newOsrPreheader (this=this@entry=0x7ffff69bf680, predecessor=0x7ffff69d6980, loopEntry=loopEntry@entry=0x7ffff51e2e31 "\343\201V", beforeLoopEntry=<optimized out>) at js/src/jit/IonBuilder.cpp:7861
#8 0x00000000006b614d in js::jit::IonBuilder::forLoop (this=0x7ffff69bf680, op=<optimized out>, sn=<optimized out>) at js/src/jit/IonBuilder.cpp:3399
#9 0x00000000006d88a1 in js::jit::IonBuilder::traverseBytecode (this=this@entry=0x7ffff69bf680) at js/src/jit/IonBuilder.cpp:1507
#10 0x00000000006d9915 in js::jit::IonBuilder::build (this=0x7ffff69bf680) at js/src/jit/IonBuilder.cpp:924
#11 0x00000000006ea67c in js::jit::IonCompile (cx=cx@entry=0x7ffff6965000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb278, osrPc=<optimized out>, constructing=<optimized out>, recompile=<optimized out>, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2222
#12 0x00000000006eaf89 in js::jit::Compile (cx=cx@entry=0x7ffff6965000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb278, osrPc=osrPc@entry=0x7ffff51e2e31 "\343\201V", constructing=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2454
#13 0x00000000006eb8a3 in BaselineCanEnterAtBranch (pc=0x7ffff51e2e31 "\343\201V", osrFrame=0x7fffffffb278, script=..., cx=0x7ffff6965000) at js/src/jit/Ion.cpp:2641
#14 js::jit::IonCompileScriptForBaseline (cx=cx@entry=0x7ffff6965000, frame=frame@entry=0x7fffffffb278, pc=pc@entry=0x7ffff51e2e31 "\343\201V") at js/src/jit/Ion.cpp:2699
#15 0x00000000005cd467 in js::jit::DoWarmUpCounterFallbackOSR (cx=0x7ffff6965000, frame=0x7fffffffb278, stub=0x7ffff69bc348, infoPtr=0x7fffffffae80) at js/src/jit/BaselineIC.cpp:143
#16 0x00007ffff7ff1134 in ?? ()
[...]
#27 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x8000 32768
rcx 0x7ffff6c28a10 140737333332496
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffa750 140737488332624
rsp 0x7fffffffa690 140737488332432
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff69d7000 140737330900992
r13 0x7ffff69ac980 140737330727296
r14 0x90 144
r15 0x0 0
rip 0xccad2f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>
=> 0xccad2f <js::LifoAlloc::getOrCreateChunk(unsigned long)+847>: movl $0x0,0x0
0xccad3a <js::LifoAlloc::getOrCreateChunk(unsigned long)+858>: ud2
```
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/977e5fd31b3d
user: Nicolas B. Pierron
date: Tue Jul 05 13:38:18 2016 +0000
summary: Bug 1264948 part 2 - Assert when we allocate new chunks using an infallible allocator. r=jonco,h4writer

This iteration took 0.428 seconds to run.
Assignee
Updated•8 years ago
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(nicolas.b.pierron)
Assignee
Comment 2•8 years ago
Attachment #8769304 - Flags: review?(hv1989)
Updated•8 years ago
Attachment #8769304 - Flags: review?(hv1989) → review+
Comment 3•8 years ago
Comment on attachment 8769304 [details] [diff] [review] Check for OOM while creating MOsrValue. Review of attachment 8769304 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/ion/bug1285218.js @@ +19,5 @@ > + var a106; var a107; var a108; var a109; var a110; var a111; var a112; > + if(a111 !== a2) > + var a114; > + var a115; var a116; var a117; var a120; var a121; var a122; var a123; > + var a124; var a125; Can you remove the trailing newspaces?
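Review bot: at `if(a111 !== a2)` followed by `var a114;` (lines +20 and +21 of the quoted hunk) the declaration is the unbraced body of the `if`, which a later cleanup of js/src/jit-test/tests/ion/bug1285218.js could easily re-indent or hoist. Because the file only has value as a fuzzer-reduced reproduction, add a short header comment, if it does not already have one, naming this bug and the flags from the report (--no-threads --ion-eager) so the statement layout is left alone.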
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0ad1ec384324
Check for OOM while creating MOsrValue. r=h4writer
Assignee
Comment 5•8 years ago
(In reply to Hannes Verschore [:h4writer] from comment #3)
> Can you remove the trailing newspaces?

Done.
Flags: needinfo?(nicolas.b.pierron)
Comment 6•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0ad1ec384324
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50