Closed
Bug 1287416
Opened 8 years ago
Closed 8 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
32.45 KB,
text/plain
|
Details | |
|
1.86 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 0fbdcd21fad7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
// Adapted from randomly chosen test: js/src/jit-test/tests/sunspider/check-string-unpack-code.js
for (var i = 0; i < 1; i++) {
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx".split("x");
};
Backtrace:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010db826c4 js::LifoAlloc::getOrCreateChunk(unsigned long) + 356 (LifoAlloc.cpp:105)
1 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010d9384c7 js::LifoAlloc::allocImpl(unsigned long) + 103 (LifoAlloc.h:225)
2 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010d5221b2 js::jit::TempAllocator::allocateInfallible(unsigned long) + 130 (LifoAlloc.h:291)
3 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010d4dc00a js::jit::MConstant::New(js::jit::TempAllocator&, JS::Value const&, js::CompilerConstraintList*) + 26 (JitAllocPolicy.h:161)
4 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010d3c90e6 js::jit::IonBuilder::constant(JS::Value const&) + 182 (IonBuilder.cpp:14480)
5 js-dbg-64-dm-clang-darwin-0fbdcd21fad7 0x000000010d3fca77 js::jit::IonBuilder::setInitializedLength(js::jit::MDefinition*, JSValueType, unsigned long) + 135 (IonBuilder.cpp:14516)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/977e5fd31b3d user: Nicolas B. Pierron date: Tue Jul 05 13:38:18 2016 +0000 summary: Bug 1264948 part 2 - Assert when we allocate new chunks using an infallible allocator. r=jonco,h4writer Nicolas, setting needinfo? for you.
Blocks: 1264948
Flags: needinfo?(nicolas.b.pierron)
|
||
Comment 3•8 years ago
|
||
Attachment #8771994 -
Flags: review?(hv1989)
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8771994 [details] [diff] [review] Ensure we have enough ballast space in IonBuilder::inlineConstantStringSplitString. Review of attachment 8771994 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/ion/bug1287416.js @@ +1,1 @@ > +// Adapted from randomly chosen test: js/src/jit-test/tests/sunspider/check-string-unpack-code.js I think this comment can get removed ;)
Attachment #8771994 -
Flags: review?(hv1989) → review+
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/81d489064842 Ensure we have enough ballast space in IonBuilder::inlineConstantStringSplitString. r=h4writer
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/81d489064842
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
|
||
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
You need to log in
before you can comment on or make changes to this bug.
Description
•