Closed
Bug 1289184
Opened 8 years ago
Closed 8 years ago
Crash on js::LifoAlloc::getOrCreateChunk
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
People
(Reporter: eeejay, Assigned: nbp)
References
()
Details
Attachments
(2 files)
|
18.89 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
|
1.03 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
I can reliably reproduce a crash by running some emsciptened code from here: http://eeejay.github.io/espeak/emscripten/espeak.html (simply press speak). #0 0x00007fffe920bcbf in js::LifoAlloc::getOrCreateChunk(unsigned long) (this=<optimized out>, n=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/ds/LifoAlloc.cpp:105 #1 0x00007fffe8a66ee7 in js::LifoAlloc::allocImpl(unsigned long) (this=0x7fffabf979c0, n=16) at /home/eitan/Mozilla/gecko/js/src/ds/LifoAlloc.h:225 #2 0x00007fffe8bca8cc in MakeMIRTypeSet(js::jit::MIRType) (this=0x7fffabf979c0, n=16) at /home/eitan/Mozilla/gecko/js/src/ds/LifoAlloc.h:285 #3 0x00007fffe8bca8cc in MakeMIRTypeSet(js::jit::MIRType) (this=0x7fffabf979c0, args=@0x7fffabf979c0: 0x7fffadf9d000, args=...) at /home/eitan/Mozilla/gecko/js/src/ds/LifoAlloc.h:454 #4 0x00007fffe8bca8cc in MakeMIRTypeSet(js::jit::MIRType) (type=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/MIR.cpp:2435 #5 0x00007fffe8bca7e1 in js::jit::MergeTypes(js::jit::MIRType*, js::TemporaryTypeSet**, js::jit::MIRType, js::TemporaryTypeSet*) (ptype=<optimized out>, ptypeSet=0x7fffa61ef738, newType=js::jit::MIRType::Int32, newTypeSet=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/MIR.cpp:2461 #6 0x00007fffe8bcad66 in js::jit::MPhi::specializeType() (this=0x7fff96038920) at /home/eitan/Mozilla/gecko/js/src/jit/MIR.cpp:2593 #7 0x00007fffe8be2d9b in js::jit::MBasicBlock::specializePhis() (this=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/MIRGraph.cpp:1610 #8 0x00007fffe8ab6a15 in js::jit::IonBuilder::whileOrForInLoop(unsigned char*) (block=<optimized out>, this=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/IonBuilder.h:1083 #9 0x00007fffe8ab6a15 in js::jit::IonBuilder::whileOrForInLoop(unsigned char*) (this=0x7fffadf9f2c0, sn=0x7fff9600a610 "P\320\371\255\377\177") at /home/eitan/Mozilla/gecko/js/src/jit/IonBuilder.cpp:3333 #10 0x00007fffe8ab0b22 in js::jit::IonBuilder::traverseBytecode() (this=0x7fffadf9f2c0) at /home/eitan/Mozilla/gecko/js/src/jit/IonBuilder.cpp:1507 #11 0x00007fffe8aac115 in js::jit::IonBuilder::build() (this=0x7fffadf9f2c0) at /home/eitan/Mozilla/gecko/js/src/jit/IonBuilder.cpp:924 #12 0x00007fffe8aa3cc8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) (script=<optimized out>, baselineFrame=<optimized out>, osrPc=<optimized out>, optimizationLevel=<optimized out>, cx=<optimized out>, constructing=<optimized out>, recompile=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/Ion.cpp:2233 #13 0x00007fffe8aa3cc8 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) (cx=0x7fffb8cf1000, script=..., osrFrame=<optimized out>, osrPc=<optimized out>, constructing=208, forceRecompile=<optimized out>) at /home/eitan/Mozilla/gecko/js/src/jit/Ion.cpp:2464 #14 0x00007fffe8aa4ade in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) (osrFrame=0x7fffa61f1548, pc=0x7fffcead3a45 "\343\201C\b\377\377ɬ\346V", cx=<optimized out>, script=...) at /home/eitan/Mozilla/gecko/js/src/jit/Ion.cpp:2651 #15 0x00007fffe8aa4ade in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) (cx=0x7fffb8cf1000, frame=0x7fffa61f1548, pc=0x7fffcead3a45 "\343\201C\b\377\377ɬ\346V") at /home/eitan/Mozilla/gecko/js/src/jit/Ion.cpp:2710 #16 0x00007fffe943fcbf in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) (cx=0x7fffb8cf1000, frame=0x7fffa61f1548, stub=0x7fffb91904d8, infoPtr=0x7fffa61efd60) at /home/eitan/Mozilla/gecko/js/src/jit/BaselineIC.cpp:143
|
Assignee | |
Comment 1•8 years ago
|
||
Eitan, is this a debug build of Firefox / JS shell? I added an assertion as part of Bug 1264948, which should only trigger in debug builds. This assertion is made to ensure that our code is armored against any OOM which might happen in the compilers, thus it prevent us from *implicitly* extending the ballast space, even if we do not run out of memory.
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
Flags: needinfo?(eitan)
|
|
Assignee | |
Comment 2•8 years ago
|
||
Attachment #8774713 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 3•8 years ago
|
||
Attachment #8774715 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 4•8 years ago
|
||
(In reply to Eitan Isaacson [:eeejay] from comment #0) > I can reliably reproduce a crash by running some emsciptened code from here: > > http://eeejay.github.io/espeak/emscripten/espeak.html (simply press speak). I was unable to reproduce this on a week old version of firefox nightly, because of a sandbox issue: Sandbox: seccomp sandbox violation: pid 22800, syscall 25, args 140484741976064 692224 1052672 1 12123 140732820460064. Killing process. Sandbox: crash reporter is disabled (or failed); trying stack trace: Sandbox: frame #01: ???[/nix/store/9xsjqbsldr86vvs7p5ps4qlkjv9dhc0k-glibc-2.23/lib/libpthread.so.0 +0x10e70] Sandbox: frame #02: mremap[/nix/store/9xsjqbsldr86vvs7p5ps4qlkjv9dhc0k-glibc-2.23/lib/libc.so.6 +0xe83ea] Sandbox: frame #03: ???[/nix/store/9xsjqbsldr86vvs7p5ps4qlkjv9dhc0k-glibc-2.23/lib/libc.so.6 +0x74ad6] Sandbox: frame #04: realloc[/nix/store/9xsjqbsldr86vvs7p5ps4qlkjv9dhc0k-glibc-2.23/lib/libc.so.6 +0x792c0] Sandbox: frame #05: ???[/home/nicolas/mozilla/_build/firefox/bugzil.la/1287416/wip/x64/clang/dbg/dist/bin/libxul.so +0xadbf6b] In the mean time I would expect the last patch to fix the issue you are seeing.
|
Reporter | |
Comment 5•8 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #1) > Eitan, is this a debug build of Firefox / JS shell? > > I added an assertion as part of Bug 1264948, which should only trigger in > debug builds. This assertion is made to ensure that our code is armored > against any OOM which might happen in the compilers, thus it prevent us from > *implicitly* extending the ballast space, even if we do not run out of > memory. Yes, this is build with --enable-debug. I'm assuming your patch fixes it for debug builds as well?
Flags: needinfo?(eitan)
|
|
Reporter | |
Comment 6•8 years ago
|
||
I tried the patch, and I can confirm it fixes this issue.
|
||
Comment 7•8 years ago
|
||
Comment on attachment 8774713 [details] [diff] [review] part 0 - Replace TLS lookup for the compiler LifoAlloc by a TempAllocator argument. Review of attachment 8774713 [details] [diff] [review]: ----------------------------------------------------------------- Nice
Attachment #8774713 -
Flags: review?(jdemooij) → review+
|
|
||
Updated•8 years ago
|
Attachment #8774715 -
Flags: review?(jdemooij) → review+
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/84681c999812 part 0 - Replace TLS lookup for the compiler LifoAlloc by a TempAllocator argument. r=jandem https://hg.mozilla.org/integration/mozilla-inbound/rev/afb244b4fb28 part 1 - Add an AutoFallibleScope for jit::MergeTypes lifoAlloc allocations. r=jandem
|
||
Comment 9•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/84681c999812 https://hg.mozilla.org/mozilla-central/rev/afb244b4fb28
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox51:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•