Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

RESOLVED FIXED in Firefox 51

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gkw, Assigned: nbp)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Target Milestone: mozilla51
Platform: x86_64 Mac OS X
Keywords: assertion, testcase
Points: ---

Firefox Tracking Flags

(firefox50 wontfix, firefox51 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

Description (Reporter, 2 years ago)
The following testcase crashes on mozilla-central revision fef429fba4c6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

for (var i = 0; i < 2; i++) {
    "|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||".split("|");
}


Backtrace:

0   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x0000000107667874 js::LifoAlloc::getOrCreateChunk(unsigned long) + 356 (LifoAlloc.cpp:105)
1   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x00000001073ff557 js::LifoAlloc::allocImpl(unsigned long) + 103 (LifoAlloc.h:225)
2   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x00000001074f1447 js::HeapTypeSetKey::freeze(js::CompilerConstraintList*) + 135 (LifoAlloc.h:285)
3   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x00000001074f349c js::TemporaryTypeSet::convertDoubleElements(js::CompilerConstraintList*) + 316 (TypeInference.cpp:2214)
4   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x0000000106fcf686 js::jit::MNewArray::MNewArray(js::CompilerConstraintList*, unsigned int, js::jit::MConstant*, js::gc::InitialHeap, unsigned char*, bool) + 310 (MIR.cpp:4821)
5   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x0000000106fcf704 js::jit::MNewArray::MNewArray(js::CompilerConstraintList*, unsigned int, js::jit::MConstant*, js::gc::InitialHeap, unsigned char*, bool) + 20 (MIR.cpp:4825)
6   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x0000000106ec618b js::jit::IonBuilder::newArrayTryVM(bool*, JSObject*, unsigned int) + 203 (IonBuilder.cpp:7324)
7   js-dbg-64-dm-clang-darwin-fef429fba4c6	0x0000000106ec6276 js::jit::IonBuilder::jsop_newarray(JSObject*, unsigned int) + 102 (IonBuilder.cpp:7361)
/snip

For detailed crash information, see attachment.
Comment 1 (Reporter, 2 years ago)
Created attachment 8775343 [details]
Detailed Crash Information
Comment 2 (Reporter, 2 years ago)
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160705060723" and the hash "359a15f3afea99a3422bc03d5b699c6f93aa9a94".
The "bad" changeset has the timestamp "20160705063922" and the hash "977e5fd31b3d8f83e3c6b4560f6784fbabdbf49a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=359a15f3afea99a3422bc03d5b699c6f93aa9a94&tochange=977e5fd31b3d8f83e3c6b4560f6784fbabdbf49a

Nicolas, this is also probably yours.
Blocks: 1264948
Flags: needinfo?(nicolas.b.pierron)
Created attachment 8776646 [details] [diff] [review]
Ensure enough ballast space while allocating each constant under inlineConstantStringSplitString.
Attachment #8776646 - Flags: review?(hv1989)
Attachment #8776646 - Flags: review?(hv1989) → review+

Comment 4 (2 years ago)
Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/2da5293e22d5
Ensure enough ballast space while allocating each constant under inlineConstantStringSplitString. r=h4writer

Comment 5 (2 years ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/2da5293e22d5
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment 6 (Sylvestre Ledru [:sylvestre])

Nicolas, can we uplift this to aurora? Thanks
Assignee: nobody → nicolas.b.pierron
(In reply to Sylvestre Ledru [:sylvestre] from comment #6)
> Nicolas, can we uplift this to aurora? Thanks

I do not think this MOZ_ASSERT is worth tracking in any release other than nightly. (I suggest wontfix)
This is a debug-only mechanism which helps fuzzers report allocation loops without OOM checks.

In this particular case, on OOM, we will attempt to dereference a near-null pointer.
Flags: needinfo?(nicolas.b.pierron)
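The mechanism described in the comment above (an infallible scope that must be served from pre-reserved "ballast", with a debug-only check firing when a new chunk would be needed) is shown below in a toy C++ arena. This is an added example and not SpiderMonkey's LifoAlloc; the class ToyLifoAlloc, its methods ensureBallast/setInfallible/alloc, and the 64-byte chunk and 16-byte constant sizes are assumptions for illustration. It contrasts the buggy pattern (ballast reserved once, then a loop of allocations) with the fixed pattern the landed patch title describes (ballast reserved for each constant):

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <new>
#include <vector>

// Toy chunked bump arena (hypothetical stand-in for LifoAlloc; names are assumptions).
class ToyLifoAlloc {
 public:
  explicit ToyLifoAlloc(size_t chunkSize) : chunkSize_(chunkSize) {}

  // Reserve at least `bytes` of contiguous free space ("ballast"). This is the
  // only place that may grow the arena, so it is the fallible step: a false
  // return is an OOM the caller must handle.
  bool ensureBallast(size_t bytes) {
    if (bytes > chunkSize_) return false;
    if (cur_ && cur_->capacity - cur_->used >= bytes) return true;
    return newChunk();
  }

  // Enter/leave an infallible scope: inside it alloc() must be served from
  // ballast and may not allocate a new chunk.
  void setInfallible(bool on) { infallible_ = on; }

  // Bump-allocate `bytes`; nullptr on OOM. Needing a new chunk inside an
  // infallible scope is what the debug assertion in this bug catches; here it
  // is counted instead of asserting so the effect can be inspected.
  void* alloc(size_t bytes) {
    if (bytes > chunkSize_) return nullptr;
    if (!cur_ || cur_->capacity - cur_->used < bytes) {
      if (infallible_) {
        violations_++;
        return nullptr;  // a release build would later dereference this (near-null deref)
      }
      if (!newChunk()) return nullptr;
    }
    void* p = cur_->data.get() + cur_->used;
    cur_->used += bytes;
    return p;
  }

  int violations() const { return violations_; }
  size_t chunkCount() const { return chunks_.size(); }

 private:
  struct Chunk {
    std::unique_ptr<uint8_t[]> data;
    size_t capacity;
    size_t used;
  };

  bool newChunk() {
    std::unique_ptr<uint8_t[]> mem(new (std::nothrow) uint8_t[chunkSize_]);
    if (!mem) return false;
    chunks_.push_back(std::unique_ptr<Chunk>(new Chunk{std::move(mem), chunkSize_, 0}));
    cur_ = chunks_.back().get();  // heap-owned, so the pointer stays valid
    return true;
  }

  size_t chunkSize_;
  bool infallible_ = false;
  int violations_ = 0;
  std::vector<std::unique_ptr<Chunk>> chunks_;
  Chunk* cur_ = nullptr;
};

// Buggy pattern: ballast is checked once, as if a single constant were emitted,
// then a loop allocates `count` constants inside the infallible scope.
int emitConstantsNoBallast(ToyLifoAlloc& a, int count, size_t bytes) {
  if (!a.ensureBallast(bytes)) return -1;
  a.setInfallible(true);
  int emitted = 0;
  for (int i = 0; i < count; i++) {
    if (a.alloc(bytes)) emitted++;  // later constants silently get nullptr
  }
  a.setInfallible(false);
  return emitted;
}

// Fixed pattern: ensure ballast before every constant, so the infallible
// allocation can never need a chunk; OOM is reported from the fallible step.
int emitConstantsWithBallast(ToyLifoAlloc& a, int count, size_t bytes) {
  int emitted = 0;
  for (int i = 0; i < count; i++) {
    if (!a.ensureBallast(bytes)) return -1;
    a.setInfallible(true);
    void* p = a.alloc(bytes);
    a.setInfallible(false);
    if (!p) return -1;  // unreachable once ballast is in place
    emitted++;
  }
  return emitted;
}

int main() {
  ToyLifoAlloc buggy(64), fixed(64);
  int n1 = emitConstantsNoBallast(buggy, 20, 16);
  int n2 = emitConstantsWithBallast(fixed, 20, 16);
  std::printf("no ballast: %d emitted, %d violations\n", n1, buggy.violations());
  std::printf("ballast:    %d emitted, %d violations, %zu chunks\n", n2,
              fixed.violations(), fixed.chunkCount());
  return 0;
}
```

With a 64-byte chunk and 16-byte constants, the buggy loop emits only four constants and records sixteen violations, each one an allocation that a release build would have handed on as a null base pointer; the per-constant ballast version emits all twenty across five chunks with no violations.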
ok, thanks :)
status-firefox50: affected → wontfix