Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

RESOLVED FIXED in Firefox 53

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: gkw, Assigned: h4writer)

Tracking

(Blocks: 1 bug, {assertion, jsbugmon, testcase})

Trunk
mozilla53
x86_64
Mac OS X
assertion, jsbugmon, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(3 attachments)

(Reporter)

Description

a year ago
The following testcase crashes on mozilla-central revision 8404d26166a3 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-eager):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010eb013b9 js::LifoAlloc::getOrCreateChunk(unsigned long) + 345 (LifoAlloc.cpp:105)
1   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010ee62a27 js::LifoAlloc::allocImpl(unsigned long) + 103 (LifoAlloc.h:225)
2   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e9dbf82 js::jit::TempObject::operator new(unsigned long, js::jit::TempAllocator&) + 130 (LifoAlloc.h:291)
3   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e92f545 js::jit::ControlFlowGenerator::processTableSwitch(JSOp, unsigned char*) + 677 (IonControlFlow.h:77)
4   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e92d86f js::jit::ControlFlowGenerator::traverseBytecode() + 303 (IonControlFlow.cpp:251)
5   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e8b8599 js::jit::IonBuilder::traverseBytecode() + 137 (IonBuilder.cpp:1378)
6   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e8b1485 js::jit::IonBuilder::build() + 2149 (IonBuilder.cpp:839)
7   js-dbg-64-dm-clang-darwin-8404d26166a3	0x000000010e8a6d0a js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) + 2986 (Ion.cpp:2236)
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

a year ago
Created attachment 8817725 [details]
Detailed Crash Information
(Reporter)

Comment 2

a year ago
Created attachment 8817726 [details]
Testcase
(Reporter)

Comment 3

a year ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/3daa33144b64
user:        Hannes Verschore
date:        Thu Dec 08 13:53:05 2016 -1000
summary:     Bug 1310155 - IonMonkey, part 1.0: Split graph creation from IonBuilder, r=jandem

Hannes, is bug 1310155 a likely regressor?
Blocks: 1310155
Flags: needinfo?(hv1989)
(Assignee)

Comment 4

a year ago
Created attachment 8817732 [details] [diff] [review]
Patch

Didn't add the testcase since it only reproduces on --ion-eager with threads. And I don't think it will give a lot of value to have this particular one in the tree. It is quite specific to get it triggered.
Assignee: nobody → hv1989
Flags: needinfo?(hv1989)
Attachment #8817732 - Flags: review?(jdemooij)
Attachment #8817732 - Flags: review?(jdemooij) → review+

Comment 5

a year ago
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aac2e7dc6f5b
IonMonkey - Test for OOM condition when creating cases for tableswitch, r=jandem

Comment 6

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/aac2e7dc6f5b
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.