Closed
Bug 1329651
Opened 8 years ago
Closed 8 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla54
People
(Reporter: decoder, Assigned: h4writer)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
1.65 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 701868bfddcb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager --ion-aa=flow-sensitive): try { evaluate(` function TestCase(n, a) { value = value.replace(/n/, 'NL').replace(/n/, 'NL').replace(r/g).replace return value; } setJitCompilerOption("ion.warmup.trigger", 2); TestCase(); `) } catch (exc) {} function newFunc(x) Function(x)(); newFunc(` var SECTION; new TestCase( SECTIONNumberNaN + "" ); new TestCase; new TestCase; TestCase( NEGATIVE_INFINITY + "" ); new TestCase; TestCase( + ""); new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; new TestCase + new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; new TestCase; `); Backtrace: received signal SIGSEGV, Segmentation fault. js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105 #0 js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105 #1 0x00000000005f6d03 in js::LifoAlloc::allocImpl (n=120, this=0x7ffff3332180) at js/src/ds/LifoAlloc.h:225 #2 js::LifoAlloc::allocInfallible (this=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.h:291 #3 0x00000000007084f0 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44 #4 js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162 #5 js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1123 #6 js::jit::MConstant::New (constraints=0x0, v=..., alloc=...) at js/src/jit/MIR.cpp:806 #7 js::jit::MBasicBlock::optimizedOutConstant (this=0x7ffff69cd020, alloc=...) at js/src/jit/MIRGraph.cpp:919 #8 0x00000000005fc5cd in EliminateTriviallyDeadResumePointOperands (graph=..., rp=0x7ffff69cd3c0) at js/src/jit/IonAnalysis.cpp:977 #9 0x0000000000619093 in EliminateTriviallyDeadResumePointOperands (rp=<optimized out>, graph=...) at js/src/jit/IonAnalysis.cpp:967 #10 js::jit::EliminateDeadResumePointOperands (mir=mir@entry=0x7ffff69b0278, graph=...) at js/src/jit/IonAnalysis.cpp:1005 #11 0x000000000065a780 in js::jit::EliminateDeadResumePointOperands (graph=..., mir=0x7ffff69b0278) at js/src/jit/FlowAliasAnalysis.h:24 #12 js::jit::OptimizeMIR (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:1713 #13 0x000000000065b9d6 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:2067 #14 0x000000000065c55b in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb6a8, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2351 #15 0x000000000065ccb2 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb6a8, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2533 #16 0x000000000065d5c2 in BaselineCanEnterAtEntry (frame=0x7fffffffb6a8, script=..., cx=0x7ffff695f000) at js/src/jit/Ion.cpp:2662 #17 js::jit::IonCompileScriptForBaseline (cx=0x7ffff695f000, frame=0x7fffffffb6a8, pc=<optimized out>) at js/src/jit/Ion.cpp:2785 #18 0x00007ffff7e45cd0 in ?? () [...] #40 0x0000000000000000 in ?? () rax 0x204e520 33875232 rbx 0x1217988 18971016 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffad30 140737488334128 rsp 0x7fffffffac70 140737488333936 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7ffff3531fe8 140737275699176 r13 0x7ffff3332180 140737273602432 r14 0x78 120 r15 0x0 0 rip 0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944> => 0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944>: movl $0x0,0x0 0x82503b <js::LifoAlloc::getOrCreateChunk(unsigned long)+955>: ud2
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Updated•8 years ago
|
Version: Trunk → 53 Branch
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
|
||
JSBugMon: Cannot process bug: Error: Unsupported branch "53 Branch" required by bug
Updated•8 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•8 years ago
|
||
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "53 Branch" required by bug
Assignee | ||
Comment 3•8 years ago
|
||
Assignee: nobody → hv1989
Attachment #8830246 -
Flags: review?(nicolas.b.pierron)
Assignee | ||
Updated•8 years ago
|
Priority: -- → P1
Updated•8 years ago
|
Attachment #8830246 -
Flags: review?(nicolas.b.pierron) → review+
Pushed by hv1989@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/98e7a11da7c8 IonMonkey - Ensure ballast in EliminateDeadResumePointOperands, r=nbp
Comment 5•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/98e7a11da7c8
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox54:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment 6•8 years ago
|
||
AFAICT, this is an old bug. Please request Aurora/Beta approval on this when you get a chance.
status-firefox52:
--- → affected
Flags: needinfo?(nicolas.b.pierron) → needinfo?(hv1989)
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Version: 53 Branch → Trunk
Assignee | ||
Comment 7•8 years ago
|
||
IMHO not important to backport and testcase will be fragile.
Flags: needinfo?(hv1989)
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•