Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

RESOLVED FIXED in Firefox 54

Status

Core
JavaScript Engine
P1
critical
RESOLVED FIXED

People

(Reporter: decoder, Assigned: h4writer)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla54
x86_64
Linux
assertion, jsbugmon, regression, testcase

Firefox Tracking Flags

(firefox52 wontfix, firefox53 wontfix, firefox54 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 attachment)

(Reporter)

Description

a year ago
The following testcase crashes on mozilla-central revision 701868bfddcb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager --ion-aa=flow-sensitive):

try {
    evaluate(` 
      function TestCase(n, a) {
        value = value.replace(/n/, 'NL').replace(/n/, 'NL').replace(r/g).replace
        return value;
      }
      setJitCompilerOption("ion.warmup.trigger", 2);
      TestCase();
    `)
} catch (exc) {}
function newFunc(x) Function(x)();
newFunc(`
var SECTION;
new TestCase( SECTIONNumberNaN + "" );
new TestCase;
new TestCase;
TestCase( NEGATIVE_INFINITY + "" );
new TestCase;
TestCase( + "");
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase + new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
`);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#0  js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1  0x00000000005f6d03 in js::LifoAlloc::allocImpl (n=120, this=0x7ffff3332180) at js/src/ds/LifoAlloc.h:225
#2  js::LifoAlloc::allocInfallible (this=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.h:291
#3  0x00000000007084f0 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4  js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5  js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1123
#6  js::jit::MConstant::New (constraints=0x0, v=..., alloc=...) at js/src/jit/MIR.cpp:806
#7  js::jit::MBasicBlock::optimizedOutConstant (this=0x7ffff69cd020, alloc=...) at js/src/jit/MIRGraph.cpp:919
#8  0x00000000005fc5cd in EliminateTriviallyDeadResumePointOperands (graph=..., rp=0x7ffff69cd3c0) at js/src/jit/IonAnalysis.cpp:977
#9  0x0000000000619093 in EliminateTriviallyDeadResumePointOperands (rp=<optimized out>, graph=...) at js/src/jit/IonAnalysis.cpp:967
#10 js::jit::EliminateDeadResumePointOperands (mir=mir@entry=0x7ffff69b0278, graph=...) at js/src/jit/IonAnalysis.cpp:1005
#11 0x000000000065a780 in js::jit::EliminateDeadResumePointOperands (graph=..., mir=0x7ffff69b0278) at js/src/jit/FlowAliasAnalysis.h:24
#12 js::jit::OptimizeMIR (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:1713
#13 0x000000000065b9d6 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:2067
#14 0x000000000065c55b in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb6a8, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2351
#15 0x000000000065ccb2 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb6a8, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2533
#16 0x000000000065d5c2 in BaselineCanEnterAtEntry (frame=0x7fffffffb6a8, script=..., cx=0x7ffff695f000) at js/src/jit/Ion.cpp:2662
#17 js::jit::IonCompileScriptForBaseline (cx=0x7ffff695f000, frame=0x7fffffffb6a8, pc=<optimized out>) at js/src/jit/Ion.cpp:2785
#18 0x00007ffff7e45cd0 in ?? ()
[...]
#40 0x0000000000000000 in ?? ()
rax	0x204e520	33875232
rbx	0x1217988	18971016
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffad30	140737488334128
rsp	0x7fffffffac70	140737488333936
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff3531fe8	140737275699176
r13	0x7ffff3332180	140737273602432
r14	0x78	120
r15	0x0	0
rip	0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944>
=> 0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944>:	movl   $0x0,0x0
   0x82503b <js::LifoAlloc::getOrCreateChunk(unsigned long)+955>:	ud2
Flags: needinfo?(nicolas.b.pierron)
Version: Trunk → 53 Branch

Updated

a year ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]

Comment 1

a year ago
JSBugMon: Cannot process bug: Error: Unsupported branch "53 Branch" required by bug

Updated

a year ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]

Comment 2

a year ago
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "53 Branch" required by bug
(Assignee)

Comment 3

a year ago
Created attachment 8830246 [details] [diff] [review]
Patch
Assignee: nobody → hv1989
Attachment #8830246 - Flags: review?(nicolas.b.pierron)
(Assignee)

Updated

a year ago
Priority: -- → P1
Attachment #8830246 - Flags: review?(nicolas.b.pierron) → review+

Comment 4

a year ago
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/98e7a11da7c8
IonMonkey - Ensure ballast in EliminateDeadResumePointOperands, r=nbp
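
The backtrace in the description and the fix landed in comment 4 describe one allocator contract, so an added illustration (example code, not SpiderMonkey's own) follows. js::LifoAlloc hands out memory from chunks: a fallible call such as TempAllocator::ensureBallast() may open a new chunk and report OOM, while allocInfallible() may only consume space that such a call already reserved. The debug-only assertion in the title fires when an infallible request finds the current chunk exhausted, which is what happens when a loop keeps creating optimized-out MConstants (120 bytes each in this build, per frames #1-#6) without re-ensuring ballast between them. The SIGSEGV in the backtrace is the deliberate null store MOZ_CRASH performs after printing the assertion (movl $0x0,0x0 followed by ud2 in the disassembly), not a stray pointer dereference. The model below uses assumed chunk and ballast sizes, ignores alignment, and counts the violating requests instead of asserting so the buggy and fixed loop shapes can be compared in one run; the exact shape of the real patch is not shown on this page.

```cpp
// Added example, not SpiderMonkey code: a miniature LIFO bump allocator that
// models the two contracts visible in the backtrace. Fallible calls
// (ensureUnused / ensureBallast) may open a new chunk and report OOM;
// infallible calls (allocInfallible) must be served from space a fallible
// call already reserved. Sizes and names are assumptions.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <new>
#include <vector>

class ModelLifoAlloc {
 public:
  static constexpr size_t kChunkSize = 4096;    // assumed chunk size
  static constexpr size_t kBallastSize = 1024;  // assumed ballast reservation

  // Fallible: reserve at least n unused bytes, opening a chunk if needed.
  bool ensureUnused(size_t n) { return unused() >= n || newChunk(n); }
  bool ensureBallast() { return ensureUnused(kBallastSize); }

  // Infallible: the caller promises ballast was reserved. Needing a new
  // chunk here is the condition the real allocator asserts on
  // ("Cannot allocate a new chunk in an infallible scope"); this model
  // counts it instead so both passes below can run in one process.
  void* allocInfallible(size_t n) {
    if (unused() < n) {
      ++infallibleChunkRequests_;
      if (!newChunk(n)) std::abort();  // genuine OOM: nothing left to do
    }
    void* p = cur_;
    cur_ += n;  // alignment is ignored in this model
    return p;
  }

  size_t infallibleChunkRequests() const { return infallibleChunkRequests_; }
  size_t chunkCount() const { return chunks_.size(); }

 private:
  size_t unused() const { return static_cast<size_t>(end_ - cur_); }
  bool newChunk(size_t n) {
    size_t size = n > kChunkSize ? n : kChunkSize;
    uint8_t* raw = new (std::nothrow) uint8_t[size];
    if (!raw) return false;
    chunks_.emplace_back(raw);
    cur_ = raw;
    end_ = raw + size;
    return true;
  }
  std::vector<std::unique_ptr<uint8_t[]>> chunks_;
  uint8_t* cur_ = nullptr;
  uint8_t* end_ = nullptr;
  size_t infallibleChunkRequests_ = 0;
};

// Size of an MConstant in the reported build (n=120 in the backtrace).
constexpr size_t kMConstantSize = 120;

// Buggy shape: ballast is ensured once, then one optimized-out constant per
// dead resume-point operand is allocated infallibly. Once the reserved
// space is used up, an infallible request has to open a chunk: the assert.
size_t replaceOperandsWithoutBallast(ModelLifoAlloc& alloc, size_t deadOperands) {
  if (!alloc.ensureBallast()) return 0;
  for (size_t i = 0; i < deadOperands; ++i)
    alloc.allocInfallible(kMConstantSize);
  return alloc.infallibleChunkRequests();
}

// Fixed shape (the spirit of "Ensure ballast in
// EliminateDeadResumePointOperands"): re-ensure ballast fallibly before each
// infallible allocation and propagate OOM so the compile can abort cleanly.
bool replaceOperandsWithBallast(ModelLifoAlloc& alloc, size_t deadOperands) {
  for (size_t i = 0; i < deadOperands; ++i) {
    if (!alloc.ensureBallast()) return false;
    alloc.allocInfallible(kMConstantSize);
  }
  return true;
}

// Each scenario runs on a fresh allocator so the counts are independent.
size_t buggyPassViolations(size_t deadOperands) {
  ModelLifoAlloc alloc;
  return replaceOperandsWithoutBallast(alloc, deadOperands);
}
size_t fixedPassViolations(size_t deadOperands) {
  ModelLifoAlloc alloc;
  if (!replaceOperandsWithBallast(alloc, deadOperands)) return SIZE_MAX;
  return alloc.infallibleChunkRequests();
}

int main() {
  std::printf("buggy pass, 100 operands: %zu infallible chunk requests\n",
              buggyPassViolations(100));
  std::printf("fixed pass, 100 operands: %zu infallible chunk requests\n",
              fixedPassViolations(100));
  return 0;
}
```

Build with any C++14 compiler (g++ -std=c++14 model.cpp) and run. With a 4096-byte chunk, 34 constants of 120 bytes fit after the initial ballast, so the buggy pass records its first violating request on the 35th operand and two for 100 operands; the fixed pass records none because every infallible request is preceded by a fallible reservation that can fail and return false instead.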

Comment 5

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/98e7a11da7c8
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

Comment 6

AFAICT, this is an old bug. Please request Aurora/Beta approval on this when you get a chance.
status-firefox52: --- → affected
Flags: needinfo?(nicolas.b.pierron) → needinfo?(hv1989)
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Version: 53 Branch → Trunk
(Assignee)

Comment 7

a year ago
IMHO not important to backport and testcase will be fragile.
Flags: needinfo?(hv1989)
status-firefox52: affected → wontfix
status-firefox53: affected → wontfix