Closed
Bug 1383972
Opened 7 years ago
Closed 7 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: gkw, Assigned: tcampbell)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 5928d905c0bc (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
for (var i = 0; i < 1; i++) {
    // Adapted from randomly chosen test: js/src/tests/js1_8_5/regress/regress-698028-2.js
    for (let x of [0]) {
        var dbg = new g.Debugger(this);
        if (typeof b === 'function') {
            let x00, x01, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d, x1e, x1f, x80, x81, x82, x83, x84, x85, x86, x87, x88, x89, x8a, x8b, x8c, x8d, x8e, xa0, xa1, xa2, xa3, xa4, xa5, xa6, xa7, xa8, xa9, xaa, xab, xac, xad, xae, xaf, xb0, xb1, xb2, xb3, xb4, xb5, xb6, xb7, xb8, xb9, xba, xbb, xbc, xbd, xbe, xbf, xc0, xc1, xc2, xc3, xc4, xc5, xc6, xc7, xc8, xc9, xca, xcb, xcc, xcd, xce, xcf, xd0, xd1, xd2, xd3, xd4, xd5, xd6, xd7, xd8, xd9, xda, xdb, xdc, xdd, xde, xdf, xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, xe8, xe9, xea, xeb, xec, xed, xee, xef, xf0, xf1, xf2, xf3, xf4, xf5, xf6, xf7, xf8, xf9, xfa, xfb, xfc, xfd, xfe, xff;
            b();
        }
        a();
    }
}

Backtrace:

#0 js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7f270fcca040, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1 0x000000000061004b in js::LifoAlloc::allocImpl (this=0x7f270fcca040, n=120) at js/src/ds/LifoAlloc.h:225
#2 0x0000000000686b3a in js::LifoAlloc::allocInfallible (this=<optimized out>, n=<optimized out>) at js/src/ds/LifoAlloc.h:291
#3 0x0000000000799d50 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4 js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5 js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1121
#6 js::jit::MConstant::New (alloc=..., v=..., constraints=constraints@entry=0x0) at js/src/jit/MIR.cpp:804
#7 0x00000000006ee8f5 in (anonymous namespace)::TypeAnalyzer::replaceRedundantPhi (phi=0x7f270e755740, this=0x7ffda7cf02c0) at js/src/jit/IonAnalysis.cpp:1715
/snip

For detailed crash information, see attachment.
Reporter
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
Setting needinfo? from Ted as a start... (feel free to bounce it on!), also cc'ing :nbp.
Flags: needinfo?(tcampbell)
Assignee
Comment 3•7 years ago
Problem is exactly where trace shows it. The unbounded loop is here: https://searchfox.org/mozilla-central/rev/3a3af33f513071ea829debdfbc628caebcdf6996/js/src/jit/IonAnalysis.cpp#1739

I'll put together a fix.

Note to self: Do experiment to bisect the ballast value to find upper-bound over jit-test --ion-eager. See if more of these cases are missed and easily detected.
Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
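The failure mode discussed in comment 3, as an added example that is not part of the bug thread and is not SpiderMonkey code: a toy C++ model in which a loop performs an input-dependent number of infallible allocations after a single ballast check, next to a variant that re-checks ballast on every iteration. The class, function names, ballast size and chunk size are assumptions made for illustration; the 120-byte node size is the `n=120` seen in the backtrace.

```cpp
#include <cstddef>
#include <cstdio>

// Toy model, not SpiderMonkey code: a bump allocator with a reserved "ballast".
// kBallast, kChunk and the chunk budget are assumed values for illustration.
class ToyLifoAlloc {
    size_t avail_ = 0;       // bytes left in already-obtained chunks
    size_t chunksLeft_;      // chunks the system will still hand out
    bool violated_ = false;  // stands in for the fallibleScope_ assertion
  public:
    static constexpr size_t kBallast = 1024, kChunk = 4096;
    explicit ToyLifoAlloc(size_t chunks) : chunksLeft_(chunks) {}
    // Fallible: top up to at least kBallast bytes, or report OOM to the caller.
    bool ensureBallast() {
        if (avail_ >= kBallast) return true;
        if (chunksLeft_ == 0) return false;
        --chunksLeft_; avail_ += kChunk;
        return true;
    }
    // Infallible: must be served from memory already reserved; needing a
    // new chunk here is the condition the assertion in the report flags.
    void allocInfallible(size_t n) {
        if (n > avail_) { violated_ = true; return; }
        avail_ -= n;
    }
    bool violated() const { return violated_; }
};

enum class Result { Ok, OutOfMemory, AssertionFailure };
// One ballast check, then an input-controlled number of infallible allocations.
Result replacePhisUnchecked(ToyLifoAlloc& a, size_t phis, size_t nodeSize) {
    if (!a.ensureBallast()) return Result::OutOfMemory;
    for (size_t i = 0; i < phis; i++) a.allocInfallible(nodeSize);
    return a.violated() ? Result::AssertionFailure : Result::Ok;
}

// Ballast re-checked on every iteration: exhaustion becomes a reportable error.
Result replacePhisChecked(ToyLifoAlloc& a, size_t phis, size_t nodeSize) {
    for (size_t i = 0; i < phis; i++) {
        if (!a.ensureBallast()) return Result::OutOfMemory;
        a.allocInfallible(nodeSize);
    }
    return a.violated() ? Result::AssertionFailure : Result::Ok;
}

int main() {
    ToyLifoAlloc a(64), b(64);
    std::printf("%d %d\n", (int)replacePhisUnchecked(a, 200, 120), (int)replacePhisChecked(b, 200, 120));
}
```

In the model the unchecked loop trips the assertion even with plenty of chunks available, because the violation is about asking for a new chunk inside an infallible scope, not about memory actually running out.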
Reporter
Comment 4•7 years ago
Talking about bisection, I'm bisecting the potential regressor as I write this.
Reporter
Comment 5•7 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f5acec377801
user: Jan de Mooij
date: Sat Jul 22 14:31:45 2017 +0200
summary: Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder and ControlFlowGenerator. r=nbp

Is this a likely regressor?
Blocks: 1382973
Comment 6•7 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> summary: Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder
> and ControlFlowGenerator. r=nbp
>
> Is this a likely regressor?

No, if this is in type analysis it's very unlikely to be related.
No longer blocks: 1382973
Comment hidden (mozreview-request)
Comment 8•7 years ago
mozreview-review
Comment on attachment 8890555 [details]
Bug 1383972 - [Ion] Fix allocation error with too many MPhis.

https://reviewboard.mozilla.org/r/161696/#review167250

Thanks.
Attachment #8890555 -
Flags: review?(nicolas.b.pierron) → review+
Comment 9•7 years ago
hg error in cmd: hg pull gecko -r ee2808e2f3b47e6c9acaadb7fecaf2926317e66c: pulling from https://reviewboard-hg.mozilla.org/gecko abort: HTTP Error 500: Internal Server Error
Comment 10•7 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/fcd8bb8c31f7
[Ion] Fix allocation error with too many MPhis. r=nbp
Comment 11•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fcd8bb8c31f7
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56