Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

RESOLVED FIXED in Firefox 56

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gkw, Assigned: tcampbell)

Tracking

(Blocks 2 bugs, {assertion, jsbugmon, testcase})

Version: Trunk
Target Milestone: mozilla56
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox54 wontfix, firefox55 wontfix, firefox56 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)
Reporter

Description

2 years ago
The following testcase crashes on mozilla-central revision 5928d905c0bc (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
for (var i = 0; i < 1; i++) {
    // Adapted from randomly chosen test: js/src/tests/js1_8_5/regress/regress-698028-2.js
    for (let x of [0]) {
        var dbg = new g.Debugger(this);
        if (typeof b === 'function') {
            let x00, x01, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f,
                x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d,
                x1e, x1f, x80, x81, x82, x83, x84, x85, x86, x87, x88, x89, x8a, x8b,
                x8c, x8d, x8e, xa0, xa1, xa2, xa3, xa4, xa5, xa6, xa7, xa8, xa9, xaa,
                xab, xac, xad, xae, xaf, xb0, xb1, xb2, xb3, xb4, xb5, xb6, xb7, xb8,
                xb9, xba, xbb, xbc, xbd, xbe, xbf, xc0, xc1, xc2, xc3, xc4, xc5, xc6,
                xc7, xc8, xc9, xca, xcb, xcc, xcd, xce, xcf, xd0, xd1, xd2, xd3, xd4,
                xd5, xd6, xd7, xd8, xd9, xda, xdb, xdc, xdd, xde, xdf, xe0, xe1, xe2,
                xe3, xe4, xe5, xe6, xe7, xe8, xe9, xea, xeb, xec, xed, xee, xef, xf0,
                xf1, xf2, xf3, xf4, xf5, xf6, xf7, xf8, xf9, xfa, xfb, xfc, xfd, xfe,
                xff;
            b();
        }
        a();
    }
}

Backtrace:

#0  js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7f270fcca040, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1  0x000000000061004b in js::LifoAlloc::allocImpl (this=0x7f270fcca040, n=120) at js/src/ds/LifoAlloc.h:225
#2  0x0000000000686b3a in js::LifoAlloc::allocInfallible (this=<optimized out>, n=<optimized out>) at js/src/ds/LifoAlloc.h:291
#3  0x0000000000799d50 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4  js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5  js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1121
#6  js::jit::MConstant::New (alloc=..., v=..., constraints=constraints@entry=0x0) at js/src/jit/MIR.cpp:804
#7  0x00000000006ee8f5 in (anonymous namespace)::TypeAnalyzer::replaceRedundantPhi (phi=0x7f270e755740, this=0x7ffda7cf02c0) at js/src/jit/IonAnalysis.cpp:1715
/snip

For detailed crash information, see attachment.

Reporter

Comment 2

2 years ago
Setting needinfo? from Ted as a start... (feel free to bounce it on!), also cc'ing :nbp.
Flags: needinfo?(tcampbell)
Assignee

Comment 3

2 years ago
Problem is exactly where trace shows it. The unbounded loop is here: https://searchfox.org/mozilla-central/rev/3a3af33f513071ea829debdfbc628caebcdf6996/js/src/jit/IonAnalysis.cpp#1739

I'll put together a fix.

Note to self: Do experiment to bisect the ballast value to find upper-bound over jit-test --ion-eager. See if more of these cases are missed and easily detected.
Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
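To illustrate the failure mode described in comment 3, here is a simplified C++ model added for this page (not SpiderMonkey's LifoAlloc or TempAllocator code): an arena whose infallible allocations must be covered by ballast that only the fallible ensureBallast() may reserve. ModelArena, kBallast, the growth budget and replacePhis() are constructed for the example; the 120-byte request size comes from the backtrace above.

```cpp
// Added example (not SpiderMonkey's code): a LifoAlloc-style arena in which infallible
// allocations never create a chunk; they rely on ballast reserved by the fallible ensureBallast().
#include <cstddef>
#include <stdexcept>

class ModelArena {
    size_t reserved_;      // bytes the arena currently owns
    size_t used_ = 0;      // bytes handed out so far
    size_t growthBudget_;  // constructed OOM limit: how much more the system will give us
  public:
    static constexpr size_t kBallast = 4096;   // constructed ballast size
    ModelArena(size_t initial, size_t growthBudget)
        : reserved_(initial), growthBudget_(growthBudget) {}
    // Fallible: may reserve a new chunk; returns false on OOM so the caller can bail out.
    bool ensureBallast() {
        size_t avail = reserved_ - used_;
        if (avail >= kBallast) return true;
        size_t need = kBallast - avail;
        if (need > growthBudget_) return false;
        growthBudget_ -= need;
        reserved_ += need;
        return true;
    }
    // Infallible: forbidden from creating a chunk. Running dry here is the
    // "Cannot allocate a new chunk in an infallible scope" assertion in the report.
    void allocInfallible(size_t n) {
        if (used_ + n > reserved_)
            throw std::logic_error("[OOM] Cannot allocate a new chunk in an infallible scope.");
        used_ += n;
    }
};
enum class Outcome { Completed, BailedOOM, InfallibleFailure };

// Models a pass that allocates one 120-byte MConstant per redundant phi. With
// checkEachIteration == false the loop relies on one up-front ballast check, so enough
// phis exhaust it; with true it re-checks per phi, turning OOM into a clean bail-out.
Outcome replacePhis(size_t initial, size_t growthBudget, size_t phiCount, bool checkEachIteration) {
    ModelArena alloc(initial, growthBudget);
    try {
        if (!alloc.ensureBallast()) return Outcome::BailedOOM;
        for (size_t i = 0; i < phiCount; i++) {
            if (checkEachIteration && !alloc.ensureBallast()) return Outcome::BailedOOM;
            alloc.allocInfallible(120);
        }
    } catch (const std::logic_error&) {
        return Outcome::InfallibleFailure;
    }
    return Outcome::Completed;
}
```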
Reporter

Comment 4

2 years ago
Talking about bisection, I'm bisecting the potential regressor as I write this.
Reporter

Comment 5

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f5acec377801
user:        Jan de Mooij
date:        Sat Jul 22 14:31:45 2017 +0200
summary:     Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder and ControlFlowGenerator. r=nbp

Is this a likely regressor?
Blocks: 1382973
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> summary:     Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder
> and ControlFlowGenerator. r=nbp
> 
> Is this a likely regressor?

No, if this is in type analysis it's very unlikely to be related.
No longer blocks: 1382973

Comment 8

2 years ago
mozreview-review
Comment on attachment 8890555 [details]
Bug 1383972 - [Ion] Fix allocation error with too many MPhis.

https://reviewboard.mozilla.org/r/161696/#review167250

Thanks.
Attachment #8890555 - Flags: review?(nicolas.b.pierron) → review+

Comment 9

2 years ago
hg error in cmd: hg pull gecko -r ee2808e2f3b47e6c9acaadb7fecaf2926317e66c: pulling from https://reviewboard-hg.mozilla.org/gecko
abort: HTTP Error 500: Internal Server Error

Comment 10

2 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/fcd8bb8c31f7
[Ion] Fix allocation error with too many MPhis. r=nbp

Comment 11

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fcd8bb8c31f7
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56