Closed Bug 1383972 Opened 7 years ago Closed 7 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

Categories: Core :: JavaScript Engine, defect
Hardware: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED (target milestone mozilla56)
Tracking Status:
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: gkw, Assigned: tcampbell)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 5928d905c0bc (build with --enable-debug --enable-more-deterministic --without-intl-api, run with --fuzzing-safe --no-threads --ion-eager):

// jsfunfuzz-generated
for (var i = 0; i < 1; i++) {
    // Adapted from randomly chosen test: js/src/tests/js1_8_5/regress/regress-698028-2.js
    for (let x of [0]) {
        var dbg = new g.Debugger(this);
        if (typeof b === 'function') {
            let x00, x01, x04, x05, x06, x07, x08, x09, x0a, x0b, x0c, x0d, x0e, x0f,
                x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x1a, x1b, x1c, x1d,
                x1e, x1f, x80, x81, x82, x83, x84, x85, x86, x87, x88, x89, x8a, x8b,
                x8c, x8d, x8e, xa0, xa1, xa2, xa3, xa4, xa5, xa6, xa7, xa8, xa9, xaa,
                xab, xac, xad, xae, xaf, xb0, xb1, xb2, xb3, xb4, xb5, xb6, xb7, xb8,
                xb9, xba, xbb, xbc, xbd, xbe, xbf, xc0, xc1, xc2, xc3, xc4, xc5, xc6,
                xc7, xc8, xc9, xca, xcb, xcc, xcd, xce, xcf, xd0, xd1, xd2, xd3, xd4,
                xd5, xd6, xd7, xd8, xd9, xda, xdb, xdc, xdd, xde, xdf, xe0, xe1, xe2,
                xe3, xe4, xe5, xe6, xe7, xe8, xe9, xea, xeb, xec, xed, xee, xef, xf0,
                xf1, xf2, xf3, xf4, xf5, xf6, xf7, xf8, xf9, xfa, xfb, xfc, xfd, xfe,
                xff;
            b();
        }
        a();
    }
}

Backtrace:

#0  js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7f270fcca040, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1  0x000000000061004b in js::LifoAlloc::allocImpl (this=0x7f270fcca040, n=120) at js/src/ds/LifoAlloc.h:225
#2  0x0000000000686b3a in js::LifoAlloc::allocInfallible (this=<optimized out>, n=<optimized out>) at js/src/ds/LifoAlloc.h:291
#3  0x0000000000799d50 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4  js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5  js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1121
#6  js::jit::MConstant::New (alloc=..., v=..., constraints=constraints@entry=0x0) at js/src/jit/MIR.cpp:804
#7  0x00000000006ee8f5 in (anonymous namespace)::TypeAnalyzer::replaceRedundantPhi (phi=0x7f270e755740, this=0x7ffda7cf02c0) at js/src/jit/IonAnalysis.cpp:1715
/snip

For detailed crash information, see attachment.
Setting needinfo? from Ted as a start... (feel free to bounce it on!), also cc'ing :nbp.
Flags: needinfo?(tcampbell)
Problem is exactly where trace shows it. The unbounded loop is here: https://searchfox.org/mozilla-central/rev/3a3af33f513071ea829debdfbc628caebcdf6996/js/src/jit/IonAnalysis.cpp#1739

I'll put together a fix.

Note to self: Do an experiment to bisect the ballast value to find an upper bound over jit-test --ion-eager. See if more of these cases are missed and easily detected.
Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
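As an added illustration (not SpiderMonkey's LifoAlloc and not the patch from this bug) of the invariant the assertion enforces: an arena whose infallible scope forbids growing, where a single up-front ballast reservation followed by an unbounded loop of infallible allocations trips the check, and where re-establishing ballast on every iteration is one fix pattern. The arena, the 120-byte request size taken from the backtrace, and the function names are hypothetical.

```cpp
// Hypothetical, simplified model of a ballast-based arena; not js::LifoAlloc.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

struct BallastArena {
    std::vector<std::vector<uint8_t>> chunks;
    size_t chunkSize;
    size_t used = 0;  // bytes consumed in the current (last) chunk
    explicit BallastArena(size_t cs) : chunkSize(cs) {}

    // Fallible: may add a chunk so that at least n bytes are available.
    bool ensureBallast(size_t n) {
        if (!chunks.empty() && chunkSize - used >= n) return true;
        if (n > chunkSize) return false;
        chunks.emplace_back(chunkSize);
        used = 0;
        return true;
    }
    // Infallible: bump-allocates inside the current chunk only. Running out
    // here is the condition the assertion in the bug report catches.
    void* allocInfallible(size_t n) {
        if (chunks.empty() || chunkSize - used < n)
            throw std::logic_error("[OOM] Cannot allocate a new chunk in an infallible scope.");
        void* p = chunks.back().data() + used;
        used += n;
        return p;
    }
};

// Buggy pattern: one ballast reservation, then an unbounded loop of
// infallible allocations (one per phi). Returns false when the scope is violated.
bool buggyLoop(size_t phiCount, size_t chunkSize) {
    BallastArena arena(chunkSize);
    if (!arena.ensureBallast(120)) return false;
    try {
        for (size_t i = 0; i < phiCount; ++i) arena.allocInfallible(120);
    } catch (const std::logic_error&) { return false; }
    return true;
}

// Fixed pattern: re-establish ballast (fallibly) before every infallible allocation.
bool fixedLoop(size_t phiCount, size_t chunkSize) {
    BallastArena arena(chunkSize);
    for (size_t i = 0; i < phiCount; ++i) {
        if (!arena.ensureBallast(120)) return false;
        arena.allocInfallible(120);
    }
    return true;
}
```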
Talking about bisection, I'm bisecting the potential regressor as I write this.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f5acec377801
user:        Jan de Mooij
date:        Sat Jul 22 14:31:45 2017 +0200
summary:     Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder and ControlFlowGenerator. r=nbp

Is this a likely regressor?
Blocks: 1382973
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> summary:     Bug 1382973 part 8 - Remove BytecodeAnalysis from IonBuilder
> and ControlFlowGenerator. r=nbp
> 
> Is this a likely regressor?

No, if this is in type analysis it's very unlikely to be related.
No longer blocks: 1382973
Comment on attachment 8890555 [details]
Bug 1383972 - [Ion] Fix allocation error with too many MPhis.

https://reviewboard.mozilla.org/r/161696/#review167250

Thanks.
Attachment #8890555 - Flags: review?(nicolas.b.pierron) → review+
hg error in cmd: hg pull gecko -r ee2808e2f3b47e6c9acaadb7fecaf2926317e66c: pulling from https://reviewboard-hg.mozilla.org/gecko
abort: HTTP Error 500: Internal Server Error
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/fcd8bb8c31f7
[Ion] Fix allocation error with too many MPhis. r=nbp
https://hg.mozilla.org/mozilla-central/rev/fcd8bb8c31f7
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56