Closed Bug 1497107 Opened 1 year ago Closed 1 year ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:145


(Core :: JavaScript Engine, defect, P2)




Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed


(Reporter: bc, Assigned: iain)


(Blocks 1 open bug, )


(Keywords: assertion, reproducible)


(2 files)


Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at z:/build/build/src/js/src/ds/LifoAlloc.cpp:145

Bughunter found on Windows, I reproduced locally on Linux (may require reload). No crash on opt at least locally on Linux.
This is a debug-only assertion, which checks that we have a fallible allocator when we allocate new chunks. In release build this should crash only on actual OOM.

This bug should be actionable from the stack trace.
Iain, do you mind continuing on fixing these IonBuilder missing checks for ensureBalast?
Flags: needinfo?(iireland)
Priority: -- → P2
This bug looks much more tractable than my last ensureBallast bug.

The problem is IonBuilder::freezePropertiesForCommonPrototype:

There are two nested loops. The outer loop iterates over the contents of a TemporaryTypeSet (in this case, with capacity 64). The inner loop walks up the prototype chain, calling isOwnProperty on each element. isOwnProperty allocates ~64 bytes each time it is called, and we call it nearly 400 times before running out of ballast (even though we had more than enough ballast when entering this function.)

The script that triggers the bug is on line 144 of this youtube webcomponents js: I haven't made an effort at a cutdown testcase yet.

Awkwardly, freezePropertiesForCommonPrototype is a couple of levels deep in code that does not expect to be able to fail, so it will take a little bit of surgery to fix this.
Flags: needinfo?(iireland)
Pushed by
Add ensureBallast call to freezePropertiesForCommonPrototype r=nbp
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Assignee: nobody → iireland
See Also: → 1509482
Flags: needinfo?(iireland)
You need to log in before you can comment on or make changes to this bug.