Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:145

RESOLVED FIXED in Firefox 65

Status: RESOLVED FIXED (defect); reported 6 months ago, last modified 6 months ago
People: Reporter: bc; Assigned: iain
Tracking: Blocks 1 bug; Keywords: assertion; Version: unspecified; Target Milestone: mozilla65
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox-esr60 wontfix, firefox63 wontfix, firefox64 wontfix, firefox65 fixed
Attachments: 2 attachments

Description (Reporter, 6 months ago)
1. <https://poeapp.com/#/search/N4IghgLhBOCWBGBXCBTAzgOgDYrAc0RRAC4QATFLANyIBpwo4lVNZUBbAFQE8AHI0gCkUAd0oh67APZk0JANqhpskqBQAPXllgBjNhgDEAUgAEsAHY7ouNCjImAImHb4UJqTWgnOsdgPkAjABMtOaIWFgAuvQaWrr6xmaW1mC29gCCUGA6ANYmAMr8diYibAAWBSJS0CrE8gAcoeFRAL70EHwC4OZkIC2RLUA>

2. Windows/Linux (you may need to reload several times. I open the web console, do a window.open(), then in the new window open another web console and do a setInterval('opener.document.location.reload()', 30000) and wait for the assertion). Reproduced manually this way on Linux.

This is with a build after bug 1497107.

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at /builds/worker/workspace/build/src/js/src/ds/LifoAlloc.cpp:145

Program /mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox-bin (pid = 27553) received signal 11.
Stack:
#01: WasmTrapHandler(int, siginfo*, void*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#02: __restore_rt (sigaction.c:?)
#03: js::LifoAlloc::newChunkWithCapacity(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#04: js::LifoAlloc::getOrCreateChunk(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#05: js::LifoAlloc::allocImpl(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#06: js::HeapTypeSetKey::freeze(js::CompilerConstraintList*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#07: js::HeapTypeSetKey::isOwnProperty(js::CompilerConstraintList*, bool) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#08: js::jit::IonBuilder::testSingletonProperty(JSObject*, JS::PropertyKey) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#09: js::jit::IonBuilder::testSingletonPropertyTypes(js::jit::MDefinition*, JS::PropertyKey) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#10: js::jit::IonBuilder::getPropTryConstant(bool*, js::jit::MDefinition*, JS::PropertyKey, js::TemporaryTypeSet*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#11: js::jit::IonBuilder::jsop_getprop(js::PropertyName*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#12: js::jit::IonBuilder::inspectOpcode(JSOp) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#13: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#14: js::jit::IonBuilder::traverseBytecode() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#15: js::jit::IonBuilder::build() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#16: js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#17: js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)

Iain, interested in this one as well?
Flags: needinfo?(iireland)
Comment 1 (Assignee, 6 months ago)
bc: Can you double-check to make sure that the fix for bug 1497107 was actually included? Note that it was only pushed 3 days ago, even though the patch was posted a week ago. I ask because I managed to make this crash almost immediately without the fix, but with the fix included I've had the page reloading in the background for the better part of an hour without triggering anything.

That said, there are a couple of loops in the stack trace above that might conceivably burn through our ballast. (In particular, I've got my eye on this one: https://searchfox.org/mozilla-central/source/js/src/jit/IonBuilder.cpp#7479-7506)

If you really are getting crashes post-1497107, would it be possible for you to test out the attached patch? It speculatively adds a couple of ensureBallast calls.
Assignee: nobody → iireland
Flags: needinfo?(iireland)
Attachment #9027259 - Flags: feedback?(bob)
Updated (Assignee, 6 months ago)
Flags: needinfo?(bob)
Comment 2 (Reporter, 6 months ago)
The builds I tested were at the most from the 22nd and should have included that fix.

mozversion INFO | application_buildid: 20181122214923
mozversion INFO | application_changeset: 8b245cc1086f912f84b54a6af13f015404af8e14

I asserted immediately with a build from this morning and just again with a fresh build:

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at /home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.cpp:145

Program /home/bclary/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox (pid = 19816) received signal 11.
Stack:

###!!! [Parent][MessageChannel] Error: (msgtype=0x190083,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

#01: WasmTrapHandler(int, siginfo_t*, void*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/wasm/WasmSignalHandlers.cpp:713)
#02: __restore_rt (sigaction.c:?)
#03: js::LifoAlloc::newChunkWithCapacity(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.cpp:145)
#04: js::LifoAlloc::getOrCreateChunk(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/firefox-debug/dist/include/mozilla/UniquePtr.h:326)
#05: js::LifoAlloc::allocImpl(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.h:594)
#06: js::HeapTypeSetKey::freeze(js::CompilerConstraintList*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.h:925)
#07: js::HeapTypeSetKey::isOwnProperty(js::CompilerConstraintList*, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/vm/TypeInference.cpp:1898)
#08: js::jit::IonBuilder::testSingletonProperty(JSObject*, JS::PropertyKey) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:7494)
#09: js::jit::IonBuilder::testSingletonPropertyTypes(js::jit::MDefinition*, JS::PropertyKey) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:7584)
#10: js::jit::IonBuilder::getPropTryConstant(bool*, js::jit::MDefinition*, JS::PropertyKey, js::TemporaryTypeSet*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:11087)
#11: js::jit::IonBuilder::jsop_getprop(js::PropertyName*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:10849)
#12: js::jit::IonBuilder::inspectOpcode(JSOp) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:2348)
#13: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1672)
#14: js::jit::IonBuilder::traverseBytecode() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1586)
#15: js::jit::IonBuilder::buildInline(js::jit::IonBuilder*, js::jit::MResumePoint*, js::jit::CallInfo&) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1106)
#16: js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:3986)
#17: js::jit::IonBuilder::inlineSingleCall(js::jit::CallInfo&, JSObject*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:4559)
#18: js::jit::IonBuilder::inlineCallsite(mozilla::Vector<js::jit::InliningTarget, 4ul, js::jit::JitAllocPolicy> const&, js::jit::CallInfo&) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:4614)
#19: js::jit::IonBuilder::jsop_call(unsigned int, bool, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:5718)
#20: js::jit::IonBuilder::inspectOpcode(JSOp) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:2187)
#21: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1672)
#22: js::jit::IonBuilder::traverseBytecode() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1586)
#23: js::jit::IonBuilder::build() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:918)
#24: js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:189)
#25: BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/Ion.cpp:2569)

Applying your patch, I didn't assert. I did the automatic reload for a few minutes and couldn't reproduce. I then backed out your patch, rebuilt, and asserted immediately again. This is on Fedora 29 with 4.19.2 301 kernel and recently updated glibc fwiw.
Flags: needinfo?(bob)
Comment 3 (Assignee, 6 months ago)
Great, thanks! We can land the patch once I've taken a shot at writing a testcase to trigger the same bug more reliably.
Comment on attachment 9027259 [details] [diff] [review]
lifoalloc.patch

Review of attachment 9027259 [details] [diff] [review]:
-----------------------------------------------------------------

It seems to me that these allocations all share a single allocation site, which seems to already have code to handle OOMs.

What do you think about adding a fallible allocation scope (LifoAlloc::AutoFallibleScope) around the allocation made in the freeze function:
  https://searchfox.org/mozilla-central/rev/f997bd6bbfc4773e774fdb6cd010142370d186f9/js/src/vm/TypeInference.cpp#1793

Any failure to allocate a constraint will cause a failure once the compilation is finished (which might be extremely late, but better than nothing):
  https://searchfox.org/mozilla-central/rev/f997bd6bbfc4773e774fdb6cd010142370d186f9/js/src/vm/TypeInference.cpp#1595

Otherwise this patch sounds good to me.
Attachment #9027259 - Flags: review+
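Added example, not code from this bug, its patch, or SpiderMonkey: a hypothetical toy bump allocator that imitates only LifoAlloc's infallible/fallible split, so the two mitigations discussed above (the patch's ensureBallast calls before the loop, and the review's suggestion of a fallible scope around the constraint allocation in freeze) can be compared side by side. All names, chunk sizes and the constraint loop are constructed for illustration.

```cpp
#include <cstddef>
#include <vector>
// Hypothetical toy bump allocator; not SpiderMonkey's LifoAlloc, only its infallible/fallible split.
struct ToyLifoAlloc {
  size_t chunkSize, maxChunks, used = 0;
  std::vector<std::vector<unsigned char>> chunks;
  bool fallibleScope = false, infallibleFailure = false;  // latter stands in for the MOZ_ASSERT
  ToyLifoAlloc(size_t chunk, size_t max) : chunkSize(chunk), maxChunks(max) {}
  bool newChunk() {  // simulated OOM once maxChunks chunks exist
    if (chunks.size() >= maxChunks) return false;
    chunks.emplace_back(chunkSize); used = 0; return true;
  }
  // OOM in an infallible scope is the assertion in the bug title; the toy records it instead of aborting.
  void* alloc(size_t bytes) {
    if (chunks.empty() || used + bytes > chunkSize) {
      if (!newChunk()) {
        if (!fallibleScope) infallibleFailure = true;
        return nullptr;
      }
    }
    void* p = chunks.back().data() + used;
    used += bytes;
    return p;
  }
  // The patch's approach: reserve headroom before a loop; false tells the caller to abort cleanly.
  bool ensureBallast(size_t bytes) {
    return (!chunks.empty() && used + bytes <= chunkSize) || newChunk();
  }
  // The review's approach: inside this guard alloc() may return nullptr; the caller reports it later.
  struct AutoFallibleScope {
    ToyLifoAlloc& a; bool prev;
    explicit AutoFallibleScope(ToyLifoAlloc& al) : a(al), prev(al.fallibleScope) { a.fallibleScope = true; }
    ~AutoFallibleScope() { a.fallibleScope = prev; }
  };
};

// Models freeze() allocating one constraint per iteration; returns the number of failed allocations.
size_t freezeLoop(ToyLifoAlloc& a, size_t n) {
  size_t failed = 0;
  for (size_t i = 0; i < n; i++) if (!a.alloc(16)) failed++;
  return failed;
}
size_t freezeLoopFallible(ToyLifoAlloc& a, size_t n) {
  ToyLifoAlloc::AutoFallibleScope scope(a);
  return freezeLoop(a, n);
}
// Constructed scenarios: one 64-byte chunk, five 16-byte constraints (the fifth needs a new chunk).
bool unguardedLoopTripsAssert() { ToyLifoAlloc a(64, 1); return freezeLoop(a, 5) == 1 && a.infallibleFailure; }
bool guardedLoopStaysSilent() { ToyLifoAlloc a(64, 1); return freezeLoopFallible(a, 5) == 1 && !a.infallibleFailure && !a.fallibleScope; }
bool ballastedLoopNeverFails() {  // second ensureBallast gets chunk 2, third reports OOM without asserting
  ToyLifoAlloc a(64, 2);
  bool ok = a.ensureBallast(64) && freezeLoop(a, 4) == 0 && a.ensureBallast(64) && freezeLoop(a, 4) == 0;
  return ok && !a.ensureBallast(64) && !a.infallibleFailure;
}
```

The unguarded loop is the shape of the stack traces above: the first allocations in a loop succeed, and the one that needs a fresh chunk hits the infallible-scope assertion rather than a recoverable error.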

Comment 7 (bugherder, 6 months ago)
https://hg.mozilla.org/mozilla-central/rev/f58c9289f62e
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65