Closed Bug 1509482 Opened 2 years ago Closed 2 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:145

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla65
Tracking Status:
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

Reporter: bc, Assigned: iain

Details

Keywords: assertion

Attachments: 2 files

1. <https://poeapp.com/#/search/N4IghgLhBOCWBGBXCBTAzgOgDYrAc0RRAC4QATFLANyIBpwo4lVNZUBbAFQE8AHI0gCkUAd0oh67APZk0JANqhpskqBQAPXllgBjNhgDEAUgAEsAHY7ouNCjImAImHb4UJqTWgnOsdgPkAjABMtOaIWFgAuvQaWrr6xmaW1mC29gCCUGA6ANYmAMr8diYibAAWBSJS0CrE8gAcoeFRAL70EHwC4OZkIC2RLUA>

2. Windows/Linux (you may need to reload several times. I open the web console, do a window.open(), then in the new window open another web console and do a setInterval('opener.document.location.reload()', 30000) and wait for the assertion). Reproduced manually this way on Linux.

This is with a build after bug 1497107.

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at /builds/worker/workspace/build/src/js/src/ds/LifoAlloc.cpp:145

Program /mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox-bin (pid = 27553) received signal 11.
Stack:
#01: WasmTrapHandler(int, siginfo*, void*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#02: __restore_rt (sigaction.c:?)
#03: js::LifoAlloc::newChunkWithCapacity(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#04: js::LifoAlloc::getOrCreateChunk(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#05: js::LifoAlloc::allocImpl(unsigned long) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#06: js::HeapTypeSetKey::freeze(js::CompilerConstraintList*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#07: js::HeapTypeSetKey::isOwnProperty(js::CompilerConstraintList*, bool) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#08: js::jit::IonBuilder::testSingletonProperty(JSObject*, JS::PropertyKey) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#09: js::jit::IonBuilder::testSingletonPropertyTypes(js::jit::MDefinition*, JS::PropertyKey) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#10: js::jit::IonBuilder::getPropTryConstant(bool*, js::jit::MDefinition*, JS::PropertyKey, js::TemporaryTypeSet*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#11: js::jit::IonBuilder::jsop_getprop(js::PropertyName*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#12: js::jit::IonBuilder::inspectOpcode(JSOp) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#13: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#14: js::jit::IonBuilder::traverseBytecode() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#15: js::jit::IonBuilder::build() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#16: js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#17: js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)

Iain, interested in this one as well?
Flags: needinfo?(iireland)
Attached patch lifoalloc.patch (Splinter Review)
bc: Can you double-check to make sure that the fix for bug 1497107 was actually included? Note that it was only pushed 3 days ago, even though the patch was posted a week ago. I ask because I managed to make this crash almost immediately without the fix, but with the fix included I've had the page reloading in the background for the better part of an hour without triggering anything.

That said, there are a couple of loops in the stack trace above that might conceivably burn through our ballast. (In particular, I've got my eye on this one: https://searchfox.org/mozilla-central/source/js/src/jit/IonBuilder.cpp#7479-7506)

If you really are getting crashes post-1497107, would it be possible for you to test out the attached patch? It speculatively adds a couple of ensureBallast calls.
Assignee: nobody → iireland
Flags: needinfo?(iireland)
Attachment #9027259 - Flags: feedback?(bob)
Flags: needinfo?(bob)
The builds I tested were at the most from the 22nd and should have included that fix.

mozversion INFO | application_buildid: 20181122214923
mozversion INFO | application_changeset: 8b245cc1086f912f84b54a6af13f015404af8e14

I asserted immediately with a build from this morning and just again with a fresh build.

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at /home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.cpp:145

Program /home/bclary/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox (pid = 19816) received signal 11.
Stack:

###!!! [Parent][MessageChannel] Error: (msgtype=0x190083,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

#01: WasmTrapHandler(int, siginfo_t*, void*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/wasm/WasmSignalHandlers.cpp:713)
#02: __restore_rt (sigaction.c:?)
#03: js::LifoAlloc::newChunkWithCapacity(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.cpp:145)
#04: js::LifoAlloc::getOrCreateChunk(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/firefox-debug/dist/include/mozilla/UniquePtr.h:326)
#05: js::LifoAlloc::allocImpl(unsigned long) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.h:594)
#06: js::HeapTypeSetKey::freeze(js::CompilerConstraintList*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/ds/LifoAlloc.h:925)
#07: js::HeapTypeSetKey::isOwnProperty(js::CompilerConstraintList*, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/vm/TypeInference.cpp:1898)
#08: js::jit::IonBuilder::testSingletonProperty(JSObject*, JS::PropertyKey) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:7494)
#09: js::jit::IonBuilder::testSingletonPropertyTypes(js::jit::MDefinition*, JS::PropertyKey) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:7584)
#10: js::jit::IonBuilder::getPropTryConstant(bool*, js::jit::MDefinition*, JS::PropertyKey, js::TemporaryTypeSet*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:11087)
#11: js::jit::IonBuilder::jsop_getprop(js::PropertyName*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:10849)
#12: js::jit::IonBuilder::inspectOpcode(JSOp) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:2348)
#13: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1672)
#14: js::jit::IonBuilder::traverseBytecode() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1586)
#15: js::jit::IonBuilder::buildInline(js::jit::IonBuilder*, js::jit::MResumePoint*, js::jit::CallInfo&) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1106)
#16: js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:3986)
#17: js::jit::IonBuilder::inlineSingleCall(js::jit::CallInfo&, JSObject*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:4559)
#18: js::jit::IonBuilder::inlineCallsite(mozilla::Vector<js::jit::InliningTarget, 4ul, js::jit::JitAllocPolicy> const&, js::jit::CallInfo&) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:4614)
#19: js::jit::IonBuilder::jsop_call(unsigned int, bool, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:5718)
#20: js::jit::IonBuilder::inspectOpcode(JSOp) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:2187)
#21: js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1672)
#22: js::jit::IonBuilder::traverseBytecode() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:1586)
#23: js::jit::IonBuilder::build() (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:918)
#24: js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/IonBuilder.cpp:189)
#25: BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) (/home/bclary/mozilla/builds/nightly/mozilla/js/src/jit/Ion.cpp:2569)

Applying your patch I didn't assert. I did the automatic reload for a few minutes and couldn't reproduce. I then backed out your patch, rebuilt, and asserted immediately again. This is on Fedora 29 with 4.19.2 301 kernel and recently updated glibc fwiw.
Flags: needinfo?(bob)
Great, thanks! We can land the patch once I've taken a shot at writing a testcase to trigger the same bug more reliably.
Comment on attachment 9027259 [details] [diff] [review]
lifoalloc.patch

Review of attachment 9027259 [details] [diff] [review]:
-----------------------------------------------------------------

It seems to me that these allocations all share a single allocation site, which seems to already have code to handle OOMs.

What do you think about adding a fallible allocation scope (LifoAlloc::AutoFallibleScope) around the allocation made in the freeze function:
  https://searchfox.org/mozilla-central/rev/f997bd6bbfc4773e774fdb6cd010142370d186f9/js/src/vm/TypeInference.cpp#1793

Any failure to allocate a constraint will cause a failure once the compilation is finished (which might be extremely late, but better than nothing):
  https://searchfox.org/mozilla-central/rev/f997bd6bbfc4773e774fdb6cd010142370d186f9/js/src/vm/TypeInference.cpp#1595

Otherwise this patch sounds good to me.
Attachment #9027259 - Flags: review+
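The allocator contract that the patch and the review above are arguing about, as an added model. This is not SpiderMonkey's js::LifoAlloc and not the attached patch: it is a bump allocator that is infallible by default, where ensureBallast() reserves slack inside a temporary fallible scope, and any allocation that needs a fresh chunk while the allocator is infallible is the contract violation the LifoAlloc.cpp:145 assertion reports. The chunk size, ballast size, the 24-byte constraint record, the simulated-OOM knob and the scenario function names are all assumptions. freezeLoopViolations() models a loop like the one in testSingletonProperty with ballast ensured once before the loop versus once per iteration (the shape of the attached patch); compileWithFallibleFreeze() models the reviewer's alternative, where the freeze allocation runs under AutoFallibleScope and the failure is only recorded and acted on when the compilation finishes.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Model of the infallible-scope discipline discussed in this bug.  It is NOT
// SpiderMonkey's js::LifoAlloc; sizes and names are assumptions.
class LifoModel {
public:
    static constexpr size_t ChunkSize = 256;   // assumed
    static constexpr size_t BallastSize = 64;  // assumed

    // RAII scope in which alloc() may legitimately return nullptr.
    class AutoFallibleScope {
        LifoModel& a_;
        bool prev_;
    public:
        explicit AutoFallibleScope(LifoModel& a) : a_(a), prev_(a.fallibleScope_) {
            a_.fallibleScope_ = true;
        }
        ~AutoFallibleScope() { a_.fallibleScope_ = prev_; }
    };

    // oomAfterChunks: simulate malloc failure once this many chunks exist.
    explicit LifoModel(size_t oomAfterChunks = SIZE_MAX) : oomAfterChunks_(oomAfterChunks) {}

    // Reserve slack before entering infallible code.  false means OOM now,
    // while the caller can still bail out cleanly.
    bool ensureBallast(size_t n = BallastSize) {
        AutoFallibleScope fallible(*this);
        if (unused() >= n) return true;
        return newChunk(n);
    }

    // Bump allocation.  Needing a fresh chunk while infallible is the condition
    // the LifoAlloc.cpp:145 assertion reports; the model counts it instead of
    // aborting so the scenarios below can be compared.
    void* alloc(size_t n) {
        if (unused() < n) {
            if (!fallibleScope_) ++scopeViolations_;
            if (!newChunk(n)) return nullptr;
        }
        void* p = cur_->data() + used_;
        used_ += n;
        return p;
    }

    size_t scopeViolations() const { return scopeViolations_; }

private:
    size_t unused() const { return cur_ ? cur_->size() - used_ : 0; }

    bool newChunk(size_t n) {
        if (chunks_.size() >= oomAfterChunks_) return false;  // simulated OOM
        size_t cap = n > ChunkSize ? n : ChunkSize;
        chunks_.push_back(std::unique_ptr<std::vector<uint8_t>>(new std::vector<uint8_t>(cap)));
        cur_ = chunks_.back().get();
        used_ = 0;
        return true;
    }

    std::vector<std::unique_ptr<std::vector<uint8_t>>> chunks_;
    std::vector<uint8_t>* cur_ = nullptr;
    size_t used_ = 0;
    bool fallibleScope_ = false;  // infallible unless a scope says otherwise
    size_t scopeViolations_ = 0;
    size_t oomAfterChunks_;
};

// Loop that freezes one constraint per iteration (24-byte record: assumed)
// after reserving ballast once.  ensurePerIteration=true is the patch's shape.
// Returns the number of scope violations, or SIZE_MAX if ensureBallast hit OOM.
size_t freezeLoopViolations(size_t iterations, bool ensurePerIteration) {
    LifoModel alloc;
    if (!alloc.ensureBallast()) return SIZE_MAX;
    for (size_t i = 0; i < iterations; ++i) {
        if (ensurePerIteration && !alloc.ensureBallast()) return SIZE_MAX;
        (void)alloc.alloc(24);  // stands in for the constraint appended by freeze()
    }
    return alloc.scopeViolations();
}

// Reviewer's alternative: the freeze allocation itself runs fallibly, the
// failure is remembered, and the compilation is failed when it finishes.
struct CompileResult { bool succeeded; size_t scopeViolations; };

CompileResult compileWithFallibleFreeze(size_t iterations, size_t oomAfterChunks) {
    LifoModel alloc(oomAfterChunks);
    bool constraintFailed = false;
    for (size_t i = 0; i < iterations; ++i) {
        LifoModel::AutoFallibleScope fallible(alloc);
        if (!alloc.alloc(24)) constraintFailed = true;  // noted now, acted on late
    }
    return { !constraintFailed, alloc.scopeViolations() };
}

int main() {
    std::printf("ballast once, 20 freezes:  %zu violation(s)\n", freezeLoopViolations(20, false));
    std::printf("ballast per iteration:     %zu violation(s)\n", freezeLoopViolations(20, true));
    std::printf("fallible freeze under OOM: compile %s\n",
                compileWithFallibleFreeze(20, 1).succeeded ? "succeeded" : "failed");
    return 0;
}
```

The violation counter increments even when the new chunk is obtained successfully: the assertion in the bug checks the scope contract, not whether the allocation actually failed, so on a debug build it fires as soon as a loop outruns the slack it reserved, with or without memory pressure. Simulated OOM only matters for the fallible variant, where the nullptr has to be remembered and turned into a compilation failure later rather than crashing at the allocation site.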
https://hg.mozilla.org/mozilla-central/rev/f58c9289f62e
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65