Closed
Bug 1646045
Opened 4 years ago
Closed 4 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at ds/LifoAlloc.cpp:173
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla79
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | wontfix |
| firefox77 | --- | unaffected |
| firefox78 | --- | wontfix |
| firefox79 | --- | verified |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200615-f05a0084c5f2 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --disable-oom-functions --disable-oom-functions --ion-check-range-analysis --ion-full-warmup-threshold=0 --more-compartments --baseline-eager):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555555faf245 in js::LifoAlloc::newChunkWithCapacity(unsigned long, bool) ()
#0 0x0000555555faf245 in js::LifoAlloc::newChunkWithCapacity(unsigned long, bool) ()
#1 0x0000555555faf441 in js::LifoAlloc::getOrCreateChunk(unsigned long) ()
#2 0x0000555555faf7bb in js::LifoAlloc::allocImplColdPath(unsigned long) ()
#3 0x000055555646d8bf in js::jit::TempAllocator::allocateInfallible(unsigned long) ()
#4 0x0000555556675df3 in js::jit::FoldLoadsWithUnbox(js::jit::MIRGenerator*, js::jit::MIRGraph&) ()
#5 0x000055555666e247 in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#6 0x0000555556677ae9 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7 0x000055555668be61 in js::jit::IonCompile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool, js::jit::OptimizationLevel) ()
#8 0x0000555556678f81 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned int, unsigned char*, bool) ()
#9 0x00005555566796e7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned int, unsigned char*) ()
#10 0x00000fe8d5302875 in ?? ()
[...]
#60 0x0000000000000000 in ?? ()
rax 0x5555570b6092 93825020944530
rbx 0x7ffff53c2510 140737307747600
rcx 0x5555583de980 93825041033600
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffa5a0 140737488332192
rsp 0x7fffffffa580 140737488332160
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7ffff4fbb958 140737303525720
r13 0x7ffff4fb43d8 140737303495640
r14 0x7fffffffa5f0 140737488332272
r15 0x7ffff53c2510 140737307747600
rip 0x555555faf245 <js::LifoAlloc::newChunkWithCapacity(unsigned long, bool)+325>
=> 0x555555faf245 <_ZN2js9LifoAlloc20newChunkWithCapacityEmb+325>: movl $0xad,0x0
0x555555faf250 <_ZN2js9LifoAlloc20newChunkWithCapacityEmb+336>: callq 0x555555849bee <abort>
This bug was really hard to reduce and won't reduce further. It would be good to tackle this while it still reproduces, it seems to be fragile, but the fuzzer still hits it quite often. Must be a recent regression.
|
Reporter | |
Comment 1•4 years ago
|
||
|
Assignee | |
Comment 2•4 years ago
|
||
Looks like FoldLoadsWithUnbox needs an ensureBallast. I'll put up a patch.
|
|
Assignee | |
Comment 3•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → iireland
Status: NEW → ASSIGNED
|
||
Updated•4 years ago
|
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
|
|
||
Comment 4•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200616154959-89a54069f124.
The bug appears to have been introduced in the following build range:
> Start: 5f052981c734c4d888e139f289cbcfc21217afc1 (20200527150323)
> End: abab86b25b5f76406c11bdde1b0823990713efee (20200527150449)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5f052981c734c4d888e139f289cbcfc21217afc1&tochange=abab86b25b5f76406c11bdde1b0823990713efee
|
||
Updated•4 years ago
|
status-firefox77:
--- → unaffected
status-firefox78:
--- → wontfix
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → fix-optional
Regressed by: 1640829
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6de6943d856f
Add ensureBallast to FoldLoadsWithUnbox r=jandem
|
||
Comment 6•4 years ago
|
||
Backed out changeset 6de6943d856f for causing failures in test_notification_openWindow.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/5bcc680a02d8b0236ebc1a9d7b0ae8fc85d9a9cb
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=306680403&repo=autoland&lineNumber=3364
Flags: needinfo?(iireland)
Pushed by malexandru@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45512060bc9d
Add ensureBallast to FoldLoadsWithUnbox r=jandem DONTBUILD
|
|
||
Comment 8•4 years ago
|
||
Re-landed changeset 6de6943d856f since it was not the cause of the failures, re-land link:
https://hg.mozilla.org/integration/autoland/rev/45512060bc9dd0d6b072d7a8c530de849c4b49c9
Sorry for the inconvenience!
Flags: needinfo?(iireland)
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
|
|
||
Updated•4 years ago
|
|
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
|
|
||
Updated•4 years ago
|
|
|
||
Comment 11•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200618094105-f291dd9e075c.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•