Closed Bug 1703766 Opened 3 years ago Closed 3 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at ds/LifoAlloc.cpp:173

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
89 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- fixed

People

(Reporter: decoder, Assigned: iain)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

Bug 1703766: Add missing ensureBallast in branch pruning r=jandem
48 bytes, text/x-phabricator-request
Details | Review

The following crash appeared on mozilla-central revision 20210407-b740f950e497 (debug build, run with --fuzzing-safe --differential-testing --wasm-compiler=baseline+optimizing --test-wasm-await-tier2 --no-sse3 --ion-pruning=on --ion-extra-checks --ion-warmup-threshold=100 --ion-edgecase-analysis=off --ion-gvn=off --fast-warmup --more-compartments --gc-zeal=18,386 --baseline-warmup-threshold=0 --no-threads).

There is no reproducible testcase for this issue but it happens frequently in fuzzing.

Backtrace:

#0  0x000056066e3f81af in js::LifoAlloc::newChunkWithCapacity(unsigned long, bool) ()
#1  0x000056066e3f83a1 in js::LifoAlloc::getOrCreateChunk(unsigned long) ()
#2  0x000056066e3f877b in js::LifoAlloc::allocImplColdPath(unsigned long) ()
#3  0x000056066e88e1ef in js::jit::TempAllocator::allocateInfallible(unsigned long) ()
#4  0x000056066eb39941 in js::jit::PruneUnusedBranches(js::jit::MIRGenerator*, js::jit::MIRGraph&) ()
#5  0x000056066eb372aa in js::jit::OptimizeMIR(js::jit::MIRGenerator*) ()
#6  0x000056066eb3fb6c in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) ()
#7  0x000056066eb41452 in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) ()
#8  0x000056066eb41fc7 in IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) ()
#9  0x00001f0fea323715 in ?? ()
[...]
#39 0x0000000000000000 in ?? ()
Attached file Testcase (obsolete) — 

    
    

    
  
Jan suggested this might be related to the recent branch pruning changes and that we might be able to fix this without a testcase. Iain, can you take a look? Thx!


Flags: needinfo?(iireland)
Assignee: nobody → iireland
Status: NEW → ASSIGNED

    
    

    
  
Yeah, I can fix this without a testcase. We're missing a call to ensureBallast; the test case probably didn't reduce well because we have a limit on the size of main-thread compilations, and it's hard to make a CFG large enough for pruning to use up all the ballast without exceeding that limit, so we have to race an off-thread compilation against main-thread execution.


Flags: needinfo?(iireland)

    
    

    
  
Pushed by iireland@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/61416db392c7
Add missing ensureBallast in branch pruning r=jandem
Severity: -- → S3
Priority: -- → P1

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/61416db392c7


Status: ASSIGNED → RESOLVED
Closed: 3 years ago

          status-firefox89:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

    
    

    
      
  

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: