Closed Bug 1812148 Opened 10 months ago Closed 10 months ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at ds/LifoAlloc.cpp:169

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

defect

Tracking

()

RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: lukas.bernhard, Assigned: anba)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Steps to reproduce:

On git commit c711b8f39ba2487886d4be6531e22a3b757cc113 the attached sample crashes with Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:169.
Invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --baseline-warmup-threshold=10 --fuzzing-safe --ion-warmup-threshold=100 crash.js

const f = (x) => 1;
for (let v4 = 0; v4 < 100; v4++) {
    for (const v8 of "arguments") {
        v8 == "a";
        Symbol.for().description;
        Symbol.for();
        Symbol.for();
    }   
    const v16 = Symbol.search;
    let v17 = v16.description;
    Symbol.for("arguments");
    const v19 = v16.description;
    v17 = 0;
    const v21 = Symbol.for(v19).description;
    Symbol.for(v21);
    Symbol.for(v21);
    const v25 = Symbol.for().description;
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for().description;
    Symbol.for();
    Symbol.for();
    Symbol.for().description;
    Symbol.for();
    Symbol.for(v25).description;
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for();
    const v42 = (1024)[v16];
    const v43 = Symbol();
    Symbol.for(v19).description;
    Symbol.for();
    Symbol.for();
    Symbol.for(v21).description;
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol.for();
    Symbol[v43] ||= v42;
}
f(0);
f(0);
f(0);
f(0);
#0  js::LifoAlloc::newChunkWithCapacity (this=0x7ffff74192e0, n=104, oversize=false)
    at js/src/ds/LifoAlloc.cpp:168
#1  0x0000555557641fcf in js::LifoAlloc::getOrCreateChunk (this=0x7ffff74192e0, n=<optimized out>)
    at js/src/ds/LifoAlloc.cpp:221
#2  js::LifoAlloc::allocImplColdPath (this=0x7ffff74192e0, n=104) at js/src/ds/LifoAlloc.cpp:231
#3  0x0000555557b7041d in js::LifoAlloc::allocImpl (this=0x7ffff74192e0, n=104)
    at js/src/ds/LifoAlloc.h:762
#4  js::LifoAlloc::allocInfallible (this=0x7ffff74192e0, n=104) at js/src/ds/LifoAlloc.h:857
#5  0x0000555557fa5746 in js::jit::TempAllocator::allocateInfallible (this=0x55555676bcd0, bytes=104)
    at js/src/jit/JitAllocPolicy.h:45
#6  js::jit::TempObject::operator new (nbytes=104, alloc=...) at js/src/jit/JitAllocPolicy.h:135
#7  js::jit::MInstruction::operator new (nbytes=104, alloc=...) at js/src/jit/MIR.h:1008
#8  js::jit::MDebugEnterGCUnsafeRegion::New<>(js::jit::TempAllocator&) (alloc=...)
    at js/src/jit/MIR.h:1278
#9  js::jit::AddKeepAliveInstructions (graph=...) at js/src/jit/IonAnalysis.cpp:4123
#10 0x0000555557f965cf in js::jit::OptimizeMIR (mir=0x7ffff4c78178) at js/src/jit/Ion.cpp:1401
#11 0x0000555557fa6f69 in js::jit::CompileBackEnd (mir=0x7ffff4c78178, snapshot=<optimized out>)
    at js/src/jit/Ion.cpp:1515
#12 0x0000555557fdb09a in js::jit::IonCompileTask::runTask (this=0x7ffff4c7bc70)
    at js/src/jit/IonCompileTask.cpp:52
#13 js::jit::IonCompileTask::runHelperThreadTask (this=0x7ffff4c7bc70, locked=...)
    at js/src/jit/IonCompileTask.cpp:30
#14 0x0000555557189b73 in js::GlobalHelperThreadState::runTaskLocked (this=0x7ffff740f000, locked=..., task=<optimized out>)
    at js/src/vm/HelperThreads.cpp:2777
Component: Untriaged → JavaScript Engine: JIT
Product: Firefox → Core
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Blocks: sm-opt-jits
No longer blocks: sm-runtime
Severity: -- → S4
Priority: -- → P1
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/774ca4bf79e2
Ensure ballast for MDebug{Enter,Leave}GCUnsafeRegion. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Duplicate of this bug: 1812558
You need to log in before you can comment on or make changes to this bug.