756612 - IonMonkey: OOM Testing: Crash [@ js::ion::CodeGeneratorX86Shared::visitOutOfLineBailout]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following command crashes on ionmonkey revision 8c54899dae82 (dbg build):

js  -e 'const libdir = "js/src/jit-test/lib/";' -A 9445 -f js/src/jit-test/tests/debug/Object-parameterNames.js

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

IonMonkey relies on infallible allocations for small objects, and we ensure this with a ballast that has remained unimplemented. This patch implements it with some LifoAlloc trickery.

Comment 2

[Luke Wagner [:luke]]

Comment on attachment 625303 [details] [diff] [review]
fix

Review of attachment 625303 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ds/LifoAlloc.h
@@ +241,5 @@
>  
> +    // Ensures that enough space exists to satisfy N bytes worth of
> +    // allocation requests, not necessarily contiguous.
> +    JS_ALWAYS_INLINE
> +    bool ensureUnused(size_t n) {

iiuc, this isn't strictly true for the fast-path algorithm below since, if a chunk reports k bytes of unused space and an allocation is made for >k bytes, that chunk's unused space can't be used.  However, this doesn't really matter for the purpose of the ballast since n only has to be approximate.  So my only request is to rename this to ensureUnusedApproximate and update the comment accordingly.

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: follow-up

Quick follow-up patch to make it so OOM testing can't inject OOMs into our infallible allocations.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

Whoa, fast reviews! http://hg.mozilla.org/projects/ionmonkey/rev/88ea2e529609

Christian, would you mind having the OOM tester re-test all the bugs it filed today? I ran through them and could not reproduce them after implementing the ballast.