Closed
Bug 1329129
Opened 8 years ago
Closed 8 years ago
Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105
Categories
(Core :: JavaScript Engine, defect, P1)
RESOLVED
DUPLICATE
of bug 1329665
| | Tracking | Status |
|---|---|---|
| firefox53 | --- | affected |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision a14094edbad7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-aa=flow-sensitive --ion-limit-script-size=off):

See attachment.

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-a14094edbad7 0x000000010ff33109 js::LifoAlloc::getOrCreateChunk(unsigned long) + 345 (LifoAlloc.cpp:105)
1 js-dbg-64-dm-clang-darwin-a14094edbad7 0x00000001102867f7 js::LifoAlloc::allocImpl(unsigned long) + 103 (LifoAlloc.h:225)
2 js-dbg-64-dm-clang-darwin-a14094edbad7 0x000000010ff8ee32 js::jit::TempObject::operator new(unsigned long, js::jit::TempAllocator&) + 130 (LifoAlloc.h:291)
3 js-dbg-64-dm-clang-darwin-a14094edbad7 0x000000010fccc6c7 js::jit::FlowAliasAnalysis::saveStoreDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&) + 39 (FlowAliasAnalysis.cpp:818)
4 js-dbg-64-dm-clang-darwin-a14094edbad7 0x000000010fccbeb4 js::jit::FlowAliasAnalysis::processStore(mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, js::jit::MDefinition*) + 36 (FlowAliasAnalysis.cpp:518)
/snip
```

For detailed crash information, see attachment.
Comment 1•8 years ago (Reporter)

Comment 2•8 years ago (Reporter)

Comment 3•8 years ago (Reporter)
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161030110521" and the hash "708de5d681d113649e8fac2a10a4a0c0eae8be43".
The "bad" changeset has the timestamp "20161030133821" and the hash "8fae1fb3e02eef78e34aeafb662cbc54496521e1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=708de5d681d113649e8fac2a10a4a0c0eae8be43&tochange=8fae1fb3e02eef78e34aeafb662cbc54496521e1

Arai-san, is bug 1185106 a likely regressor?

Also setting needinfo? from Hannes since this involves --ion-aa=flow-sensitive - and setting [fuzzblocker] because it seems to be happening quite frequently.
Comment 4•8 years ago
Since the testcase only contains normal function declaration, Part 0.1 there could be related.
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc85cad3e93b

Will investigate later today.
Comment 5•8 years ago
Confirmed it's starting from bc85cad3e93b.
Comment 6•8 years ago
I don't see anything directly related to the allocation/analysis code in the changeset, except the change in bytecode that may change the allocation amount. I'd forward the ni? to h4writer.
Flags: needinfo?(arai.unmht)
Updated•8 years ago
Flags: needinfo?(hv1989)
Priority: -- → P1
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE