Closed Bug 1329129 Opened 8 years ago Closed 8 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
macOS
defect

Tracking

RESOLVED DUPLICATE of bug 1329665
Tracking Status
firefox53 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision a14094edbad7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --ion-aa=flow-sensitive --ion-limit-script-size=off):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-a14094edbad7	0x000000010ff33109 js::LifoAlloc::getOrCreateChunk(unsigned long) + 345 (LifoAlloc.cpp:105)
1   js-dbg-64-dm-clang-darwin-a14094edbad7	0x00000001102867f7 js::LifoAlloc::allocImpl(unsigned long) + 103 (LifoAlloc.h:225)
2   js-dbg-64-dm-clang-darwin-a14094edbad7	0x000000010ff8ee32 js::jit::TempObject::operator new(unsigned long, js::jit::TempAllocator&) + 130 (LifoAlloc.h:291)
3   js-dbg-64-dm-clang-darwin-a14094edbad7	0x000000010fccc6c7 js::jit::FlowAliasAnalysis::saveStoreDependency(js::jit::MDefinition*, mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&) + 39 (FlowAliasAnalysis.cpp:818)
4   js-dbg-64-dm-clang-darwin-a14094edbad7	0x000000010fccbeb4 js::jit::FlowAliasAnalysis::processStore(mozilla::Vector<js::jit::MDefinition*, 6ul, js::jit::JitAllocPolicy>&, js::jit::MDefinition*) + 36 (FlowAliasAnalysis.cpp:518)
/snip

For detailed crash information, see attachment.
Attached file Testcase (deleted)
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161030110521" and the hash "708de5d681d113649e8fac2a10a4a0c0eae8be43".
The "bad" changeset has the timestamp "20161030133821" and the hash "8fae1fb3e02eef78e34aeafb662cbc54496521e1".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=708de5d681d113649e8fac2a10a4a0c0eae8be43&tochange=8fae1fb3e02eef78e34aeafb662cbc54496521e1

Arai-san, is bug 1185106 a likely regressor? Also setting needinfo? for Hannes since this involves --ion-aa=flow-sensitive, and setting [fuzzblocker] because it seems to be happening quite frequently.
Blocks: 1185106
Flags: needinfo?(hv1989)
Flags: needinfo?(arai.unmht)
Since the testcase only contains a normal function declaration, Part 0.1 there could be related:
  https://hg.mozilla.org/integration/mozilla-inbound/rev/bc85cad3e93b
Will investigate later today.
Confirmed it's starting from bc85cad3e93b.
I don't see anything directly related to the allocation/analysis code in the changeset, except the change in bytecode that may change the allocation amount.
I'd forward the ni? to h4writer.
Flags: needinfo?(arai.unmht)
Flags: needinfo?(hv1989)
Priority: -- → P1
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE