Closed Bug 1329651 Opened 8 years ago Closed 8 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at js/src/ds/LifoAlloc.cpp:105

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla54
Tracking Status
firefox52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: decoder, Assigned: h4writer)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 701868bfddcb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --baseline-eager --ion-aa=flow-sensitive):

try {
    evaluate(` 
      function TestCase(n, a) {
        value = value.replace(/n/, 'NL').replace(/n/, 'NL').replace(r/g).replace
        return value;
      }
      setJitCompilerOption("ion.warmup.trigger", 2);
      TestCase();
    `)
} catch (exc) {}
function newFunc(x) Function(x)();
newFunc(`
var SECTION;
new TestCase( SECTIONNumberNaN + "" );
new TestCase;
new TestCase;
TestCase( NEGATIVE_INFINITY + "" );
new TestCase;
TestCase( + "");
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase + new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
new TestCase;
`);
Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#0  js::LifoAlloc::getOrCreateChunk (this=this@entry=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.cpp:105
#1  0x00000000005f6d03 in js::LifoAlloc::allocImpl (n=120, this=0x7ffff3332180) at js/src/ds/LifoAlloc.h:225
#2  js::LifoAlloc::allocInfallible (this=0x7ffff3332180, n=n@entry=120) at js/src/ds/LifoAlloc.h:291
#3  0x00000000007084f0 in js::jit::TempAllocator::allocateInfallible (bytes=120, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:44
#4  js::jit::TempObject::operator new (alloc=..., nbytes=120) at js/src/jit/JitAllocPolicy.h:162
#5  js::jit::MInstruction::operator new (alloc=..., nbytes=120) at js/src/jit/MIR.h:1123
#6  js::jit::MConstant::New (constraints=0x0, v=..., alloc=...) at js/src/jit/MIR.cpp:806
#7  js::jit::MBasicBlock::optimizedOutConstant (this=0x7ffff69cd020, alloc=...) at js/src/jit/MIRGraph.cpp:919
#8  0x00000000005fc5cd in EliminateTriviallyDeadResumePointOperands (graph=..., rp=0x7ffff69cd3c0) at js/src/jit/IonAnalysis.cpp:977
#9  0x0000000000619093 in EliminateTriviallyDeadResumePointOperands (rp=<optimized out>, graph=...) at js/src/jit/IonAnalysis.cpp:967
#10 js::jit::EliminateDeadResumePointOperands (mir=mir@entry=0x7ffff69b0278, graph=...) at js/src/jit/IonAnalysis.cpp:1005
#11 0x000000000065a780 in js::jit::EliminateDeadResumePointOperands (graph=..., mir=0x7ffff69b0278) at js/src/jit/FlowAliasAnalysis.h:24
#12 js::jit::OptimizeMIR (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:1713
#13 0x000000000065b9d6 in js::jit::CompileBackEnd (mir=mir@entry=0x7ffff69b0278) at js/src/jit/Ion.cpp:2067
#14 0x000000000065c55b in js::jit::IonCompile (cx=cx@entry=0x7ffff695f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffb6a8, osrPc=<optimized out>, recompile=<optimized out>, optimizationLevel=optimizationLevel@entry=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2351
#15 0x000000000065ccb2 in js::jit::Compile (cx=cx@entry=0x7ffff695f000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffb6a8, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2533
#16 0x000000000065d5c2 in BaselineCanEnterAtEntry (frame=0x7fffffffb6a8, script=..., cx=0x7ffff695f000) at js/src/jit/Ion.cpp:2662
#17 js::jit::IonCompileScriptForBaseline (cx=0x7ffff695f000, frame=0x7fffffffb6a8, pc=<optimized out>) at js/src/jit/Ion.cpp:2785
#18 0x00007ffff7e45cd0 in ?? ()
[...]
#40 0x0000000000000000 in ?? ()
rax	0x204e520	33875232
rbx	0x1217988	18971016
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffad30	140737488334128
rsp	0x7fffffffac70	140737488333936
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7ffff3531fe8	140737275699176
r13	0x7ffff3332180	140737273602432
r14	0x78	120
r15	0x0	0
rip	0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944>
=> 0x825030 <js::LifoAlloc::getOrCreateChunk(unsigned long)+944>:	movl   $0x0,0x0
   0x82503b <js::LifoAlloc::getOrCreateChunk(unsigned long)+955>:	ud2
Flags: needinfo?(nicolas.b.pierron)
Version: Trunk → 53 Branch
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Error: Unsupported branch "53 Branch" required by bug
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
JSBugMon: Bisection requested, failed due to error: Error: Unsupported branch "53 Branch" required by bug
Attached patch Patch (deleted) — Splinter Review
Assignee: nobody → hv1989
Attachment #8830246 - Flags: review?(nicolas.b.pierron)
Priority: -- → P1
Attachment #8830246 - Flags: review?(nicolas.b.pierron) → review+
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/98e7a11da7c8
IonMonkey - Ensure ballast in EliminateDeadResumePointOperands, r=nbp
https://hg.mozilla.org/mozilla-central/rev/98e7a11da7c8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
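The assertion in this bug fires because an optimization pass allocated from the compiler's bump allocator inside an infallible scope, and the current chunk had no room left, so the allocator would have had to fetch a fresh chunk (the one operation that can actually fail on OOM). The fix title, "Ensure ballast", names the discipline that prevents this: before each step that may allocate, the pass fallibly reserves enough headroom (ballast) so that the subsequent infallible allocations can never need a new chunk. The following is an added, constructed C++ mock of that discipline; it is not SpiderMonkey's LifoAlloc or TempAllocator code. Method names (getOrCreateChunk, allocInfallible, ensureBallast) are chosen to mirror the frames in the backtrace, the 120-byte request size comes from the backtrace, and the chunk and ballast sizes are invented so the arena runs out within three steps.

```cpp
// Added illustration of the "infallible scope + ballast" discipline behind the
// assertion in this bug. Constructed mock, not SpiderMonkey's LifoAlloc /
// TempAllocator: names mirror the backtrace frames, the implementation is ours.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

class MockLifoAlloc {
  static constexpr size_t kChunkSize = 256; // constructed: tiny chunks so exhaustion happens fast
  static constexpr size_t kBallast   = 128; // constructed: headroom one pass step may consume

  struct Chunk { std::unique_ptr<uint8_t[]> mem; size_t used; };
  std::vector<Chunk> chunks_;
  bool fallibleScope_  = true;   // true while fresh chunks may be requested
  bool assertionFired_ = false;  // stands in for the MOZ_ASSERT abort in the report

  size_t unused() const { return chunks_.empty() ? 0 : kChunkSize - chunks_.back().used; }

  // Grow the arena. Mirrors getOrCreateChunk(): allowed only in a fallible scope.
  bool getOrCreateChunk() {
    if (!fallibleScope_) {
      assertionFired_ = true; // "[OOM] Cannot allocate a new chunk in an infallible scope."
      return false;
    }
    chunks_.push_back(Chunk{std::make_unique<uint8_t[]>(kChunkSize), 0});
    return true;
  }

public:
  void setInfallible() { fallibleScope_ = false; }
  bool assertionFired() const { return assertionFired_; }

  // Fallible pre-reservation: make sure the current chunk can absorb kBallast
  // more bytes, temporarily re-entering a fallible scope to grow if needed.
  bool ensureBallast() {
    if (unused() >= kBallast) return true;
    bool saved = fallibleScope_;
    fallibleScope_ = true;
    bool ok = getOrCreateChunk();
    fallibleScope_ = saved;
    return ok;
  }

  // Infallible allocation: may only carve from existing chunks while infallible.
  void* allocInfallible(size_t n) {
    assert(n <= kBallast && "ballast must cover the largest infallible request");
    if (unused() < n && !getOrCreateChunk()) return nullptr; // nullptr models the crash
    Chunk& c = chunks_.back();
    void* p = c.mem.get() + c.used;
    c.used += n;
    return p;
  }
};

struct PassResult { size_t allocated; bool assertionFired; };

// Simulate an optimization pass that creates one 120-byte node per step
// (the n=120 in the backtrace). With ballastPerStep=false the pass behaves like
// the unfixed EliminateDeadResumePointOperands named in the commit title;
// with true it re-checks ballast before every allocation, as the fix does.
PassResult simulatePass(size_t steps, bool ballastPerStep) {
  MockLifoAlloc alloc;
  bool ok = alloc.ensureBallast(); // compilation starts with ballast in place
  assert(ok);
  alloc.setInfallible();           // the whole pass runs in an infallible scope

  PassResult r{0, false};
  for (size_t i = 0; i < steps; ++i) {
    if (ballastPerStep && !alloc.ensureBallast()) break; // real code: report OOM, abort compile
    if (alloc.allocInfallible(120) == nullptr) break;    // would have hit the assertion
    ++r.allocated;
  }
  r.assertionFired = alloc.assertionFired();
  return r;
}

int main() {
  PassResult buggy = simulatePass(3, false);
  PassResult fixed = simulatePass(3, true);
  std::printf("without ballast: %zu allocated, assertion=%d\n", buggy.allocated, (int)buggy.assertionFired);
  std::printf("with ballast:    %zu allocated, assertion=%d\n", fixed.allocated, (int)fixed.assertionFired);
  return 0;
}
```

The point the mock makes is that ballast is not a one-time setup: it only covers a bounded amount of allocation, so any loop that creates new MIR nodes has to re-ensure it on every iteration that may allocate, and the fallible ensureBallast call is where a genuine OOM is supposed to be reported instead of becoming an assertion or a crash deep inside the pass.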
AFAICT, this is an old bug. Please request Aurora/Beta approval on this when you get a chance.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(hv1989)
Whiteboard: [jsbugmon:] → [jsbugmon:update,bisect]
Version: 53 Branch → Trunk
IMHO not important to backport and testcase will be fragile.
Flags: needinfo?(hv1989)