Closed Bug 1770904 Opened 3 years ago Closed 2 years ago

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at ds/LifoAlloc.cpp:173

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox103 --- fixed

People

(Reporter: ben+mozilla, Assigned: iain)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Bug 1770904: Ensure ballast in scalar replacement r=nbp
(deleted), text/x-phabricator-request
Details

This assertion happens every time for me on a debug build of Firefox 102.0a1 (2022-05-20) run with ./mach run http://gumtree.com.au/

Assertion failure: fallibleScope_ ([OOM] Cannot allocate a new chunk in an infallible scope.), at ds/LifoAlloc.cpp:173
#01: js::LifoAlloc::newChunkWithCapacity(unsigned long, bool)
#02: js::LifoAlloc::getOrCreateChunk(unsigned long)
#03: js::LifoAlloc::allocImplColdPath(unsigned long)
#04: js::LifoAlloc::allocInfallible(unsigned long)
#05: js::jit::ArgumentsReplacer::visitLoadArgumentsObjectArg(js::jit::MLoadArgumentsObjectArg*)
#06: js::jit::ArgumentsReplacer::run()
#07: js::jit::ScalarReplacement(js::jit::MIRGenerator*, js::jit::MIRGraph&)
#08: js::jit::OptimizeMIR(js::jit::MIRGenerator*)
#09: js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*)
#10: js::jit::IonCompileTask::runTask()
#11: js::jit::IonCompileTask::runHelperThreadTask(js::AutoLockHelperThreadState&)
#12: js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&)
#13: js::GlobalHelperThreadState::runOneTask(js::AutoLockHelperThreadState&)
#14: JS::RunHelperThreadTask()
#15: HelperThreadTaskHandler::Run()
#16: mozilla::TaskController::RunPoolThread()
#17: _pt_root
#18: _pthread_start

Also happens on a debug build of Firefox 91.4.0 ESR. Haven't tried later 91.x.

Also happens with these sites:
http://marktplaats.nl/
http://2ememain.be/
https://www.2dehands.be/

These all share a common JS file duplicated by each site e.g. https://www.gumtree.com.au/c3650cdf-216a-4ba2-80b0-9d6c540b105e58d2670b-ea0f-484e-b88c-0e2c1499ec9bd71e4b42-8570-44e3-89b6-845326fa43b6

I can reproduce the assertion by wrapping this in a <script> element and loading as a local file.

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine: JIT
Product: Firefox → Core

Shell test case:

var N = 100;
var f = Function("return 0" + "+arguments[0]".repeat(N));

for (let i = 0; i < 10000; ++i) {
  assertEq(f(1), N);
}
Status: UNCONFIRMED → NEW
Ever confirmed: true

This assertion only happen in debug builds, and is used to ensure that we are properly checking returned values.
Iain, I presume this should be an easy fix making use of ensureBallast.

Blocks: sm-security, sm-opt-jits
Severity: -- → S4
Priority: -- → P3
Assignee: nobody → iireland
Status: NEW → ASSIGNED
Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/882008647ea4 Ensure ballast in scalar replacement r=nbp

https://hg.mozilla.org/mozilla-central/rev/882008647ea4

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox103: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: