The following testcase crashes on mozilla-central revision 55261bc2e465 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-eager):
for(let i = 0; i < 4; i++) {
oomAtAllocation(11, 11);
evalInWorker("");
}
Backtrace:
#0 js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0x7fab25dfdf48) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-55261bc2e465/objdir-js/dist/include/js/Utility.h:317
#1 0x0000557355d77157 in JS::Zone::getUniqueIdInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:102
#2 JS::Zone::getHashCodeInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:97
#3 0x00005573559e5abd in js::MovableCellHasher<js::TaggedProto>::hash (l=...) at js/src/vm/TaggedProto.h:82
#4 js::InitialShapeEntry::hash (lookup=...) at js/src/vm/Shape.h:1547
/snip
For detailed crash information, see attachment.
Bug 1539019 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
The following testcase crashes on mozilla-central revision 55261bc2e465 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
for(let i = 0; i < 4; i++) {
oomAtAllocation(11, 11);
evalInWorker("");
}
Backtrace:
#0 js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0x7fab25dfdf48) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-55261bc2e465/objdir-js/dist/include/js/Utility.h:317
#1 0x0000557355d77157 in JS::Zone::getUniqueIdInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:102
#2 JS::Zone::getHashCodeInfallible (this=0x7fab26724000, cell=0x29260f208040) at js/src/gc/Zone-inl.h:97
#3 0x00005573559e5abd in js::MovableCellHasher<js::TaggedProto>::hash (l=...) at js/src/vm/TaggedProto.h:82
#4 js::InitialShapeEntry::hash (lookup=...) at js/src/vm/Shape.h:1547
/snip
For detailed crash information, see attachment.