Closed Bug 1282383 Opened 8 years ago Closed 8 years ago

Assertion failure: hasPayload(), at js/src/vm/TraceLogging.h:111

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1282743
Tracking Flags:
Tracking Status
firefox50 --- affected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
33.20 KB, text/plain
Details
OOM_VERBOSE=1 stack from m-c rev c2da34d96746
3.88 KB, text/plain
Details 
The following testcase crashes on mozilla-central revision c2da34d96746 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/tracelogger/bug1266649.js
var du = new Debugger();
du.setupTraceLogger({
    Scripts: true
})
// Adapted from randomly chosen test: js/src/jit-test/tests/profiler/bug1231925.js
oomTest(function() {
    eval("(function() {})()")
});


Backtrace:

0   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010ed567c6 js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) + 5094 (TraceLogging.h:111)
1   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010ee01e66 LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) + 278 (Ion.cpp:515)
2   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010eda326d js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 4413 (Ion.cpp:2273)
3   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010eda1d7a js::jit::CanEnter(JSContext*, js::RunState&) + 394 (Ion.cpp:2524)
4   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010f2d2068 js::RunScript(JSContext*, js::RunState&) + 392 (Interpreter.cpp:375)
5   js-dbg-64-dm-clang-darwin-c2da34d96746	0x000000010f2e3d8d js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 605 (Interpreter.cpp:470)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7a942a270777
user:        Hannes Verschore
date:        Tue Jun 21 13:52:11 2016 +0200
summary:     Bug 1280648 - Tracelogger: Don't cache based on pointers to movable gc things, r=bbouvier

Hannes, is bug 1280648 a likely regressor?
Blocks: 1280648
Flags: needinfo?(hv1989)
The patch in bug 1282743 also solves this.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: