Bug 1180054 (Closed)
Opened 10 years ago, closed 10 years ago
Assertion failure: expectedFrameSize + JitStackAlignment > frameSize (The frame size is optimal), at js/src/jit/JitFrames.cpp:3308
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED (mozilla43)
People: Reporter: decoder, Assigned: efaust
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file (patch, 1.51 KB; jandem: review+)
The following testcase crashes on mozilla-central revision d7c148c84594 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2):
function entryFrame_1(d) {
    assertJitStackInvariants();
}
for (i = 0Xa; i < 40; i++) {
    new entryFrame_1();
}
Backtrace:
Program terminated with signal 11, Segmentation fault.
#0 js::jit::AssertJitStackInvariants (cx=<optimized out>)
at js/src/jit/JitFrames.cpp:3307
To enable execution of this file add
add-auto-load-safe-path /srv/repos/mozilla-central/js/src/opt64/dist/bin/js-gdb.py
line to your configuration file "/home/choller/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/choller/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
#0 js::jit::AssertJitStackInvariants (cx=<optimized out>) at js/src/jit/JitFrames.cpp:3307
#1 0x00000000004a0c39 in TestingFunc_assertJitStackInvariants (cx=<optimized out>, argc=<optimized out>, vp=0x7fff85dac918) at js/src/builtin/TestingFunctions.cpp:1489
#2 0x00007fb7a04fa44d in ?? ()
#3 0x00007fb7a267d120 in ?? ()
#4 0x00007fff85dac8f0 in ?? ()
#5 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fb7a2b49828 140426685487144
rcx 0x7fb7a2876f4d 140426682527565
rdx 0x0 0
rsi 0x7fb7a2b4aa80 140426685491840
rdi 0x7fb7a2b49180 140426685485440
rbp 0x7fff85dac860 140735439095904
rsp 0x7fff85dac850 140735439095888
r8 0x7fb7a3bdd740 140426702870336
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x74694a2f74696a2f 8388317348631243311
r11 0x0 0
r12 0x7fff85dac9a0 140735439096224
r13 0x0 0
r14 0x68 104
r15 0x7fff85dac850 140735439095888
rip 0x764013 <js::jit::AssertJitStackInvariants(JSContext*)+483>
=> 0x764013 <js::jit::AssertJitStackInvariants(JSContext*)+483>: movl $0xcec,0x0
0x76401e <js::jit::AssertJitStackInvariants(JSContext*)+494>: callq 0x449f10 <abort()>
This is probably a shell-only debug function failure.
Reporter
Updated • 10 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1 • 10 years ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150603171146" and the hash "faafd199bf97".
The "bad" changeset has the timestamp "20150603172045" and the hash "d22779079708".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=faafd199bf97&tochange=d22779079708
Assignee
Comment 3 • 10 years ago
Bogus assert. Updated to take new.target into account.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Flags: needinfo?(efaustbmo)
Attachment #8637537 - Flags: review?(jdemooij)
Comment 4 • 10 years ago
Comment on attachment 8637537
Fix
Review of attachment 8637537:
-----------------------------------------------------------------
Yay fuzzers
Attachment #8637537 - Flags: review?(jdemooij) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox43: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43