Closed
Bug 1209943
Opened 9 years ago
Closed 9 years ago
Assertion failure: !hasUncompiledScript(), at js/src/shell/../jsfun.h:422 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1200642
Tracking | Status | |
---|---|---|
firefox44 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision 891ee0d0ba3e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

    this.__proto__ = [];
    function oomTest(f) {
        var i = 1;
        do {
            try {
                oomAtAllocation(i);
                f();
            } catch (e) {
                more = resetOOMFailure();
            }
            i++;
        } while(more);
    }
    loadFile(`
      oomTest(() => getBacktrace({ args: true, locals: true }));
    `);
    function loadFile(lfVarx) {
        var lfGlobal = newGlobal();
        for (lfLocal in this) {
            if (!(lfLocal in lfGlobal)) {
                lfGlobal[lfLocal] = this[lfLocal];
            }
        }
        lfGlobal.offThreadCompileScript(lfVarx);
        lfGlobal.runOffThreadScript();
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x0806a5a8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:422
    #0  0x0806a5a8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:422
    #1  0x080eb1f5 in nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:422
    #2  JSFunction::getOrCreateScript (this=0xf594e1c0, cx=0xf7a7b020) at js/src/shell/../jsfun.h:385
    #3  0x08365467 in js::Invoke (cx=cx@entry=0xf7a7b020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:771
    #4  0x083660ce in js::Invoke (cx=cx@entry=0xf7a7b020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:823
    #5  0x087c867d in MaybeCallMethod (cx=cx@entry=0xf7a7b020, obj=obj@entry=..., id=id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:2892
    #6  0x087d4dcb in JS::OrdinaryToPrimitive (cx=0xf7a7b020, obj=..., hint=JSTYPE_STRING, vp=...) at js/src/jsobj.cpp:2915
    #7  0x087d5145 in js::ToPrimitive (cx=0xf7a7b020, obj=obj@entry=..., hint=hint@entry=JSTYPE_STRING, vp=vp@entry=...) at js/src/jsobj.cpp:2766
    #8  0x0888ec57 in ToPrimitive (vp=..., preferredType=JSTYPE_STRING, cx=0xf7a7b020) at js/src/jsobjinlines.h:612
    #9  js::ToStringSlow<(js::AllowGC)1> (cx=0xf7a7b020, arg=...) at js/src/jsstr.cpp:4258
    #10 0x0878fce4 in js::ToString<(js::AllowGC)1> (cx=<optimized out>, v=...) at js/src/jsstr.h:156
    #11 0x087fcf3e in FormatFrame (showThisProps=<optimized out>, showLocals=<optimized out>, showArgs=<optimized out>, num=<optimized out>, buf=<optimized out>, iter=..., cx=<optimized out>) at js/src/jsfriendapi.cpp:820
    #12 JS::FormatStackDump (cx=cx@entry=0xf7a7b020, buf=<optimized out>, buf@entry=0x0, showArgs=showArgs@entry=true, showLocals=true, showThisProps=false) at js/src/jsfriendapi.cpp:907
    #13 0x0825c7d9 in GetBacktrace (cx=0xf7a7b020, argc=1, vp=0xffff98b0) at js/src/builtin/TestingFunctions.cpp:2058
    #14 0xf7fd51c6 in ?? ()
    #15 0xf7a23d30 in ?? ()
    #16 0xf7fc8c5c in ?? ()
    #17 0x084d6e35 in EnterBaseline (cx=0xf7a23d30, cx@entry=0xf7a7b020, data=...) at js/src/jit/BaselineJIT.cpp:126
    #18 0x084e5145 in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a7b020, state=...) at js/src/jit/BaselineJIT.cpp:157
    #19 0x08364e78 in js::RunScript (cx=cx@entry=0xf7a7b020, state=...) at js/src/vm/Interpreter.cpp:699
    #20 0x08365516 in js::Invoke (cx=cx@entry=0xf7a7b020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
    #21 0x083660ce in js::Invoke (cx=cx@entry=0xf7a7b020, thisv=..., fval=..., argc=0, argv=0xffffa1f0, rval=...) at js/src/vm/Interpreter.cpp:823
    #22 0x0884f082 in js::DirectProxyHandler::call (this=this@entry=0x97d153c <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0xf7a7b020, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
    #23 0x08855685 in js::CrossCompartmentWrapper::call (this=0x97d153c <js::CrossCompartmentWrapper::singleton>, cx=0xf7a7b020, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
    #24 0x08865b5a in js::Proxy::call (cx=cx@entry=0xf7a7b020, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
    #25 0x08865bfa in js::proxy_Call (cx=0xf7a7b020, argc=0, vp=0xffffa1e0) at js/src/proxy/Proxy.cpp:724
    #26 0x083700ea in js::CallJSNative (cx=0xf7a7b020, native=0x8865b80 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
    [...]
    #78 main (argc=5, argv=0xffffce24, envp=0xffffce3c) at js/src/shell/js.cpp:6574
    eax     0x0         0
    ebx     0x9799434   158962740
    ecx     0xf7e3b88c  -136071028
    edx     0x0         0
    esi     0xffff91f0  -28176
    edi     0xf7a7b020  -140005344
    ebp     0xffff9078  4294938744
    esp     0xffff9060  4294938720
    eip     0x806a5a8 <JSFunction::nonLazyScript() const+42>
    => 0x806a5a8 <JSFunction::nonLazyScript() const+42>:  movl $0x1a6,0x0
       0x806a5b2 <JSFunction::nonLazyScript() const+52>:  call 0x80f1370 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "bad" changeset has the timestamp "20150930014108" and the hash "143a6814b1d52d107caf4238ee81e60ec2a40fd9".
The "good" changeset has the timestamp "20150930033608" and the hash "2e82f6299d4a1084418f295c737be821b6074cdb".

Likely fix window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=143a6814b1d52d107caf4238ee81e60ec2a40fd9&tochange=2e82f6299d4a1084418f295c737be821b6074cdb
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f2f8cb92dce4).
Comment 3•9 years ago
No longer reproduces.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE