Closed Bug 1212094 Opened 9 years ago Closed 8 years ago

Crash [@ SetGCCallback] with OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1280588

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:ignore][js-oom2015])

Crash Data

The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks):

if (!(oomAfterAllocations(10)))
    quit();
setGCCallback({
    action: "majorGC",
});


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  SetGCCallback (cx=0xf7177020, argc=1, vp=0xf51b4140) at js/src/builtin/TestingFunctions.cpp:2736
#1  0x0837168a in js::CallJSNative (cx=0xf7177020, native=0x8261420 <SetGCCallback(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x08366cbf in js::Invoke (cx=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:768
#3  0x0835804c in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:3072
#4  0x08366351 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:709
#5  0x08366d96 in js::Invoke (cx=cx@entry=0xf7177020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:786
#6  0x0836794e in js::Invoke (cx=cx@entry=0xf7177020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffb55770, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:823
#7  0x0853bf1f in js::jit::DoCallFallback (cx=0xf7177020, frame=0xffb557a0, stub_=0xf71a3550, argc=1, vp=0xffb55760, res=...) at js/src/jit/BaselineIC.cpp:8905
#8  0xf73d7ffe in ?? ()
#9  0xf71a3550 in ?? ()
#10 0xf73de38a in ?? ()
#11 0xf711e2c8 in ?? ()
#12 0xf73d3c5c in ?? ()
#13 0x084e9785 in EnterBaseline (cx=0xf71a3550, cx@entry=0xf7177020, data=...) at js/src/jit/BaselineJIT.cpp:126
#14 0x08532381 in js::jit::EnterBaselineAtBranch (cx=0xf7177020, fp=0xf51b4028, pc=0xf71399c1 "\343\201C\b\377\377\377Z\231\230&\210\004\235)\210\bʘ5\210\t\230\001\220א\210\004\226\210\004\226\210\004\226\210\004\225\210\bʐ\210\bʐ\210\bϘ\002\234\v\210\003\230\016Ј\026\220Ј\027\220Ј \220Ј\027\220Ј?\220Ј\024\220Ј\030\230\027Ј,\230\031\210\004\314\b\225\210\002Έ\020\230&\210\004͈\020\230((\200") at js/src/jit/BaselineJIT.cpp:229
#15 0x083632c9 in Interpret (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:2120
#16 0x08366351 in js::RunScript (cx=cx@entry=0xf7177020, state=...) at js/src/vm/Interpreter.cpp:709
#17 0x0836c545 in js::ExecuteKernel (cx=cx@entry=0xf7177020, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983
#18 0x0836c8af in js::Execute (cx=cx@entry=0xf7177020, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018
#19 0x087fc62a in ExecuteScript (cx=cx@entry=0xf7177020, scope=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4453
#20 0x087fc766 in JS_ExecuteScript (cx=cx@entry=0xf7177020, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4484
#21 0x0806b620 in RunFile (compileOnly=false, file=0xf71e99e0, filename=0xffb57ae4 "driver.js", cx=0xf7177020) at js/src/shell/js.cpp:468
#22 Process (cx=cx@entry=0xf7177020, filename=0xffb57ae4 "driver.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586
#23 0x080d0231 in ProcessArgs (op=0xffb564d0, cx=0xf7177020) at js/src/shell/js.cpp:5901
#24 Shell (envp=<optimized out>, op=0xffb564d0, cx=0xf7177020) at js/src/shell/js.cpp:6223
#25 main (argc=6, argv=0xffb56624, envp=0xffb56640) at js/src/shell/js.cpp:6579
eax	0x0	0
ebx	0x97a3434	159003700
ecx	0x3	3
edx	0x1	1
esi	0x1	1
edi	0x97e2868	159262824
ebp	0xffb54d78	4290071928
esp	0xffb54cd0	4290071760
eip	0x826194b <SetGCCallback(JSContext*, unsigned int, JS::Value*)+1323>
=> 0x826194b <SetGCCallback(JSContext*, unsigned int, JS::Value*)+1323>:	mov    %esi,(%eax)
   0x826194d <SetGCCallback(JSContext*, unsigned int, JS::Value*)+1325>:	mov    %ecx,0x4(%eax)
Jon, perhaps this has been fixed by bug 1280588?
Flags: needinfo?(jcoppeard)
Yes that looks like the same issue.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.