Closed
Bug 1240803
Opened 9 years ago
Closed 9 years ago
Assertion failure: !Debugger::inFrameMaps(f), at js/src/jit/RematerializedFrame.cpp:109 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
Tracking | Status | |
---|---|---|
firefox46 | --- | fixed |
People
(Reporter: decoder, Assigned: shu)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
3.01 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision a77b73c7723e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-offthread-compile=off):
(function() {
g = newGlobal()
dbg = new Debugger
g.toggle = function(d) {
if (d) {
dbg.addDebuggee(g);
dbg.getNewestFrame();
oomAfterAllocations(2);
setBreakpoint;
}
}
g.eval("" + function f(d) toggle(d))
g.eval("(" + function() {
f(false);
f(true);
} + ")()")
})();
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000790138 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
#0 0x0000000000790138 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
#1 0x0000000000b134e1 in js::jit::JitActivation::clearRematerializedFrames (this=this@entry=0x7fffffff98a0) at js/src/vm/Stack.cpp:1561
#2 0x0000000000b15487 in js::jit::JitActivation::~JitActivation (this=0x7fffffff98a0, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1485
#3 0x00000000006b8852 in EnterIon (data=..., cx=0x7ffff6907800) at js/src/jit/Ion.cpp:2718
#4 js::jit::IonCannon (cx=cx@entry=0x7ffff6907800, state=...) at js/src/jit/Ion.cpp:2816
#5 0x0000000000a4b73b in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:408
#6 0x0000000000a4b97c in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:499
#7 0x0000000000a4d339 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffa248, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#8 0x00000000006017de in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffa288, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffa238, res=...) at js/src/jit/BaselineIC.cpp:6186
#9 0x00007ffff7ff1a1f in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff6922d60 140737330163040
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff9680 140737488328320
rsp 0x7fffffff9660 140737488328288
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff9420 140737488327712
r11 0x7ffff6c27960 140737333328224
r12 0x0 0
r13 0x7ffff69ae8c8 140737330735304
r14 0x7fffffff9780 140737488328576
r15 0x7ffff6907800 140737330051072
rip 0x790138 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+312>
=> 0x790138 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+312>: movl $0x6d,0x0
0x790143 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+323>: callq 0x4a2e10 <abort()>
Comment 1•9 years ago
|
||
JIT + OOM + CCW + Debugger. Fuzzers are mean. Shu, can you take a look?
Flags: needinfo?(shu)
Assignee | ||
Comment 2•9 years ago
|
||
Attachment #8709801 -
Flags: review?(jimb)
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(shu)
Updated•9 years ago
|
Assignee: nobody → shu
Comment 3•9 years ago
|
||
Comment on attachment 8709801 [details] [diff] [review]
Handle OOM in replaceFrameGuts.
Review of attachment 8709801 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/vm/Debugger.cpp
@@ +5419,5 @@
> + }
> +
> + // Rekey missingScopes to maintain Debugger.Environment identity and
> + // forward liveScopes to point to the new frame.
> + // gone.
Looks like the copy-paste of this comment went awry.
Attachment #8709801 -
Flags: review?(jimb) → review+
Assignee | ||
Comment 4•9 years ago
|
||
(In reply to Jim Blandy :jimb from comment #3)
> Comment on attachment 8709801 [details] [diff] [review]
> Handle OOM in replaceFrameGuts.
>
> Review of attachment 8709801 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: js/src/vm/Debugger.cpp
> @@ +5419,5 @@
> > + }
> > +
> > + // Rekey missingScopes to maintain Debugger.Environment identity and
> > + // forward liveScopes to point to the new frame.
> > + // gone.
>
> Looks like the copy-paste of this comment went awry.
Oops, thanks eagle eye!
Comment 6•9 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•