Bug 1245862 - Assertion failure: !Debugger::inFrameMaps(f), at js/src/jit/RematerializedFrame.cpp:109 with OOM

Status: RESOLVED FIXED (Closed)
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla47

| | Tracking | Status |
|---|---|---|
| firefox47 | --- | fixed |

People: Reporter: decoder; Unassigned
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]

Attachments (1 file): attachment 8716122, patch, 2.79 KB, review+ (jandem)
The following testcase crashes on mozilla-central revision f2f8fc172f4c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-eager --ion-check-range-analysis --ion-offthread-compile=off):

    var g = newGlobal();
    var dbg = new Debugger;
    g.h = function h(d) {
      if (d) {
        // Attaching the debugger here forces the Ion frames of f and g,
        // which are already on the stack, to be rematerialized.
        dbg.addDebuggee(g);
        var f = dbg.getNewestFrame().older;
        // oomAfterAllocations(10) arms an allocation failure 10 allocations
        // from now, so the unwind back through the Ion frames happens under OOM.
        f.st_p1((oomAfterAllocations(10)) + "foo = 'string of 42'");
      }
    }
    g.eval("" + function f(d) { g(d); });
    g.eval("" + function g(d) { h(d); });
    g.eval("(" + function () {
      // Warm up so f and g get Ion-compiled before the debugger is attached.
      for (i = 0; i < 5; i++) f(false);
      assertEq(f(true), "string of 42");
    } + ")();");

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x083fdc30 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
    #0  0x083fdc30 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
    #1  0x0878c89b in js::jit::JitActivation::clearRematerializedFrames (this=this@entry=0xffffa3b0) at js/src/vm/Stack.cpp:1533
    #2  0x0878fe22 in js::jit::JitActivation::~JitActivation (this=0xffffa3b0, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1457
    #3  0x082ea26f in EnterIon (data=..., cx=0xf7a7b020) at js/src/jit/Ion.cpp:2802
    #4  js::jit::IonCannon (cx=cx@entry=0xf7a7b020, state=...) at js/src/jit/Ion.cpp:2903
    #5  0x0871b0b0 in js::RunScript (cx=cx@entry=0xf7a7b020, state=...) at js/src/vm/Interpreter.cpp:405
    #6  0x0871b2ce in js::Invoke (cx=0xf7a7b020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:493
    #7  0x0871bc9e in js::Invoke (cx=0xf7a7b020, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xffffa9e8, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:527
    #8  0x082641ce in js::jit::DoCallFallback (cx=0xf7a7b020, frame=0xffffaa28, stub_=0xf7a9c270, argc=1, vp=0xffffa9d8, res=...) at js/src/jit/BaselineIC.cpp:6136
    #9  0xf7fcee2e in ?? ()
    #10 0xf7a9c270 in ?? ()
    #11 0xf7fc8ae3 in ?? ()
    eax 0x0        0
    ebx 0x9857490  159741072
    ecx 0xf7e3b88c -136071028
    edx 0x0        0
    esi 0xf57fec80 -176165760
    edi 0xf7a4a830 -140203984
    ebp 0xffffa1c8 4294943176
    esp 0xffffa1a0 4294943136
    eip 0x83fdc30 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0u, js::TempAllocPolicy>&)+288>
    => 0x83fdc30 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0u, js::TempAllocPolicy>&)+288>: movl $0x6d,0x0
       0x83fdc3a <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0u, js::TempAllocPolicy>&)+298>: call 0x80ff950 <abort()>
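The invariant behind the assertion, as an added illustration that is not SpiderMonkey code and not the attached patch (which is not reproduced on this page): a JIT activation owns a vector of rematerialized frames, the Debugger keeps a side map of the frames it has handed out, and every frame must be out of that map before the activation frees it. The model below injects an allocation failure part-way through rematerializing several frames, the way the shell's oomAfterAllocations does in the testcase, and shows why a naive "return on failure" path leaves stale map entries once more than one frame is involved, while an error path that unregisters what it already registered tears down cleanly. The names OomInjector, DebuggerFrameMap, rematerializeNaive, rematerializeSafe and teardownClean are hypothetical stand-ins, not engine APIs.

```cpp
#include <cstddef>
#include <set>
#include <vector>

// Stand-in for js::jit::RematerializedFrame (hypothetical model, not engine code).
struct Frame {
    int depth;
};

// Allocation-failure countdown modelled on the shell's oomAfterAllocations(n):
// the first n requests succeed, every request after that fails (-1 = never fail).
class OomInjector {
public:
    explicit OomInjector(int allowed) : remaining_(allowed) {}
    bool shouldFail() {
        if (remaining_ < 0) return false;
        if (remaining_ == 0) return true;
        --remaining_;
        return false;
    }
private:
    int remaining_;
};

// Side table standing in for the Debugger's frame maps: frames the debugger has
// exposed as Debugger.Frame objects and still believes are alive.
struct DebuggerFrameMap {
    std::set<const Frame*> live;
    bool inFrameMaps(const Frame* f) const { return live.count(f) != 0; }
};

// Counterpart of RematerializedFrame::FreeInVector: frees every frame and reports
// whether any was still referenced by the debugger map, which is the condition the
// real assertion !Debugger::inFrameMaps(f) rejects (a freed frame the debugger
// still points at would be a dangling reference).
bool freeInVector(std::vector<Frame*>& frames, const DebuggerFrameMap& map) {
    bool clean = true;
    for (Frame* f : frames) {
        if (map.inFrameMaps(f)) clean = false;
        delete f;
    }
    frames.clear();
    return clean;
}

// Buggy pattern: frames are created and registered one at a time; an OOM on
// frame k returns early and leaves frames 0..k-1 registered.
bool rematerializeNaive(std::size_t n, OomInjector& oom,
                        std::vector<Frame*>& out, DebuggerFrameMap& map) {
    for (std::size_t i = 0; i < n; ++i) {
        if (oom.shouldFail()) return false;
        Frame* f = new Frame{static_cast<int>(i)};
        out.push_back(f);
        map.live.insert(f);
    }
    return true;
}

// Fixed pattern: on failure, unregister every frame this call registered before
// reporting the error, so teardown finds no stale map entries.
bool rematerializeSafe(std::size_t n, OomInjector& oom,
                       std::vector<Frame*>& out, DebuggerFrameMap& map) {
    const std::size_t first = out.size();
    for (std::size_t i = 0; i < n; ++i) {
        if (oom.shouldFail()) {
            for (std::size_t j = first; j < out.size(); ++j) map.live.erase(out[j]);
            return false;
        }
        Frame* f = new Frame{static_cast<int>(i)};
        out.push_back(f);
        map.live.insert(f);
    }
    return true;
}

// One scenario end to end: rematerialize n frames with OOM injected after
// `allowedAllocs` of them, let the normal frame-pop path run only if
// rematerialization succeeded, then tear the activation down. Returns true iff
// teardown found no frame still in the debugger map.
bool teardownClean(bool useSafePath, std::size_t n, int allowedAllocs) {
    OomInjector oom(allowedAllocs);
    std::vector<Frame*> frames;
    DebuggerFrameMap map;
    const bool ok = useSafePath ? rematerializeSafe(n, oom, frames, map)
                                : rematerializeNaive(n, oom, frames, map);
    if (ok) {
        // Normal completion: the debugger is told about each frame pop and forgets
        // it. On the naive path this is the only place frames ever get unregistered.
        for (Frame* f : frames) map.live.erase(f);
    }
    return freeInVector(frames, map);
}
```

With no OOM, or with OOM before the first frame is created, both paths tear down cleanly; the naive path only fails when at least one frame was registered before the failure, which is why the fix in this bug is scoped to bailouts with more than one rematerialized frame.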
Updated • 8 years ago
Flags: needinfo?(shu)

Updated • 8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 8 years ago

JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of:

changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 166.799 seconds to run.
Comment 2 • 8 years ago

Attachment #8716122 - Flags: review?(jdemooij)
Comment 3 • 8 years ago

Fuzzers having a field day with these new OOM testing functions.
Flags: needinfo?(shu)
Comment 4 • 8 years ago

Comment on attachment 8716122 [details] [diff] [review]
Handle OOM when bailing Ion->Baseline with >1 rematerialized frames.

Review of attachment 8716122 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.

Attachment #8716122 - Flags: review?(jdemooij) → review+
Comment 7 • 8 years ago

bugherder:
https://hg.mozilla.org/mozilla-central/rev/7498837e2150
https://hg.mozilla.org/mozilla-central/rev/1a7d89d6f69c
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47