Bug 1254578: Assertion failure: isRematerializedFrame(), at js/src/vm/Stack.h:184 with Debugger and OOM
Status: Closed, RESOLVED FIXED (mozilla48)
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments: 1 file (patch, 2.36 KB; jandem: review+)
The following testcase crashes on mozilla-central revision 20d8879ac256 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --ion-eager min.js):

    var g = newGlobal();
    g.debuggeeGlobal = this;
    g.eval("(" + function() {
      dbg = new Debugger(debuggeeGlobal);
      dbg.onExceptionUnwind = function(frame, exc) {
        var s = '!';
        for (var f = frame; f; f = f.older)
          debuggeeGlobal.log += s;
      };
    } + ")();");
    var dbg = new Debugger;
    dbg.onNewGlobalObject = function(global) {
      get.seen = true;
    };
    oomTest(function() {
      newGlobal({ })
    });

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x0807a3ec in js::AbstractFramePtr::asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack.h:184
    #0  0x0807a3ec in js::AbstractFramePtr::asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack.h:184
    #1  0x0824cecb in asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack-inl.h:661
    #2  js::AbstractFramePtr::script (this=0xffffc22c) at js/src/vm/Stack-inl.h:664
    #3  0x08665164 in js::Debugger::FrameRange::FrameRange (this=this@entry=0xffffc254, frame=..., global=0x0) at js/src/vm/Debugger.cpp:192
    #4  0x08665ee1 in js::Debugger::inFrameMaps (frame=...) at js/src/vm/Debugger.cpp:5708
    #5  0x0841a148 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
    #6  0x087b815b in js::jit::JitActivation::clearRematerializedFrames (this=this@entry=0xffffc490) at js/src/vm/Stack.cpp:1533
    #7  0x087bb6d2 in js::jit::JitActivation::~JitActivation (this=0xffffc490, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1457
    #8  0x08302f8f in EnterIon (data=..., cx=0xf7a73020) at js/src/jit/Ion.cpp:2786
    #9  js::jit::IonCannon (cx=cx@entry=0xf7a73020, state=...) at js/src/jit/Ion.cpp:2887
    #10 0x08745ccf in js::RunScript (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:408
    #11 0x08745ede in js::Invoke (cx=0xf7a73020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
    #12 0x087468ae in js::Invoke (cx=cx@entry=0xf7a73020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:530
    #13 0x08536f28 in JS_CallFunction (cx=cx@entry=0xf7a73020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2858
    #14 0x086ccfda in OOMTest (cx=0xf7a73020, argc=1, vp=0xffffca80) at js/src/builtin/TestingFunctions.cpp:1294
    #15 0x0874c60a in js::CallJSNative (cx=0xf7a73020, native=0x86cccd0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
    [...]
    #33 main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:7252
    eax  0x0         0
    ebx  0x9890550   159974736
    ecx  0xf7e4488c  -136034164
    edx  0x0         0
    esi  0xffffc254  -15788
    edi  0xffffc22c  -15828
    ebp  0xffffc1f8  4294951416
    esp  0xffffc1e0  4294951392
    eip  0x807a3ec <js::AbstractFramePtr::asRematerializedFrame() const+42>
    => 0x807a3ec <js::AbstractFramePtr::asRematerializedFrame() const+42>: movl $0xb8,0x0
       0x807a3f6 <js::AbstractFramePtr::asRematerializedFrame() const+52>: call 0x8102c30 <abort()>
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/932fcd51eace
user: Boris Zbarsky
date: Wed Dec 02 13:52:59 2015 -0500
summary: Bug 1229664. Drop the concept of inner exceptions from Exception/DOMException. r=bholley

This iteration took 401.348 seconds to run.
Boris, is bug 1229664 a likely regressor? (The testcase seems to involve exception stuff e.g. onExceptionUnwind)
Blocks: 1229664
Flags: needinfo?(bzbarsky)
Comment 3•8 years ago
Are you running the browser, or the JS shell? Comment 0 doesn't say clearly. If it's the shell, then that bug is not a likely regressor, because the only files it changed are outside spidermonkey. As in, the objects it touched don't exist in the shell at all.
Flags: needinfo?(bzbarsky)
Comment 5•8 years ago
Attachment #8732412 - Flags: review?(jdemooij)
Updated•8 years ago
Flags: needinfo?(shu)
Comment 6•8 years ago
Comment on attachment 8732412: Fix OOM case when rematerializing frames.
Review of attachment 8732412:
Looks good.
Attachment #8732412 - Flags: review?(jdemooij) → review+
Comment 8•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6c3d92cbde28
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Comment 9•8 years ago
OOM in the Debugger. Very hard to hit, in practice. WONTFIX 47.