Closed
Bug 1263874
Opened 8 years ago
Closed 8 years ago
Assertion failure: !cx->asJSContext()->isExceptionPending(), at js/src/frontend/BytecodeCompiler.cpp:565 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1263871
Tracking | Status | |
---|---|---|
firefox48 | --- | affected |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update,ignore])
Attachments
(1 file, 1 obsolete file)
6.10 KB,
text/plain
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager):

```
lfLogBuffer = `b["cd e"] = { "h i"() {} }`;
loadFile("")
loadFile(lfLogBuffer)
function loadFile(lfVarx) oomTest(function() { eval(lfVarx) })
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000c13fcd in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff9b00, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:565
#0  0x0000000000c13fcd in BytecodeCompiler::compileScript (this=this@entry=0x7fffffff9b00, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:565
#1  0x0000000000c14133 in js::frontend::CompileScript (cx=cx@entry=0x7ffff6908800, alloc=<optimized out>, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x7ffff7e899b8, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:742
#2  0x00000000008468bc in EvalKernel (cx=cx@entry=0x7ffff6908800, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=scopeobj@entry=..., pc=<optimized out>) at js/src/builtin/Eval.cpp:319
#3  0x0000000000846d83 in js::DirectEval (cx=cx@entry=0x7ffff6908800, args=...) at js/src/builtin/Eval.cpp:439
#4  0x0000000000617535 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffb748, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb6f8, res=...) at js/src/jit/BaselineIC.cpp:6100
#5  0x00007ffff7ff1a1f in ?? ()
[...]
#37 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffff9730	140737488328496
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff9ae0	140737488329440
rsp	0x7fffffff9640	140737488328256
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff9400	140737488327680
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffff96b0	140737488328368
r13	0x7ffff698b2c8	140737330590408
r14	0x7fffffff9b00	140737488329472
r15	0x7fffffffa168	140737488331112
rip	0xc13fcd <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2157>
=> 0xc13fcd <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2157>:	movl   $0x235,0x0
   0xc13fd8 <BytecodeCompiler::compileScript(JS::Handle<JSObject*>, JS::Handle<JSScript*>)+2168>:	callq  0x4ab6f0 <abort()>
```

Might be related to bug 1263871 but the stack differed, so filing separately.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
Comment 1•8 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision afd82f887093).

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/9c365490d4ce
user: Jon Coppeard
date: Tue Oct 13 13:37:07 2015 +0100
summary: Bug 1212469 - Make oomTest() into a shell function r=nbp

This iteration took 274.969 seconds to run.
JIT assembler stuff is on the OOM_VERBOSE=1 stack, setting needinfo? from Jan/Hannes as a start.
Flags: needinfo?(jdemooij)
Flags: needinfo?(hv1989)
Comment 4•8 years ago
Looks like a NameResolver OOM issue -> duplicate of bug 1263871.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Flags: needinfo?(hv1989)
Resolution: --- → DUPLICATE
Comment 5•8 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> JIT assembler stuff is on the OOM_VERBOSE=1 stack, setting needinfo? from
> Jan/Hannes as a start.

I didn't get this stack locally - I got one with NameResolver frames on the stack.
Not sure why this is the case. I double checked with m-c rev ae7413abfa4d and still didn't get any involving NameResolver on the stack.
Jan, you're right. It turns out that the OOM allocations are failing on a separate thread, so I have to continue through js_failedAllocBreakpoint till I hit the correct allocation failure on the correct thread.
Attachment #8742597 -
Attachment is obsolete: true