Closed
Bug 1299103
Opened 9 years ago
Closed 9 years ago
Assertion failure: cx_->runtime()->profilingActivation_ == this, at js/src/vm/Stack.cpp:1685 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1293311
| | Tracking | Status |
|---|---|---|
| firefox51 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision 4f72b1d05267 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):
```js
lfLogBuffer = `function eval(source) {}`.split();
lfCodeBuffer = ""
while (true) {
    line = lfLogBuffer.shift()
    if (line == null) {
        loadFile(lfCodeBuffer)
        lfCodeBuffer = ""
    }
    lfCodeBuffer += line + "\n"
}
function loadFile(lfVarx) {
    oomTest(function() {
        eval(lfVarx)
    })
}
```
Backtrace:
```
received signal SIGSEGV, Segmentation fault.
0x0875a2e6 in js::Activation::unregisterProfiling (this=0xffffc118) at js/src/vm/Stack.cpp:1685
#0 0x0875a2e6 in js::Activation::unregisterProfiling (this=0xffffc118) at js/src/vm/Stack.cpp:1685
#1 0x08777c89 in js::jit::JitActivation::~JitActivation (this=0xffffc118, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1406
#2 0x081f889e in EnterBaseline (cx=cx@entry=0xf7953000, data=...) at js/src/jit/BaselineJIT.cpp:146
#3 0x082261c4 in js::jit::EnterBaselineAtBranch (cx=0xf7953000, fp=0xf1233018, pc=0xf1234771 "\343\201C\b\377\377\377\225晝\f\210\t\230\001ш\016ɐ\321(p\235\004\210\004\231\003\220\210\004ш\aɐ\017\226\210\bӐ\210\bј\t\210\004ܘ\003\210\aɘ\f\230\020\210\001") at js/src/jit/BaselineJIT.cpp:263
#4 0x086fbf9d in Interpret (cx=0xf7953000, state=...) at js/src/vm/Interpreter.cpp:1911
[...]
#14 main (argc=4, argv=0xffffcde4, envp=0xffffcdf8) at js/src/shell/js.cpp:7623
eax 0x0 0
ebx 0xffffc118 -16104
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0x8c33ff4 147013620
edi 0xffffc2c0 -15680
ebp 0xffffc068 4294951016
esp 0xffffc060 4294951008
eip 0x875a2e6 <js::Activation::unregisterProfiling()+182>
=> 0x875a2e6 <js::Activation::unregisterProfiling()+182>: movl $0x0,0x0
0x875a2f0 <js::Activation::unregisterProfiling()+192>: ud2
```
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, failed due to error (try manually).
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b7f7ae14590a).
Updated•9 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)
changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn)
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d128c9990a76
parent: 311975:3d9cabea1e56
user: Jan de Mooij
date: Wed Aug 31 10:58:15 2016 +0200
summary: Bug 1298878 - Don't store the actual builtin constructor properties on the global in reserved slots. r=Waldo
Jan, is bug 1263355 a likely regressor and bug 1298878 a likely fix?
Flags: needinfo?(jdemooij)
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 4•9 years ago
This is bug 1293311.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security-release
Setting core-security-release because bug 1293311 is marked as such.
Updated•6 years ago
Group: core-security-release