Closed Bug 606662 Opened 14 years ago Closed 14 years ago

Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: dmandelin)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(2 files)

opt crash testcase
138 bytes, text/plain
Details
Patch
671 bytes, patch
dvander
: review+
Details | Diff | Splinter Review 
new(function() {
    #1#
})

asserts js debug shell on TM changeset ee1746020149 with -m at Assertion failure: unsigned(sp - entries) < nargs + script->nslots,
blocking2.0: betaN+ → ?
Due to skipped revisions, the first bad revision could be any of:

changeset:   55675:e000b5963fde
user:        David Anderson
date:        Fri Oct 15 11:36:56 2010 -0700
summary:     Remove JSOP_BEGIN and fix tracer integration issues (bug 603044, r=luke+dmandelin).

changeset:   55676:ae031ec5ad63
user:        David Anderson
date:        Mon Oct 18 20:30:36 2010 -0700
summary:     Build bustage fix.

So likely to be bug 603044.
Blocks: 603044
A bogus assertion. Fixable per script->hasSharps() usage in js::Execute.

/be
Attached file opt crash testcase 
I could make another testcase (that asserts similarly in a debug shell) crash in an opt shell, but it has to lie in a subdirectory for some reason.

===

(gdb) r
Starting program: /Users/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-56418-1c573c884629/js-opt-32-tm-darwin -m test/w36966-cj.js
Reading symbols for shared libraries .+++...................................................................................... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000001
0x001eec6e in js::mjit::JITScript::release ()
(gdb) bt
#0  0x001eec6e in js::mjit::JITScript::release ()
#1  0x001eefd7 in js::mjit::ReleaseScriptCode ()
(gdb) x/i $eip
0x1eec6e <_ZN2js4mjit9JITScript7releaseEv+14>:  mov    (%edi),%eax
(gdb) x/b $edi
0x1:    Cannot access memory at address 0x1
(gdb) x/b $eax
0x413580:       0x02
(gdb)
Keywords: crash
Summary: "Assertion failure: unsigned(sp - entries) < nargs + script->nslots," → Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"
blocking2.0: ? → betaN+
Assignee: general → dmandelin
Attached patch PatchSplinter Review 

        Attachment #488096 -
        Flags: review?(dvander)

        Attachment #488096 -
        Flags: review?(dvander) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/258744efa972
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/258744efa972
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::JITScript::release]

    
    

    
  
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug606662-2.js.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: