Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"

RESOLVED FIXED


Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: gkw, Assigned: dmandelin)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, crash, regression, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 betaN+)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
new(function() {
    #1#
})

asserts js debug shell on TM changeset ee1746020149 with -m at Assertion failure: unsigned(sp - entries) < nargs + script->nslots,
(Reporter)

Updated

7 years ago
blocking2.0: betaN+ → ?
(Reporter)

Comment 1

7 years ago
Due to skipped revisions, the first bad revision could be any of:

changeset:   55675:e000b5963fde
user:        David Anderson
date:        Fri Oct 15 11:36:56 2010 -0700
summary:     Remove JSOP_BEGIN and fix tracer integration issues (bug 603044, r=luke+dmandelin).

changeset:   55676:ae031ec5ad63
user:        David Anderson
date:        Mon Oct 18 20:30:36 2010 -0700
summary:     Build bustage fix.

So likely to be bug 603044.
Blocks: 603044
Comment 2

A bogus assertion. Fixable per script->hasSharps() usage in js::Execute.

/be
(Reporter)

Comment 3

7 years ago
Created attachment 486350 [details]
opt crash testcase

I could make another testcase (that asserts similarly in a debug shell) crash in an opt shell, but it has to lie in a subdirectory for some reason.

===

(gdb) r
Starting program: /Users/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-56418-1c573c884629/js-opt-32-tm-darwin -m test/w36966-cj.js
Reading symbols for shared libraries .+++...................................................................................... done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000001
0x001eec6e in js::mjit::JITScript::release ()
(gdb) bt
#0  0x001eec6e in js::mjit::JITScript::release ()
#1  0x001eefd7 in js::mjit::ReleaseScriptCode ()
(gdb) x/i $eip
0x1eec6e <_ZN2js4mjit9JITScript7releaseEv+14>:  mov    (%edi),%eax
(gdb) x/b $edi
0x1:    Cannot access memory at address 0x1
(gdb) x/b $eax
0x413580:       0x02
(gdb)
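The triage in comment 3 rests on one observation: the fault address (0x1) equals the base register of the faulting load (`mov (%edi),%eax`), so the object pointer itself is bogus rather than a field offset from a live object. The Python below, an added example that is not part of this bug or of any SpiderMonkey tooling, automates that check over a constructed copy of the gdb transcript above. The 4 KiB unmapped-low-page threshold, the read/write heuristic and every function name are the example's own assumptions.

```python
import re

# Assumption for this example: the lowest 4 KiB page is unmapped, so any fault
# address below it means a null, small-integer or tagged value was used as a pointer.
PAGE_SIZE = 0x1000

# Constructed sample: the relevant lines of the gdb transcript from comment 3.
SAMPLE_GDB_SESSION = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000001
0x001eec6e in js::mjit::JITScript::release ()
(gdb) bt
#0  0x001eec6e in js::mjit::JITScript::release ()
#1  0x001eefd7 in js::mjit::ReleaseScriptCode ()
(gdb) x/i $eip
0x1eec6e <_ZN2js4mjit9JITScript7releaseEv+14>:  mov    (%edi),%eax
(gdb) x/b $edi
0x1:    Cannot access memory at address 0x1
(gdb) x/b $eax
0x413580:       0x02
"""


def split_operands(operands):
    """Split an AT&T operand list on commas that are not inside parentheses."""
    return [o.strip() for o in re.split(r",(?![^(]*\))", operands)]


def parse_session(text):
    """Extract signal, fault address, top frame, faulting instruction and dumped registers."""
    sig = re.search(r"Program received signal (\S+),", text)
    reason = re.search(r"Reason: (\S+) at address: (0x[0-9a-fA-F]+)", text)
    frames = re.findall(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (\S+)", text, re.M)
    insn = re.search(r"<([^>]+)>:\s+(\w+)\s+(.*)$", text, re.M)
    # "x/b $reg" echoes the register value as the address label of the dumped byte.
    regs = {r: int(v, 16) for r, v in re.findall(r"\(gdb\) x/b \$(\w+)\n(0x[0-9a-fA-F]+):", text)}
    if not (sig and reason and frames and insn):
        raise ValueError("incomplete gdb transcript")
    return {
        "signal": sig.group(1),
        "reason": reason.group(1),
        "fault_addr": int(reason.group(2), 16),
        "top_frame": frames[0][1],
        "symbol": insn.group(1),
        "mnemonic": insn.group(2),
        "operands": insn.group(3).strip(),
        "regs": regs,
    }


def triage(text):
    """Decide whether the bad pointer is the base register itself or an offset from a plausible base."""
    info = parse_session(text)
    ops = split_operands(info["operands"])
    mem = [(i, o) for i, o in enumerate(ops) if "(" in o]
    if not mem:
        info["verdict"] = "no memory operand in faulting instruction; inspect manually"
        return info
    idx, operand = mem[0]
    # Heuristic: in AT&T syntax the last operand is the destination, so a memory
    # operand in that position is a write; anywhere else it is a read.
    info["access"] = "write" if idx == len(ops) - 1 else "read"
    m = re.match(r"^(-?(?:0x[0-9a-fA-F]+|\d+))?\((%\w+)", operand)
    disp = int(m.group(1), 0) if m.group(1) else 0
    base = m.group(2).lstrip("%")
    info["base_reg"] = base
    info["displacement"] = disp
    base_val = info["regs"].get(base)
    if base_val is None:
        info["verdict"] = "value of %s not captured; dump it with x/b $%s" % (base, base)
    elif base_val + disp != info["fault_addr"]:
        info["verdict"] = "fault address is not base+disp; index register or stale register dump"
    elif base_val < PAGE_SIZE:
        info["verdict"] = "bogus base pointer %#x: the object pointer itself is invalid, not a field offset" % base_val
    else:
        info["verdict"] = "plausible base pointer; suspect a bad offset or freed/unmapped memory"
    return info


if __name__ == "__main__":
    for k, v in triage(SAMPLE_GDB_SESSION).items():
        print("%-13s %s" % (k, v))
```

Run against the transcript above it reports a read through `edi` with displacement 0 and a bogus base pointer of 0x1, which is the same conclusion the reporter reached by hand: whatever handed `JITScript::release` its `this` pointer passed a non-pointer value, so the fix belongs upstream of the crashing frame rather than in it.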
(Reporter)

Updated

7 years ago
Keywords: crash
Summary: "Assertion failure: unsigned(sp - entries) < nargs + script->nslots," → Crash [@ js::mjit::JITScript::release] or "Assertion failure: unsigned(sp - entries) < nargs + script->nslots,"

Updated

7 years ago
blocking2.0: ? → betaN+
(Assignee)

Updated

7 years ago
Assignee: general → dmandelin
(Assignee)

Comment 4

7 years ago
Created attachment 488096 [details] [diff] [review]
Patch
Attachment #488096 - Flags: review?(dvander)
Attachment #488096 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

7 years ago
http://hg.mozilla.org/tracemonkey/rev/258744efa972
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey

Comment 6

7 years ago
http://hg.mozilla.org/mozilla-central/rev/258744efa972
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::mjit::JITScript::release]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug606662-2.js.
Flags: in-testsuite+