Closed Bug 626492 Opened 15 years ago Closed 15 years ago

Assertion failure after OOM: jspropertytree.cpp:241

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: paul.biggar, Unassigned)

References

Details

Using bug 624094, assertion failure after OOM:

Running ../jit-test/tests/arguments/args-createontrace.js, 117/211
  shell/js -A 117 -m -j -p -e "const platform='darwin'; const libdir='../jit-test/lib/';" -f ../jit-test/lib/prolog.js -f ../jit-test/tests/arguments/args-createontrace.js

Found problem('', 'out of memory\nAssertion failure: JSID_BITS(id) == JSID_TYPE_VOID, at ../jsapi.h:452\n', -11)
This one is too difficult for me I think, at least for now. Here's some more detailed information anyway:

An allocation failure at allocation 156/260 in ../jit-test/tests/arguments/args-createontrace.js causes problems (detected using bug 624094).

Command (from obj directory, using patch from bug 624094):
  shell/js -A 156 -m -j -p -e "const platform='darwin'; const libdir='../jit-test/lib/';" -f ../jit-test/lib/prolog.js -f ../jit-test/tests/arguments/args-createontrace.js

stdout, stderr, exitcode:
  ('', 'out of memory\nAssertion failure: JSID_BITS(id) == JSID_TYPE_VOID, at ../jsapi.h:452\n', -11)

Diagnosis:
- segfault after OOM warning

Stack trace (from valgrind):

The site of the failed allocation is:
  at: VALGRIND_PRINTF_BACKTRACE (valgrind.h:4477)
  by: js_calloc (jsutil.h:237)
  by: js::KidsChunk::create(JSContext*) (jspropertytree.cpp:121)
  by: js::PropertyTree::insertChild(JSContext*, js::Shape*, js::Shape*) (jspropertytree.cpp:175)
  by: js::PropertyTree::getChild(JSContext*, js::Shape*, js::Shape const&) (jspropertytree.cpp:435)
  by: js::Shape::getChild(JSContext*, js::Shape const&, js::Shape**) (jsscope.cpp:517)
  by: js::Bindings::add(JSContext*, JSAtom*, js::BindingKind) (jsscript.cpp:158)
  by: js::Bindings::addArgument(JSContext*, JSAtom*, unsigned short*) (jsscript.h:247)
  by: js::Parser::functionArguments(JSTreeContext&, JSFunctionBox*, JSParseNode**) (jsparse.cpp:2959)
  by: js::Parser::functionDef(JSAtom*, js::Parser::FunctionType, unsigned int) (jsparse.cpp:3122)
  by: js::Parser::functionStmt() (jsparse.cpp:3351)
  by: js::Parser::statement() (jsparse.cpp:5930)

Invalid read of size x
  at: js::PropertyTree::removeChild(JSContext*, js::Shape*) (jspropertytree.cpp:241)
  by: js::PropertyTree::sweepShapes(JSContext*) (jspropertytree.cpp:774)
  by: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2478)
  by: GCUntilDone(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2728)
  by: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2799)
  by: js_DestroyContext(JSContext*, JSDestroyContextMode) (jscntxt.cpp:1075)
  by: JS_DestroyContext (jsapi.cpp:989)
  by: DestroyContext(JSContext*, bool) (js.cpp:5335)
  by: main (js.cpp:5568)
Address 0x is bytes inside a block of size free'd
  at: free (vg_replace_malloc.c:366)
  by: js_free (jsutil.h:247)
  by: js::PropertyTree::sweepShapes(JSContext*) (jspropertytree.cpp:793)
  by: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2478)
  by: GCUntilDone(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2728)
  by: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2799)
  by: js_DestroyContext(JSContext*, JSDestroyContextMode) (jscntxt.cpp:1075)
  by: JS_DestroyContext (jsapi.cpp:989)
  by: DestroyContext(JSContext*, bool) (js.cpp:5335)
  by: main (js.cpp:5568)

Invalid write of size x
  at: JS_Assert (jsutil.cpp:87)
  by: JSID_IS_VOID (jsapi.h:451)
  by: js::PropertyTree::removeChild(JSContext*, js::Shape*) (jspropertytree.cpp:241)
  by: js::PropertyTree::sweepShapes(JSContext*) (jspropertytree.cpp:774)
  by: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2478)
  by: GCUntilDone(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2728)
  by: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2799)
  by: js_DestroyContext(JSContext*, JSDestroyContextMode) (jscntxt.cpp:1075)
  by: JS_DestroyContext (jsapi.cpp:989)
  by: DestroyContext(JSContext*, bool) (js.cpp:5335)
  by: main (js.cpp:5568)
Address 0x is not stack'd, malloc'd or (recently) free'd
Potentially me, I see Bindings in the stack. Will investigate soon.
Assignee: general → jwalden+bmo
This is a bug in the property tree. In insertChild, we do child->setParent(parent) and then OOM. Then later, we get messed up because the child doesn't really belong to the parent. I'll fold a fix into the patch for bug 609104, which rejiggers all this code anyway.
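The comment above describes a general failure pattern: a child is linked to its parent before a fallible allocation, so when the allocation fails the child still claims a parent that does not list it, and the sweeper later follows that stale link. The C++ below is an added illustration of that ordering problem and its fix; it is not SpiderMonkey's code, and the names (Shape, Kids, insertChildBuggy, insertChildFixed, treeConsistent, FailingAllocator) are a deliberately simplified model of the property tree in the report, with the allocator failing on a chosen call the way the -A N harness does.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical, simplified model of the property tree described in the bug:
// a Shape points at its parent, and a parent keeps a separately allocated
// kids list. This is illustrative code, not SpiderMonkey's.
struct Shape;

struct Kids {
    std::vector<Shape*> entries;
};

struct Shape {
    Shape* parent = nullptr;
    Kids* kids = nullptr;   // allocated lazily on the first child insert
};

// Simulated fallible allocator: returns nullptr ("out of memory") on the
// N-th call, mimicking the allocation-failure harness used in the report.
struct FailingAllocator {
    int callsUntilFailure;
    Kids* allocKids() {
        if (callsUntilFailure-- == 0) return nullptr;
        return new Kids();
    }
};

// Buggy ordering (the pattern the comment describes): link the child to its
// parent first, then perform the allocation that can fail.
bool insertChildBuggy(FailingAllocator& alloc, Shape* parent, Shape* child) {
    child->parent = parent;                 // mutation before the fallible step
    if (!parent->kids) {
        parent->kids = alloc.allocKids();
        if (!parent->kids)
            return false;                   // OOM: child->parent now dangles
    }
    parent->kids->entries.push_back(child);
    return true;
}

// Fixed ordering: do every step that can fail first, commit state last, so
// a failed insert leaves the tree exactly as it was.
bool insertChildFixed(FailingAllocator& alloc, Shape* parent, Shape* child) {
    if (!parent->kids) {
        Kids* k = alloc.allocKids();
        if (!k)
            return false;                   // nothing has been mutated
        parent->kids = k;
    }
    parent->kids->entries.push_back(child);
    child->parent = parent;                 // commit only after success
    return true;
}

// Invariant a sweeper relies on: if a shape claims a parent, that parent's
// kids list must contain it. The removeChild crash in the report is what
// happens when this does not hold.
bool treeConsistent(const std::vector<Shape*>& shapes) {
    for (Shape* s : shapes) {
        if (!s->parent) continue;
        Kids* k = s->parent->kids;
        if (!k) return false;
        bool found = false;
        for (Shape* c : k->entries) if (c == s) found = true;
        if (!found) return false;
    }
    return true;
}

// Insert one child under a fresh parent with an allocator that fails on the
// given call; report whether the tree is still consistent afterwards.
bool consistentAfterInsert(bool useFixed, int failOnCall) {
    FailingAllocator alloc{failOnCall};
    Shape parent, child;
    bool inserted = useFixed ? insertChildFixed(alloc, &parent, &child)
                             : insertChildBuggy(alloc, &parent, &child);
    std::vector<Shape*> shapes{&parent, &child};
    bool consistent = treeConsistent(shapes);
    std::printf("%s: insert %s, tree %s\n", useFixed ? "fixed" : "buggy",
                inserted ? "ok" : "OOM", consistent ? "consistent" : "CORRUPT");
    delete parent.kids;                     // nullptr when allocation failed
    return consistent;
}

int main() {
    consistentAfterInsert(false, 0);   // buggy, OOM on first alloc: CORRUPT
    consistentAfterInsert(true, 0);    // fixed, OOM on first alloc: consistent
    consistentAfterInsert(false, 99);  // no OOM: both orderings are fine
    return 0;
}
```

The point of the model is that the return value of the insert is the same in both orderings (false on OOM); what differs is the state left behind, which only shows up later, in a sweep or destructor that trusts the parent link.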
This no longer appears in my logs, so I assume bug 609104 fixed it.
Status: NEW → RESOLVED
Closed: 15 years ago
Component: JavaScript Engine → jemalloc
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b10
Don't remember changing this stuff.
Assignee: jwalden+bmo → general
Component: jemalloc → JavaScript Engine
Target Milestone: mozilla2.0b10 → ---