Closed
Bug 626610
Opened 14 years ago
Closed 14 years ago
Crash [@ js::Oracle::Oracle]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr][hardblocker])
Crash Data
Attachments
(1 file)
60.49 KB,
text/plain
|
Details |
Attached testcase (not fully reduced as it's very fragile) crashes js opt shell at js::Oracle::Oracle, but merely shows the malloc error (shown below) on js debug shell, without -m or -j. Related to bug 624645 or bug 624878? It showed the same symptoms as bug 624645 before bug 624878 landed. Tested on: http://hg.mozilla.org/tracemonkey/rev/4046ef71ddc2 __defineSetter__("window", Object.defineProperties) for (a = 0; a < 2 && window ? 3951632192 : Math; ++a) { evalcx('') } is another testcase that does not crash but shows the same malloc errors. === opt shell stdout: js-opt-32-tm-darwin(68681) malloc: *** mmap(size=16777216) failed (error code=12) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug js-opt-32-tm-darwin(68681) malloc: *** mmap(size=16777216) failed (error code=12) *** error: can't allocate region *** set a breakpoint in malloc_error_break to debug Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x00190c13 in js::Oracle::Oracle () (gdb) bt #0 0x00190c13 in js::Oracle::Oracle () #1 0x0019301c in js::InitJIT () #2 0x00036acd in JSCompartment::init () #3 0x00071f7d in js::gc::NewCompartment () #4 0x0001c6ce in JS_NewCompartmentAndGlobalObject () #5 0x00009a9d in EvalInContext () #6 0x0008f522 in js::Interpret () #7 0x0009cc1d in js::Execute () #8 0x00019438 in JS_ExecuteScript () #9 0x00006ba9 in Process () #10 0x0000afc2 in Shell () #11 0x0000b55f in main () (gdb) x/i $eip 0x190c13 <_ZN2js6OracleC2Ev+563>: mov %eax,(%esi,%ecx,4) (gdb) x/b $eax 0x0: Cannot access memory at address 0x0 (gdb) x/b $esi 0x0: Cannot access memory at address 0x0 (gdb) x/b $ecx 0x0: Cannot access memory at address 0x0
Reporter | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Comment 1•14 years ago
|
||
Looks like an OOM crash, hopefully fairly easy to fix.
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][hardblocker]
Comment 2•14 years ago
|
||
Bug 624878 landed yesterday, it should have fixed this. Gary, can you try again with an up-to-date TraceMonkey build?
Comment 3•14 years ago
|
||
I still get this as of http://hg.mozilla.org/tracemonkey/rev/75354982793c.
Comment 4•14 years ago
|
||
(In reply to comment #3) > I still get this as of http://hg.mozilla.org/tracemonkey/rev/75354982793c. Actually, I get a different error though: Assertion failure: !entered && i < mLength, at c:\sources\tracemonkey\js\src\jsvector.h:304 At first I thought it was just a unix/windows thing, but maybe that assert is a residual bug after the other was fixed.
Comment 5•14 years ago
|
||
Completely different bug, by the looks of it. Can you file a new bug, including a stack trace? Thanks.
Comment 6•14 years ago
|
||
Yes, it is a new bug. I can't get a stack trace for it because I can only repro it on Windows, where the debugger fails to attach to the crashing process. Also, opt builds run fine, and correctly generate an OOM error. So, seems like a relatively minor bug.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 7•14 years ago
|
||
This bug was not a dupe of bug 624878 - it instead was fixed by bug 623428 - which landed later than bug 624878. === Due to skipped revisions, the first good revision could be any of: changeset: 60651:f2c9c558e51e user: Nicholas Nethercote date: Tue Jan 18 14:58:34 2011 -0800 summary: Bug 623428 - TM: avoid bloat caused by multiple mReserve arrays in VMAllocator (NJ-specific part). r=edwsmith. changeset: 60652:b9ea6138a9e5 user: Nicholas Nethercote date: Tue Jan 18 15:04:48 2011 -0800 summary: Update nanojit-import-rev stamp. changeset: 60653:d90128361cb8 user: Nicholas Nethercote date: Tue Jan 18 15:05:43 2011 -0800 summary: Bug 623428 - TM: avoid bloat caused by multiple mReserve arrays in VMAllocator (TM-specific part). r=gal.
Resolution: DUPLICATE → FIXED
Comment 8•14 years ago
|
||
That's surprising. I will have to dig into this a bit more to understand what happened.
Updated•13 years ago
|
Crash Signature: [@ js::Oracle::Oracle]
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•