JS OOM Testing: Assertion failure: compartment()->activeInference, at js/src/jsinfer.cpp:2161 or Crash [@ JSString::isAtom]

RESOLVED FIXED in mozilla14

Product: Core
Component: JavaScript Engine
Severity: critical
Status: RESOLVED FIXED
Reporter: decoder
Assignee: Unassigned
Version: Trunk
Target Milestone: mozilla14
Platform: x86_64, Linux
Keywords: assertion, crash, testcase
Firefox Tracking Flags: Not tracked
Whiteboard: js-triage-needed, crash signature
Attachments: 1 attachment

Description

5 years ago
The following command crashes/asserts on mozilla-central revision d45c7d7b0079:

js -m -n -a -A 501026 -f js/src/tests/shell.js -f js/src/tests/e4x/shell.js -f js/src/tests/e4x/GC/shell.js -f js/src/tests/e4x/GC/regress-280844-2.js


Passing through the assertions yields this crash:

Program received signal SIGABRT, Aborted.
out of memory
Assertion failure: str, at ../../jsval.h:702

Program received signal SIGABRT, Aborted.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000442e04 in JSString::isAtom (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:381
381             bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt 4
#0  0x0000000000442e04 in JSString::isAtom (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:381
#1  0x0000000000444db4 in js::CompartmentChecker::check (this=0x7fffffffce30, str=0x0) at ../jscntxtinlines.h:181
#2  0x0000000000444e4a in js::CompartmentChecker::check (this=0x7fffffffce30, v=...) at ../jscntxtinlines.h:189
#3  0x0000000000447f77 in js::assertSameCompartment<JS::Value> (cx=0xb5eae0, t1=...) at ../jscntxtinlines.h:251

Comment 1

5 years ago
Note this assertion is common on oom/low memory conditions with image suck bugs.

Created attachment 613588
patch

Bogus assert.
Attachment #613588 - Flags: review?(luke)
Duplicate of this bug: 734972

Updated

5 years ago
Attachment #613588 - Flags: review?(luke) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/43cd822084b3
https://hg.mozilla.org/mozilla-central/rev/43cd822084b3
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14

Comment 6

5 years ago
Matt, I still see this assertion during low/oom conditions due to image-suck at http://mxr.mozilla.org/mozilla-central/source/js/src/jsinfer.cpp#2122. Is that assertion bogus as well?