729910 - Assertion failure: str, at ../../jsval.h:702 or Crash [@ JSString::isAtom] with OOM

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test asserts on mozilla-central revision 9bde0d25d76e (options -m -n -a):


var lfcode = new Array();
lfcode.push("function test()\
    gc();\
    gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 4*1024);\
  function complexMult(a, b) {\
  function complexAdd(a, b) {\
  function abs(a) {\
  function computeEscapeSpeed(c) {\
  function createMandelSet(realRange, imagRange) {}\
      }\
    }\
  }\
}\
");
lfcode.push("function testLambdaCtor( _    )  {\
    for (var x = 0; x < 2; ++x) {\
        var f = function(){};\
        if (x == 1) gc();\
        q = new f;\
    }\
    return q.__proto__ === (testLambdaCtor(\"9.2.1.7 XMLList [[DeepCopy]]\"));\
}\
assertEq(testLambdaCtor(), true);\
");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
        if (file == "evaluate") {
        } else {
                evaluate(file); //loadFile(file);
        }
}
function loadFile(lfVarx) {
        try {
                if (lfVarx.substr(-3) == ".js") {
                } else {
                        evaluate(lfVarx);
                }
        } catch (lfVare) {      }
}


Originally, this asserted as:

Assertion failure: !hasLazyType(), at ../jsobj.h:867


Crashes afterwards seem like safe null-pointer crashes (probably due to OOM).

Comment 1

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: don't oom in shell GC

Missing null check.

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/f00bab9999f9

Comment 3

[Marco Bonardo [:mak]]

https://hg.mozilla.org/mozilla-central/rev/f00bab9999f9