Closed Bug 734974 Opened 13 years ago Closed 13 years ago

JS OOM Testing: Assertion failure: cx->compartment->types.inferenceEnabled, at ../jsinferinlines.h:213

Component: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: decoder (Unassigned)
Keywords: assertion, testcase
Attachments: 1 file

The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6832 -f js/src/jit-test/tests/basic/bug535474.js

Here's the full backtrace of the last failed allocation (as output when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x421411) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x4214f3) (js_malloc at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:172)
#2 js/src/debug64-trunk/js(+0x42163c) (js::OffTheBooks::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:585)
#3 js/src/debug64-trunk/js(+0x5784c2) (GrowStuff at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:1098)
#4 js/src/debug64-trunk/js(+0x5761f6) (fill2 at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:142)
#5 js/src/debug64-trunk/js(+0x5769d6) (cvt_s at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:394)
#6 js/src/debug64-trunk/js(+0x5780e2) (dosprintf at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:1001)
#7 js/src/debug64-trunk/js(+0x578696) (JS_vsmprintf at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:1149)
#8 js/src/debug64-trunk/js(+0x578623) (JS_smprintf at /home/decoder/LangFuzz/mozilla-central/js/src/jsprf.cpp:1127)
#9 js/src/debug64-trunk/js(+0x41217e) (my_ErrorReporter at /home/decoder/LangFuzz/mozilla-central/js/src/shell/js.cpp:4214)
#10 js/src/debug64-trunk/js(+0x47640d) (js_ReportOutOfMemory(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jscntxt.cpp:410)
#11 js/src/debug64-trunk/js(+0x478273) (JSRuntime::onOutOfMemory(void*, unsigned long, JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jscntxt.cpp:1159)
#12 js/src/debug64-trunk/js(+0x785bfb) (js::TempAllocPolicy::onOutOfMemory(void*, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/jsalloc.cpp:48)
#13 js/src/debug64-trunk/js(+0x421d3f) (js::TempAllocPolicy::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/jsalloc.h:101)
#14 js/src/debug64-trunk/js(+0x4f27fa) (js::Vector<js::types::RecompileInfo, 0ul, js::TempAllocPolicy>::convertToHeapStorage(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:656)
#15 js/src/debug64-trunk/js(+0x4f09e7) (js::Vector<js::types::RecompileInfo, 0ul, js::TempAllocPolicy>::growStorageBy(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:678)
#16 js/src/debug64-trunk/js(+0x4ed711) (bool js::Vector<js::types::RecompileInfo, 0ul, js::TempAllocPolicy>::append<js::types::RecompileInfo>(js::types::RecompileInfo) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:798)
#17 js/src/debug64-trunk/js(+0x4debff) (js::types::TypeCompartment::addPendingRecompile(JSContext*, js::types::RecompileInfo const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinfer.cpp:2228)
#18 js/src/debug64-trunk/js(+0x4dca90) (TypeConstraintFreezeTypeTag::newType(JSContext*, js::types::TypeSet*, js::types::Type) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinfer.cpp:1464)
#19 js/src/debug64-trunk/js(+0x44fc22) (js::types::TypeCompartment::resolvePending(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsinferinlines.h:790)
#20 js/src/debug64-trunk/js(+0x4500c4) (js::types::TypeSet::addType(JSContext*, js::types::Type) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsinferinlines.h:1083)
#21 js/src/debug64-trunk/js(+0x4e80bf) (js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinfer.cpp:5135)
#22 js/src/debug64-trunk/js(+0x4fa98a) (js::types::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, JS::Value const&) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsinferinlines.h:575)
#23 js/src/debug64-trunk/js(+0x795d4d) (js::mjit::stubs::TypeBarrierHelper(js::VMFrame&, unsigned int) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/StubCalls.cpp:1676)
#24 [0x7f93011ff64a]
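The OOM testing the command above relies on, as an added example that is not SpiderMonkey's code: a minimal fail-the-Nth-allocation harness in the style of the js shell's -A flag, driving a grow-on-demand vector (the Vector::append -> growStorageBy -> convertToHeapStorage shape in the trace), an error reporter that allocates its own message buffer (as my_ErrorReporter -> JS_smprintf does in frames #8 and #9), and a consumer that tests the inference flag instead of asserting it. The "fail from the Nth allocation on" semantics, the Compartment and OomRun types and every function name here are assumptions made for illustration.

```c
/* Added example, not SpiderMonkey code: a "fail allocations from the Nth on"
 * harness modelled on the js shell's -A option (semantics assumed here). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static size_t oom_counter;         /* allocations attempted in this run */
static size_t oom_max_allocations; /* 0 = never fail; N = fail from the Nth on */
static size_t oom_failures;        /* allocations refused in this run */

static void oom_set_limit(size_t n) {
    oom_counter = oom_failures = 0;
    oom_max_allocations = n;
}

/* Drop-in for malloc(). Assumption: once the limit is hit every later allocation
 * fails too, as in the trace (the reporter's allocation failed after the Vector's). */
static void *test_malloc(size_t size) {
    if (oom_max_allocations != 0 && ++oom_counter >= oom_max_allocations) {
        oom_failures++;
        return NULL;
    }
    return malloc(size);
}

typedef struct { int *data; size_t len, cap; } IntVec;

/* append -> grow -> allocate, the shape of the Vector frames in the trace. */
static int vec_append(IntVec *v, int x) {
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        int *nd = test_malloc(ncap * sizeof *nd);
        if (!nd) return 0;
        if (v->len) memcpy(nd, v->data, v->len * sizeof *nd);
        free(v->data);
        v->data = nd; v->cap = ncap;
    }
    v->data[v->len++] = x;
    return 1;
}

typedef struct {
    int inference_enabled; /* stands in for cx->compartment->types.inferenceEnabled */
    int reports_delivered;
    int reports_dropped;   /* the reporter itself hit OOM while formatting */
} Compartment;

/* An error reporter that allocates, like my_ErrorReporter -> JS_smprintf:
 * under the injected fault it fails as well and the message is lost. */
static void report_oom(Compartment *c, const char *where) {
    size_t n = strlen("out of memory in ") + strlen(where) + 1;
    char *msg = test_malloc(n);
    if (!msg) { c->reports_dropped++; return; }
    snprintf(msg, n, "out of memory in %s", where);
    c->reports_delivered++;
    free(msg);
}

/* OOM response: report, then tear down inference state (the "nuked types"
 * the attachment describes). Everything downstream must tolerate this. */
static void on_out_of_memory(Compartment *c, const char *where) {
    report_oom(c, where);
    c->inference_enabled = 0;
}

/* Consumer of type information. Asserting inference_enabled here is the bug
 * pattern; after an OOM the state is legitimately disabled, so test for it. */
static int record_type(Compartment *c, IntVec *types, int t) {
    if (!c->inference_enabled) return 0;
    if (!vec_append(types, t)) { on_out_of_memory(c, "record_type"); return 0; }
    return 1;
}

typedef struct { int recorded, delivered_reports, dropped_reports, inference_enabled; size_t failures; } OomRun;

/* One run of ten type records with the fault injected at allocation fail_at (0 = no fault). */
static OomRun run_with_oom_limit(size_t fail_at) {
    Compartment c = { 1, 0, 0 };
    IntVec types = { NULL, 0, 0 };
    OomRun r = { 0, 0, 0, 0, 0 };
    oom_set_limit(fail_at);
    for (int i = 0; i < 10; i++) r.recorded += record_type(&c, &types, i);
    r.delivered_reports = c.reports_delivered;
    r.dropped_reports = c.reports_dropped;
    r.inference_enabled = c.inference_enabled;
    r.failures = oom_failures;
    free(types.data);
    return r;
}

int main(void) {
    /* Sweep the failure point the way an OOM fuzzing loop would; -A 6832 is one such point. */
    for (size_t n = 0; n <= 4; n++) {
        OomRun r = run_with_oom_limit(n);
        printf("fail_at=%zu recorded=%d delivered=%d dropped=%d inference=%d failures=%zu\n",
               n, r.recorded, r.delivered_reports, r.dropped_reports, r.inference_enabled, r.failures);
    }
    return 0;
}
```

With no fault the vector grows three times (capacities 4, 8, 16) and all ten records land. With fail_at=2 the second growth is refused, the reporter's own buffer allocation is refused right after it, so the OOM report is silently lost, inference is torn down, and the remaining records are skipped by the explicit check rather than tripping an assertion.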
Attached patch: patch
Handle another state that can only occur if types have been nuked --- lazy arguments were used for a script in the past, but inference has since been disabled.
Attachment #613632 - Flags: review?(luke)
Blocks: 624094
This code has been removed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME