Closed Bug 734987 Opened 13 years ago Closed 9 years ago

JS OOM Testing: Assertion failure: enumerators == cx->enumerators, at js/src/jsinterp.cpp:453

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following command aborts on mozilla-central revision c6f26a8dcd08: js -m -n -a -A 52072 -f js/src/jit-test/tests/basic/testComparisons.js Here is the backtrace of the last failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line): #0 js/src/debug64-trunk/js(+0x415121) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:130) #1 js/src/debug64-trunk/js(+0x415203) (js_malloc at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:172) #2 js/src/debug64-trunk/js(+0x415364) (js::SystemAllocPolicy::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../../jsalloc.h:66) #3 js/src/debug64-trunk/js(+0x6e6e87) (js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::createTable(js::SystemAllocPolicy&, unsigned int) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/HashTable.h:345) #4 js/src/debug64-trunk/js(+0x6ea365) (js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::changeTableSize(int) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/HashTable.h:560) #5 js/src/debug64-trunk/js(+0x75f0d2) (js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::checkUnderloaded() at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/HashTable.h:604) #6 js/src/debug64-trunk/js(+0x75ef71) (js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::remove(js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Ptr) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/HashTable.h:765) #7 js/src/debug64-trunk/js(+0x75ed49) (js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::remove(js::detail::HashTable<JSC::ExecutablePool* const, js::HashSet<JSC::ExecutablePool*, js::DefaultHasher<JSC::ExecutablePool*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Ptr) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/HashTable.h:1214) #8 js/src/debug64-trunk/js(+0x75ebc8) (JSC::ExecutableAllocator::releasePoolPages(JSC::ExecutablePool*) at /home/decoder/LangFuzz/mozilla-central/js/src/assembler/jit/ExecutableAllocator.h:245) #9 js/src/debug64-trunk/js(+0x75ebec) (~ExecutablePool at /home/decoder/LangFuzz/mozilla-central/js/src/assembler/jit/ExecutableAllocator.cpp:40) #10 js/src/debug64-trunk/js(+0x4468bd) (void js::Foreground::delete_<JSC::ExecutablePool>(JSC::ExecutablePool*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:607) #11 js/src/debug64-trunk/js(+0x42541f) (JSC::ExecutablePool::release(bool) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../assembler/jit/ExecutableAllocator.h:129) #12 js/src/debug64-trunk/js(+0x69eefb) (js::mjit::JITScript::destroyChunk(JSContext*, unsigned int, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1360) Full log with all allocation backtraces has about 700 kb.
Blocks: 624094
Assignee: general → nobody
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.