Closed
Bug 735019
Opened 12 years ago
Closed 9 years ago
JS OOM Testing: Assertion failure: nesting->activeFrames != 0, at js/src/jsinfer.cpp:5394
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, testcase)
The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6113 -f js/src/jit-test/tests/jaeger/recompile/bug641269.js

Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x58e1a5) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x595994) (js::BaseShape* js::gc::NewGCThing<js::BaseShape>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x58f171) (js_NewGCBaseShape(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:506)
#3 js/src/debug64-trunk/js(+0x594b53) (js::BaseShape::getUnowned(JSContext*, js::StackBaseShape const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1322)
#4 js/src/debug64-trunk/js(+0x59461c) (JSObject::setFlag(JSContext*, unsigned int, JSObject::GenerateShape) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1240)
#5 js/src/debug64-trunk/js(+0x4d91dc) (JSObject::setDelegate(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:858)
#6 js/src/debug64-trunk/js(+0x4fa241) (js::ScopeObject::setEnclosingScope(JSContext*, JSObject&) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../vm/ScopeObject-inl.h:57)
#7 js/src/debug64-trunk/js(+0x603ea4) (js::CallObject::create(JSContext*, JSScript*, JSObject&, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/ScopeObject.cpp:207)
#8 js/src/debug64-trunk/js(+0x6041b0) (js::CallObject::createForFunction(JSContext*, js::StackFrame*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/ScopeObject.cpp:250)
#9 js/src/debug64-trunk/js(+0x4fbbe7) (js::StackFrame::functionPrologue(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/Stack-inl.h:373)
#10 js/src/debug64-trunk/js(+0x50c4f5) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:2736)
#11 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)

This could be bug 701764. Filing anyway to make sure it gets covered.
Comment 1•12 years ago
This testcase is identical to that in bug 735016, and gives that bug's failure rather than the one above.
Assignee
Updated•10 years ago
Assignee: general → nobody
Reporter
Comment 2•9 years ago
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME