JS OOM Testing: Assertion failure: nesting->activeFrames != 0, at js/src/jsinfer.cpp:5394

RESOLVED WORKSFORME

Priority: --
Severity: critical
Reported: 7 years ago
Last modified: 3 years ago

People

Reporter: decoder
Assignee: Unassigned

Tracking

Blocks: 1 bug
Keywords: assertion, testcase
Version: Trunk
Platform: x86_64 Linux

Description (Reporter, 7 years ago)
The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6113 -f js/src/jit-test/tests/jaeger/recompile/bug641269.js


Backtrace of the failed allocation (as output when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x58e1a5) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x595994) (js::BaseShape* js::gc::NewGCThing<js::BaseShape>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x58f171) (js_NewGCBaseShape(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:506)
#3 js/src/debug64-trunk/js(+0x594b53) (js::BaseShape::getUnowned(JSContext*, js::StackBaseShape const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1322)
#4 js/src/debug64-trunk/js(+0x59461c) (JSObject::setFlag(JSContext*, unsigned int, JSObject::GenerateShape) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1240)
#5 js/src/debug64-trunk/js(+0x4d91dc) (JSObject::setDelegate(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:858)
#6 js/src/debug64-trunk/js(+0x4fa241) (js::ScopeObject::setEnclosingScope(JSContext*, JSObject&) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../vm/ScopeObject-inl.h:57)
#7 js/src/debug64-trunk/js(+0x603ea4) (js::CallObject::create(JSContext*, JSScript*, JSObject&, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/ScopeObject.cpp:207)
#8 js/src/debug64-trunk/js(+0x6041b0) (js::CallObject::createForFunction(JSContext*, js::StackFrame*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/ScopeObject.cpp:250)
#9 js/src/debug64-trunk/js(+0x4fbbe7) (js::StackFrame::functionPrologue(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/Stack-inl.h:373)
#10 js/src/debug64-trunk/js(+0x50c4f5) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:2736)
#11 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)


This could be bug 701764. Filing anyway to make sure it gets covered.

Comment 1

This testcase is identical to that in bug 735016, and gives that bug's failure rather than the one above.
Updated (Reporter, 7 years ago): Blocks: 624094
Updated (Assignee, 4 years ago): Assignee: general → nobody
Comment 2 (Reporter, 3 years ago)
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
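The description reproduces the failure with the shell's -A option (fail the Nth allocation) and prints the addr2line-filtered backtrace of that allocation; Comment 2 then closes the bug because the signature no longer shows up in FuzzManager. The script below is an added example, not code from this bug, the SpiderMonkey shell or FuzzManager: it parses reports in the layout shown above ("#N <binary>(+0x<offset>) (<function> at <file>:<line>)" plus the "Assertion failure: ..., at file:line" message) and reduces each to a signature built from the assertion and the first few function names after PrintBacktrace, so that the same OOM site found with a different checkout path, binary offsets or -A count is bucketed together. REPORT_A is assembled from the bug title and frames #0 to #5 of the backtrace in the description; REPORT_B and REPORT_C are constructed variants, and the frame name js_NewGCShape in REPORT_C is hypothetical, used only to show a non-matching signature.

```python
"""Bucket SpiderMonkey OOM-backtrace reports by a normalized signature.

Added example; not code from this bug, the SpiderMonkey shell or
FuzzManager. It assumes the report layout shown in the bug: an
"Assertion failure: <cond>, at <file>:<line>" line plus frames of the form
"#N <binary>(+0x<offset>) (<function> at <file>:<line>)" as produced by
--enable-oom-backtrace filtered through addr2line.
"""
import posixpath
import re

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+\S+\(\+0x[0-9a-fA-F]+\)\s+"
    r"\((?P<func>.+?) at (?P<file>\S+):(?P<line>\d+)\)$"
)
ASSERT_RE = re.compile(
    r"Assertion failure: (?P<cond>.+?), at (?P<file>\S+):(?P<line>\d+)"
)
# The backtrace printer is the top frame of every report and says nothing
# about the allocation site, so it never contributes to a signature.
NOISE_FUNCS = frozenset({"PrintBacktrace"})


def normalize_path(path):
    """Collapse '.'/'..' and drop everything before the tree-relative
    'js/src/' so the same file in two checkouts compares equal."""
    path = posixpath.normpath(path)
    idx = path.find("js/src/")
    return path[idx:] if idx >= 0 else path


def short_func(func):
    """'js::BaseShape* js::gc::NewGCThing<js::BaseShape>(JSContext*, ...)'
    -> 'js::gc::NewGCThing': drop parameters, template arguments and the
    return type (operator names containing '<' are not handled)."""
    head = func.split("(", 1)[0]
    while True:
        stripped = re.sub(r"<[^<>]*>", "", head)
        if stripped == head:
            break
        head = stripped
    tokens = head.split()
    return tokens[-1] if tokens else func


def parse_frames(report):
    """Return [(frame number, short function, normalized file, line)]."""
    frames = []
    for raw in report.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append((int(m["num"]), short_func(m["func"]),
                           normalize_path(m["file"]), int(m["line"])))
    return frames


def signature(report, depth=5):
    """(assertion text or None, first `depth` non-noise function names).
    Equal signatures mean the failed allocation sits on the same call path."""
    m = ASSERT_RE.search(report)
    assertion = (f"{m['cond']} at {normalize_path(m['file'])}:{m['line']}"
                 if m else None)
    funcs = [f[1] for f in parse_frames(report) if f[1] not in NOISE_FUNCS]
    return assertion, tuple(funcs[:depth])


def bucket(reports):
    """Group reports by signature (FuzzManager-style dedup in miniature)."""
    buckets = {}
    for report in reports:
        buckets.setdefault(signature(report), []).append(report)
    return buckets


# Sample A: the assertion from the bug title followed by frames #0-#5 of the
# backtrace in the description, laid out as one shell run would print them
# (constructed; later frames omitted, the signature only uses five).
REPORT_A = """\
Assertion failure: nesting->activeFrames != 0, at js/src/jsinfer.cpp:5394
#0 js/src/debug64-trunk/js(+0x58e1a5) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x595994) (js::BaseShape* js::gc::NewGCThing<js::BaseShape>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x58f171) (js_NewGCBaseShape(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsgcinlines.h:506)
#3 js/src/debug64-trunk/js(+0x594b53) (js::BaseShape::getUnowned(JSContext*, js::StackBaseShape const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1322)
#4 js/src/debug64-trunk/js(+0x59461c) (JSObject::setFlag(JSContext*, unsigned int, JSObject::GenerateShape) at /home/decoder/LangFuzz/mozilla-central/js/src/jsscope.cpp:1240)
#5 js/src/debug64-trunk/js(+0x4d91dc) (JSObject::setDelegate(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsobjinlines.h:858)
"""
# Sample B (constructed): the same failure seen from another checkout with
# different binary offsets; it must land in the same bucket as A.
REPORT_B = (REPORT_A.replace("/home/decoder/LangFuzz/mozilla-central/",
                             "/builds/gecko/").replace("+0x5", "+0x7"))
# Sample C (constructed, hypothetical frame name): a different allocation
# path under the same assertion; it must not be merged with A.
REPORT_C = REPORT_A.replace("js_NewGCBaseShape(JSContext*)",
                            "js_NewGCShape(JSContext*)")

if __name__ == "__main__":
    for sig, members in bucket([REPORT_A, REPORT_B, REPORT_C]).items():
        print(len(members), sig[0], "via", " <- ".join(sig[1]))
```

Only the function names enter the signature, not file:line pairs, because line numbers in headers such as jsgcinlines.h move with every unrelated edit; raise `depth` when one allocation helper is reached from many distinct callers and the buckets come out too coarse.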