Closed Bug 735028 Opened 12 years ago Closed 9 years ago

JS OOM Testing: Assertion failure: ok, at js/src/jsiter.cpp:1590

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase) 

The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 9380 -f js/src/jit-test/tests/debug/Frame-onPop-15.js


Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x522b0d) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x52791c) (JSShortString* js::gc::NewGCThing<JSShortString>(JSContext*, js::gc::AllocKind, unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:411)
#2 js/src/debug64-trunk/js(+0x523a54) (js_NewGCShortString(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsgcinlines.h:481)
#3 js/src/debug64-trunk/js(+0x62f094) (js_ConcatStrings(JSContext*, JSString*, JSString*) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.cpp:327)
#4 js/src/debug64-trunk/js(+0x792b95) (js::mjit::stubs::Add(js::VMFrame&) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/StubCalls.cpp:683)
#5 [0x7f8355c46835]
Blocks: 624094
Assignee: general → nobody
Mass-closing old JS OOM reports. I've confirmed that none of these signatures currently appear in FuzzManager, so we can safely assume that the code causing this is gone or has been fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.