Closed Bug 735032 Opened 12 years ago Closed 12 years ago

JS OOM Testing: Assertion failure: spoff == js_ReconstructStackDepth(cx_, fp_->script(), pc_), at js/src/vm/Stack.cpp:1151 or Crash [@ CrashIfInvalidSlot]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

The following command aborts on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6285 -f js/src/jit-test/tests/jaeger/recompile/memory-04.js


Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x403959) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x405966) (js::LifoAlloc::alloc(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../../ds/LifoAlloc.h:224)
#2 js/src/debug64-trunk/js(+0x78c88e) (js::analyze::Bytecode* js::LifoAlloc::new_<js::analyze::Bytecode>() at /home/decoder/LangFuzz/mozilla-central/js/src/ds/LifoAlloc.h:320)
#3 js/src/debug64-trunk/js(+0x787f1d) (js::analyze::ScriptAnalysis::analyzeBytecode(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsanalyze.cpp:654)
#4 js/src/debug64-trunk/js(+0x4e9243) (JSScript::makeAnalysis(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinfer.cpp:5549)
#5 js/src/debug64-trunk/js(+0x4d8e30) (JSScript::ensureRanAnalysis(JSContext*, JSObject*) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsinferinlines.h:1394)
#6 js/src/debug64-trunk/js(+0x4e7fe6) (js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinfer.cpp:5137)
#7 js/src/debug64-trunk/js(+0x4fa98a) (js::types::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, JS::Value const&) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/../jsinferinlines.h:575)
#8 js/src/debug64-trunk/js(+0x5059b4) (js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) at /home/decoder/LangFuzz/mozilla-central/js/src/jsinterp.cpp:1906)
#9 js/src/debug64-trunk/js(+0x69e1e3) (js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079)


This issue seems to be independent of the one in bug 732496.
Blocks: 735036
No longer blocks: 735036
Blocks: 624094
Now it just prints "out of memory" 3 times.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.