Bug 735046
Opened 13 years ago
Closed 13 years ago
JS OOM Testing: Assertion failure: verifiedRange, at js/src/methodjit/BaseCompiler.h:137
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 727344
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, testcase)
The following command aborts/crashes on mozilla-central revision c6f26a8dcd08:
js -m -n -a -A 6527 -f js/src/jit-test/tests/jaeger/bug658240.js
Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):
#0 js/src/debug64-trunk/js(+0x415121) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x415203) (js_malloc at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:172)
#2 js/src/debug64-trunk/js(+0x415364) (js::SystemAllocPolicy::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../../jsalloc.h:66)
#3 js/src/debug64-trunk/js(+0x73df3b) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:656)
#4 js/src/debug64-trunk/js(+0x73da51) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::growStorageBy(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:678)
#5 js/src/debug64-trunk/js(+0x73ccbf) (bool js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::append<js::mjit::NativeCallStub>(js::mjit::NativeCallStub) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:798)
#6 js/src/debug64-trunk/js(+0x738c97) (js::mjit::NativeStubLinker::init(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:441)
#7 js/src/debug64-trunk/js(+0x73b01d) (CallCompiler::generateNativeStub() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:925)
#8 js/src/debug64-trunk/js(+0x73b697) (js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1032)
#9 [0x7ffdc10ddf76]
Updated • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE