Closed Bug 735046 Opened 13 years ago Closed 13 years ago

JS OOM Testing: Assertion failure: verifiedRange, at js/src/methodjit/BaseCompiler.h:137

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 727344

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

The following command aborts/crashes on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6527 -f js/src/jit-test/tests/jaeger/bug658240.js

Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x415121) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x415203) (js_malloc at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:172)
#2 js/src/debug64-trunk/js(+0x415364) (js::SystemAllocPolicy::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../../jsalloc.h:66)
#3 js/src/debug64-trunk/js(+0x73df3b) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:656)
#4 js/src/debug64-trunk/js(+0x73da51) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::growStorageBy(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:678)
#5 js/src/debug64-trunk/js(+0x73ccbf) (bool js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::append<js::mjit::NativeCallStub>(js::mjit::NativeCallStub) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:798)
#6 js/src/debug64-trunk/js(+0x738c97) (js::mjit::NativeStubLinker::init(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:441)
#7 js/src/debug64-trunk/js(+0x73b01d) (CallCompiler::generateNativeStub() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:925)
#8 js/src/debug64-trunk/js(+0x73b697) (js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1032)
#9 [0x7ffdc10ddf76]

Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Blocks: 624094