JS OOM Testing: Assertion failure: verifiedRange, at js/src/methodjit/BaseCompiler.h:137

Status: RESOLVED DUPLICATE of bug 727344
Severity: critical
Reported: 7 years ago
Last modified: 7 years ago
Reporter: decoder
Assignee: Unassigned
Blocks: 1 bug
Keywords: assertion, testcase
Version: Trunk
Platform: x86_64 Linux

Description (Reporter, 7 years ago):
The following command aborts/crashes on mozilla-central revision c6f26a8dcd08:

js -m -n -a -A 6527 -f js/src/jit-test/tests/jaeger/bug658240.js


Backtrace of failed allocation (as outputted when compiling with --enable-oom-backtrace and filtered through addr2line):

#0 js/src/debug64-trunk/js(+0x415121) (PrintBacktrace at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:130)
#1 js/src/debug64-trunk/js(+0x415203) (js_malloc at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../dist/include/js/Utility.h:172)
#2 js/src/debug64-trunk/js(+0x415364) (js::SystemAllocPolicy::malloc_(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/shell/../../jsalloc.h:66)
#3 js/src/debug64-trunk/js(+0x73df3b) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:656)
#4 js/src/debug64-trunk/js(+0x73da51) (js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::growStorageBy(unsigned long) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:678)
#5 js/src/debug64-trunk/js(+0x73ccbf) (bool js::Vector<js::mjit::NativeCallStub, 0ul, js::SystemAllocPolicy>::append<js::mjit::NativeCallStub>(js::mjit::NativeCallStub) at /home/decoder/LangFuzz/mozilla-central/js/src/debug64-trunk/./dist/include/js/Vector.h:798)
#6 js/src/debug64-trunk/js(+0x738c97) (js::mjit::NativeStubLinker::init(JSContext*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:441)
#7 js/src/debug64-trunk/js(+0x73b01d) (CallCompiler::generateNativeStub() at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:925)
#8 js/src/debug64-trunk/js(+0x73b697) (js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1032)
#9 [0x7ffdc10ddf76]

Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 727344
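The backtrace above ends in `js_malloc` returning NULL inside a `js::Vector::append` call that the method JIT's `NativeStubLinker::init` was not prepared to see fail. As an added example that is not SpiderMonkey code, the C program below reproduces the testing pattern the reporter's `-A 6527` run is assumed to rely on (a shell option that makes the Nth allocation fail) in miniature: a counting allocator that fails one chosen allocation, a growable vector whose `append` reports failure instead of asserting, and a sweep that fails every allocation of a workload in turn and checks that each failure is propagated to the caller and leaves no live storage behind. The names `oom_malloc`, `oom_set_fail_at`, `IntVec`, `build_sequence` and `oom_sweep` are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed failure injector (assumption of this example): when fail_at is
 * non-zero, the fail_at-th call to oom_malloc returns NULL, like a shell
 * run with -A N. */
static unsigned long alloc_count = 0;
static unsigned long fail_at = 0;

void oom_set_fail_at(unsigned long n) { alloc_count = 0; fail_at = n; }

static void *oom_malloc(size_t n) {
    alloc_count++;
    if (fail_at != 0 && alloc_count == fail_at)
        return NULL;                       /* injected allocation failure */
    return malloc(n);
}

/* Minimal growable vector, standing in for js::Vector. */
typedef struct { int *data; size_t len; size_t cap; } IntVec;

void vec_init(IntVec *v) { v->data = NULL; v->len = 0; v->cap = 0; }
void vec_free(IntVec *v) { free(v->data); vec_init(v); }

/* Fallible append: returns 0 on success, -1 if growing the storage failed.
 * On failure the vector is untouched and still valid, so callers can unwind. */
int vec_append(IntVec *v, int x) {
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        int *nd = oom_malloc(ncap * sizeof *nd);
        if (!nd)
            return -1;
        if (v->len)
            memcpy(nd, v->data, v->len * sizeof *nd);
        free(v->data);
        v->data = nd;
        v->cap = ncap;
    }
    v->data[v->len++] = x;
    return 0;
}

/* Workload under test: builds a vector of n elements and propagates any
 * allocation failure upward after releasing what it already allocated. */
int build_sequence(size_t n, IntVec *out) {
    vec_init(out);
    for (size_t i = 0; i < n; i++) {
        if (vec_append(out, (int)i) != 0) {
            vec_free(out);
            return -1;
        }
    }
    return 0;
}

/* OOM sweep: run the workload once unrestricted to count its allocations,
 * then re-run it failing allocation 1, 2, ..., total in turn. Returns the
 * allocation count on success, -1 if the unrestricted run failed, -2 if any
 * injected failure was not reported back to the caller. */
long oom_sweep(size_t n) {
    IntVec v;
    oom_set_fail_at(0);
    if (build_sequence(n, &v) != 0)
        return -1;
    vec_free(&v);
    unsigned long total = alloc_count;

    for (unsigned long k = 1; k <= total; k++) {
        oom_set_fail_at(k);
        if (build_sequence(n, &v) != -1) {  /* failure must surface, never be masked */
            vec_free(&v);
            oom_set_fail_at(0);
            return -2;
        }
        /* build_sequence already freed the vector on its failure path */
    }
    oom_set_fail_at(0);
    return (long)total;
}

int main(void) {
    long allocs = oom_sweep(100);
    printf("100-element workload: %ld allocations, every injected failure propagated\n", allocs);
    return allocs < 0 ? 1 : 0;
}
```

The sweep is the defender's view of what `-A N` exercises: a code path is only OOM-safe if every allocation it performs can fail and the failure reaches a caller that can unwind. A site that asserts on the result of an allocation instead of returning it, which is what the reported stack shows inside the JIT, is exactly what such a sweep is designed to find.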

Updated (Reporter, 7 years ago):
Blocks: 624094