Closed
Bug 744053
Opened 13 years ago
Closed 13 years ago
Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] or Crash [@ JSScript::ReleaseCode]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla15
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, crash, testcase, Whiteboard: js-triage-done)
Crash Data
Attachments
(1 file)
1.09 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts/crashes on mozilla-central revision 3fa30b0edd15 (options -m -n -a):
function printStatus (msg) {}
function printBugNumber (num) {
if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) { }
}
function enterFunc (funcName)
function getFailedCases() {}
function jit(on) {}
function f() {
var ss = [new f("abc"), new ("\u00c2" ) ((500)), new String("quux")];
}
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
for (var i = 0; f("set1") ^ this && Number(setTime); i++) {}
Crash backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
1318 for (unsigned i = 0; i < nchunks; i++)
(gdb) bt
#0 0x000000000069f3cf in js::mjit::JITScript::destroy (this=0x0, fop=0x7ffff7fb0aa8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1318
#1 0x000000000069f999 in JSScript::ReleaseCode (fop=0x7ffff7fb0aa8, jith=0x7ffff61074e8) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1456
#2 0x00000000006b3cbe in js::mjit::Compiler::compile (this=0x7fffffff84d0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:149
#3 0x00000000006b7036 in js::mjit::CanMethodJIT (cx=0xb77a80, script=0x7ffff6107480, pc=0xb7da38 "Z", construct=true, request=js::mjit::CompileRequest_Interpreter)
at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:993
#4 0x00000000005086fb in js::Interpret (cx=0xb77a80, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2726
#5 0x000000000069e8dc in js::mjit::EnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, stackLimit=0x7ffff67db000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#6 0x000000000069ea95 in CheckStackAndEnterMethodJIT (cx=0xb77a80, fp=0x7ffff63fb030, code=0x7ffff7f3e078, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
#7 0x000000000069eb54 in js::mjit::JaegerShot (cx=0xb77a80, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1123
#8 0x00000000004fbd1d in js::RunScript (cx=0xb77a80, script=0x7ffff6107538, fp=0x7ffff63fb030) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:469
Looks like a save null-deref due to OOM.
Reporter | ||
Updated•13 years ago
|
Crash Signature: [@ js::mjit::JITScript::destroy] → [@ js::mjit::JITScript::destroy]
[@ JSScript::ReleaseCode]
Summary: Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] → Assertion failure: isValid(), at ../../jsscript.h:380 or Crash [@ js::mjit::JITScript::destroy] or Crash [@ JSScript::ReleaseCode]
Comment 1•13 years ago
|
||
Reproducible on Mac OS X with the following code:
gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function f() { var x = [ function g() { f() }, new f("abc") ] }
f()
Comment 2•13 years ago
|
||
The issue appears to be that the script handle has not been initialized as the compiler ran out of memory while compiling. Checking the handle is valid first before accessing the contents fixes this.
Attachment #628957 -
Flags: review?(bhackett1024)
Updated•13 years ago
|
Attachment #628957 -
Flags: review?(bhackett1024) → review+
Whiteboard: js-triage-needed → js-triage-needed, [checkin-needed]
![]() |
||
Comment 3•13 years ago
|
||
Whiteboard: js-triage-needed, [checkin-needed] → js-triage-done
Target Milestone: --- → mozilla15
Comment 4•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•