Closed Bug 756629 Opened 13 years ago Closed 13 years ago

IonMonkey: OOM Testing: Assertion failure: unknown frame type, at js/src/ion/IonFrames-inl.h:77 or Crash [@ js::ion::IonCommonFrameLayout::prevFrameLocalSize]

Categories

Product/Component: Core :: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 756615

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:dupe 756615])

The following command asserts on ionmonkey revision 8c54899dae82 (dbg build):

js -e 'const libdir = "js/src/jit-test/lib/";' -A 114118 -f js/src/jit-test/tests/sunspider/check-crypto-aes.js

Bad looking crash after stepping through the assertion:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fcbe4 in js::ion::IonCommonFrameLayout::prevFrameLocalSize (this=0x200800ffffe9221) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:70
in /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h
#0  0x00000000007fcbe4 in js::ion::IonCommonFrameLayout::prevFrameLocalSize (this=0x200800ffffe9221) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:70
#1  0x00000000007fd059 in js::ion::IonFrameIterator::prevFrameLocalSize (this=0x7fffffffbcc8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames-inl.h:99
#2  0x00000000007fd8dc in js::ion::IonFrameIterator::operator++ (this=0x7fffffffbcc8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:265
#3  0x000000000066cc1b in js::StackIter::settleOnNewState (this=0x7fffffffbc60) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1192
#4  0x000000000066d2b5 in js::StackIter::StackIter (this=0x7fffffffbc60, cx=0xda05e0, savedOption=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1295
#5  0x0000000000406e4c in js::ScriptFrameIter::ScriptFrameIter (this=0x7fffffffbc60, cx=0xda05e0, opt=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.h:1938
#6  0x0000000000482da0 in PopulateReportBlame (cx=0xda05e0, report=0x7fffffffc010) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:376
#7  0x0000000000482f08 in js_ReportOutOfMemory (cx=0xda05e0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:409
=> 0x7fcbe4 <js::ion::IonCommonFrameLayout::prevFrameLocalSize() const+12>:	mov    0x8(%rax),%rax
rax            0x200800ffffe9221	144255994283594273
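The -A sweep behind the report above, as an added example in C (this is not SpiderMonkey code; the frame structure, the function names and the depth are hypothetical): every allocation goes through a counting wrapper that fails on the Nth call, each N from 1 up to the allocation count of a clean run is tried, and after each induced OOM the frame chain is walked the way an error reporter walks the stack. The link_early ordering stands in for the general hazard the backtrace shows, a frame that is reachable from the stack before it is fully built; the safe ordering survives every N.

```c
/* Allocation-failure injection in the style of the `js -A N` runs above:
 * every allocation goes through inj_malloc(), and the Nth one returns NULL.
 * Added illustration, not SpiderMonkey code; the frame layout is made up. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

static long g_alloc_count;  /* allocations seen so far in the current run */
static long g_fail_at;      /* 1-based index of the allocation to fail; 0 = never */

static void *inj_malloc(size_t n)
{
    g_alloc_count++;
    if (g_fail_at != 0 && g_alloc_count == g_fail_at)
        return NULL;        /* simulated OOM at exactly this call */
    return malloc(n);
}

/* Toy frame chain: each frame points at the one below it. */
struct frame {
    struct frame *prev;
    size_t local_size;
    char *locals;
};

static struct frame *g_top;  /* top of the chain, like the engine's current frame */

/* Push a frame that needs two allocations. With link_early, the frame is put
 * on the chain before its second allocation: the unsafe ordering that leaves
 * a half-built frame visible to a later stack walk if that allocation fails. */
static int push_frame(size_t n, int link_early)
{
    struct frame *f = inj_malloc(sizeof *f);
    if (!f)
        return 0;
    f->local_size = n;
    f->locals = NULL;
    if (link_early) {
        f->prev = g_top;
        g_top = f;
    }
    f->locals = inj_malloc(n);
    if (!f->locals) {
        if (!link_early)
            free(f);        /* safe ordering: nothing references f yet */
        return 0;           /* unsafe ordering: f stays linked without locals */
    }
    memset(f->locals, 0, n);
    if (!link_early) {
        f->prev = g_top;
        g_top = f;
    }
    return 1;
}

static void pop_all(void)
{
    while (g_top) {
        struct frame *f = g_top;
        g_top = f->prev;
        free(f->locals);
        free(f);
    }
}

/* Walk the chain as an error reporter would after OOM. Returns the number of
 * frames, or -1 at the first frame whose locals were never allocated (a real
 * walker would have dereferenced that frame's contents). */
static long walk_frames(void)
{
    long n = 0;
    for (struct frame *f = g_top; f; f = f->prev) {
        if (!f->locals)
            return -1;
        n++;
    }
    return n;
}

/* One run: push `depth` frames with allocation number `fail_at` failing
 * (0 = none), then walk the chain. Returns walk_frames()' result. */
static long run(size_t depth, long fail_at, int link_early)
{
    long seen;
    g_alloc_count = 0;
    g_fail_at = fail_at;
    for (size_t i = 0; i < depth; i++)
        if (!push_frame(16, link_early))
            break;          /* OOM: stop pushing, then walk what is left */
    seen = walk_frames();
    pop_all();
    return seen;
}

/* Allocations a clean run of `depth` frames makes: the upper bound of the
 * sweep, every value from 1 to this is tried as the failing allocation. */
static long allocations_for(size_t depth)
{
    run(depth, 0, 0);
    return g_alloc_count;
}

/* Sweep fail_at over every allocation; returns how many runs exposed a
 * half-built frame to the walker (0 for the safe ordering). */
static long sweep(size_t depth, int link_early)
{
    long bad = 0, total = allocations_for(depth);
    for (long a = 1; a <= total; a++)
        if (run(depth, a, link_early) < 0)
            bad++;
    return bad;
}
```

For three frames a clean run makes six allocations; sweeping the safe ordering reports nothing, while the link_early ordering exposes a half-built frame in three of the six runs (each time the second allocation of a frame is the one that fails). The same principle is what the fuzzer's -A value encodes: it pins the failing allocation so the run is reproducible.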
Still valid with ballast patch, new -A value for revision 88ea2e529609 is 45994.
Dup of bug 756615 (accessing invalid stack values after OOM'ing under ConvertFrames).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 756615]
Group: core-security