Closed Bug 756629 Opened 8 years ago Closed 8 years ago

IonMonkey: OOM Testing: Assertion failure: unknown frame type, at js/src/ion/IonFrames-inl.h:77 or Crash [@ js::ion::IonCommonFrameLayout::prevFrameLocalSize]

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 756615

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:dupe 756615])

The following command asserts on ionmonkey revision 8c54899dae82 (dbg build):

js -e 'const libdir = "js/src/jit-test/lib/";' -A 114118 -f js/src/jit-test/tests/sunspider/check-crypto-aes.js

Bad looking crash after stepping through the assertion:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fcbe4 in js::ion::IonCommonFrameLayout::prevFrameLocalSize (this=0x200800ffffe9221) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:70
        in /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h
#0  0x00000000007fcbe4 in js::ion::IonCommonFrameLayout::prevFrameLocalSize (this=0x200800ffffe9221) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/shared/IonFrames-x86-shared.h:70
#1  0x00000000007fd059 in js::ion::IonFrameIterator::prevFrameLocalSize (this=0x7fffffffbcc8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames-inl.h:99
#2  0x00000000007fd8dc in js::ion::IonFrameIterator::operator++ (this=0x7fffffffbcc8) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/ion/IonFrames.cpp:265
#3  0x000000000066cc1b in js::StackIter::settleOnNewState (this=0x7fffffffbc60) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1192
#4  0x000000000066d2b5 in js::StackIter::StackIter (this=0x7fffffffbc60, cx=0xda05e0, savedOption=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.cpp:1295
#5  0x0000000000406e4c in js::ScriptFrameIter::ScriptFrameIter (this=0x7fffffffbc60, cx=0xda05e0, opt=js::StackIter::STOP_AT_SAVED) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/vm/Stack.h:1938
#6  0x0000000000482da0 in PopulateReportBlame (cx=0xda05e0, report=0x7fffffffc010) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:376
#7  0x0000000000482f08 in js_ReportOutOfMemory (cx=0xda05e0) at /tmp/abc-8c54899dae82-tNQ40M/compilePath/js/src/jscntxt.cpp:409
=> 0x7fcbe4 <js::ion::IonCommonFrameLayout::prevFrameLocalSize() const+12>:     mov    0x8(%rax),%rax
rax            0x200800ffffe9221        144255994283594273
Still valid with the ballast patch; the new -A value for revision 88ea2e529609 is 45994.
Dup of bug 756615 (accessing invalid stack values after OOM'ing under ConvertFrames).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 756615
Whiteboard: [sg:dupe 756615]
Group: core-security
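The failure mode described in the report and in the dup comment, an OOM during frame conversion followed by the OOM reporter walking a stack the conversion left half-updated, as an added, simplified C model. This is example code written for this page, not SpiderMonkey's: the frame layout, the type tags, the 256-byte stack and every function name are invented for illustration, and the "allocation" that fails is simulated by a counter. It contrasts a bounds- and tag-checked frame walker with the unchecked dereference in the trace above, and an in-place descriptor rewrite with an all-or-nothing one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of a downward-growing stack holding a chain
 * of JIT frames. Each frame begins with one 64-bit descriptor packing the
 * caller's local size (upper bits) and a frame-type tag (low 2 bits). Names
 * and constants are this example's own, not SpiderMonkey's. */
typedef uint64_t Desc;
#define TYPE_MASK   0x3u
#define TYPE_ENTRY  0u   /* outermost frame: the walk stops here */
#define TYPE_JS     1u
#define TYPE_EXIT   2u   /* 3 is unassigned, i.e. an "unknown frame type" */
#define STACK_BYTES 256
#define MAX_FRAMES  (STACK_BYTES / sizeof(Desc))

typedef struct {
    uint8_t mem[STACK_BYTES];
    size_t  top;             /* offset of the innermost frame's descriptor */
} Stack;

static Desc make_desc(size_t prev_local_size, unsigned type) {
    return ((Desc)prev_local_size << 2) | (type & TYPE_MASK);
}
static Desc read_desc(const Stack *s, size_t off) {
    Desc d; memcpy(&d, &s->mem[off], sizeof d); return d;
}
static void write_desc(Stack *s, size_t off, Desc d) {
    memcpy(&s->mem[off], &d, sizeof d);
}

/* Constructed input: `nframes` JS frames with `local_size` bytes of locals
 * each, above one entry frame. Returns 0 on success. */
static int build_stack(Stack *s, size_t nframes, size_t local_size) {
    if ((nframes + 1) * (sizeof(Desc) + local_size) > STACK_BYTES) return -1;
    memset(s->mem, 0, sizeof s->mem);
    size_t off = STACK_BYTES - sizeof(Desc);
    write_desc(s, off, make_desc(0, TYPE_ENTRY));
    for (size_t i = 0; i < nframes; i++) {
        off -= local_size + sizeof(Desc);
        write_desc(s, off, make_desc(local_size, TYPE_JS));
    }
    s->top = off;
    return 0;
}

/* Frame walk as an OOM reporter would do it. Returns the frame count (entry
 * frame included) or -1 if the chain is inconsistent. These checks separate
 * "give up on the blame info" from the crash above, where a packed word
 * (0x200800ffffe9221) was dereferenced as a frame pointer. */
static int walk_frames_checked(const Stack *s) {
    size_t off = s->top;
    for (int count = 1; ; count++) {
        if (off > STACK_BYTES - sizeof(Desc)) return -1;     /* ran off the stack */
        Desc d = read_desc(s, off);
        unsigned type = (unsigned)(d & TYPE_MASK);
        if (type == TYPE_ENTRY) return count;
        if (type != TYPE_JS && type != TYPE_EXIT) return -1; /* unknown frame type */
        size_t prev_locals = (size_t)(d >> 2);
        if (prev_locals > STACK_BYTES) return -1;            /* size word is garbage */
        off += sizeof(Desc) + prev_locals;
    }
}

/* Simulated "convert frames" pass: retags every JS frame as TYPE_EXIT, one
 * allocation per frame, and allocation number `fail_at` fails. In-place
 * variant: the descriptor is already clobbered when the allocation fails, so
 * the reporter's stack walk runs over a poisoned chain. */
static int convert_in_place(Stack *s, size_t fail_at) {
    size_t off = s->top;
    for (size_t i = 0; ; i++) {
        Desc d = read_desc(s, off);
        if ((d & TYPE_MASK) == TYPE_ENTRY) return 0;
        write_desc(s, off, 0x200800ffffe9221ull);    /* half-written descriptor */
        if (i == fail_at) return -1;                  /* OOM mid-rewrite */
        write_desc(s, off, make_desc((size_t)(d >> 2), TYPE_EXIT));
        off += sizeof(Desc) + (size_t)(d >> 2);
    }
}

/* Transactional variant: run every fallible step first, commit only once all
 * succeeded. On OOM the stack is untouched and the reporter can still walk it. */
static int convert_transactional(Stack *s, size_t fail_at) {
    size_t offs[MAX_FRAMES], n = 0, off = s->top;
    Desc   news[MAX_FRAMES];
    for (Desc d; ((d = read_desc(s, off)) & TYPE_MASK) != TYPE_ENTRY; ) {
        if (n == fail_at) return -1;                  /* OOM: nothing written yet */
        offs[n] = off;
        news[n++] = make_desc((size_t)(d >> 2), TYPE_EXIT);
        off += sizeof(Desc) + (size_t)(d >> 2);
    }
    for (size_t i = 0; i < n; i++) write_desc(s, offs[i], news[i]);
    return 0;
}

/* Four JS frames, the allocation for the third one fails; returns what the
 * error-path walker then sees: -1 for in-place, 5 for transactional. */
static int walker_after_oom(int (*convert)(Stack *, size_t)) {
    Stack s;
    if (build_stack(&s, 4, 16) != 0) return -2;
    convert(&s, 2);
    return walk_frames_checked(&s);
}
```

The two fixes are independent and both are worth having: the walker must never trust a descriptor it reads from a stack that may be mid-mutation (validate the tag and bound the computed address before the next load), and a conversion pass that can fail should do its allocations before it touches any frame, so the error-reporting path that runs on failure only ever sees the old, consistent chain.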