Last Comment Bug 914598 - Crash [@ js::jit::ICFallbackStub::addNewStub] with OOM
: Crash [@ js::jit::ICFallbackStub::addNewStub] with OOM
Status: RESOLVED DUPLICATE of bug 948233
[jsbugmon:]
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
-- critical (vote)
: ---
Assigned To: general
: general
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928 872823
  Show dependency treegraph
 
Reported: 2013-09-10 05:51 PDT by Christian Holler (:decoder)
Modified: 2013-12-11 08:18 PST (History)
7 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
[crash-signature] Machine-readable crash signature (302 bytes, text/plain)
2013-09-10 05:54 PDT, Christian Holler (:decoder)
no flags Details

Description User image Christian Holler (:decoder) 2013-09-10 05:51:28 PDT
The following testcase crashes on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe --ion-eager):


function test() {
oomAfterAllocations(2);
undefined <= 3;
} test();
Comment 1 User image Christian Holler (:decoder) 2013-09-10 05:54:55 PDT
Created attachment 802264 [details]
[crash-signature] Machine-readable crash signature
Comment 2 User image Christian Holler (:decoder) 2013-09-10 08:32:55 PDT
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 1.649 seconds to run.
Comment 3 User image Christian Holler (:decoder) 2013-12-10 17:32:39 PST
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3ea3d3baa67b).
Comment 4 User image Christian Holler (:decoder) 2013-12-11 08:16:18 PST
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/908680cb2773
parent:      159651:80d1a749ea68
user:        Christian Holler
date:        Tue Dec 10 12:24:06 2013 +0100
summary:     Bug 948233 - Fix an OOM issue in DoCompareFallback. r=jandem

This iteration took 345.454 seconds to run.
Comment 5 User image Christian Holler (:decoder) 2013-12-11 08:18:16 PST

*** This bug has been marked as a duplicate of bug 948233 ***

Note You need to log in before you can comment on or make changes to this bug.