Bug 930526 - Assertion failure: obj, at dist/include/js/Value.h:527 with OOM
Status: RESOLVED FIXED
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Linux
: -- critical
: mozilla28
Assigned To: Terrence Cole [:terrence]
: general
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928
Reported: 2013-10-24 06:56 PDT by Christian Holler (:decoder)
Modified: 2014-02-05 05:36 PST
terrence.d.cole: in‑testsuite-

Attachments
[crash-signature] Machine-readable crash signature (806 bytes, text/plain)
2013-10-24 07:01 PDT, Christian Holler (:decoder)
no flags
[crash-signature] Machine-readable crash signature (811 bytes, text/plain)
2013-10-29 05:58 PDT, Christian Holler (:decoder)
no flags
missing_check_in_InitTypedObjectClass-v0.diff (1.09 KB, patch)
2013-11-05 10:24 PST, Terrence Cole [:terrence]
nmatsakis: review+
[crash-signature] Machine-readable crash signature (789 bytes, text/plain)
2013-11-05 16:24 PST, Christian Holler (:decoder)
no flags

Description Christian Holler (:decoder) 2013-10-24 06:56:34 PDT
The following testcase asserts on mozilla-central revision 19fd3388c372 (run with --fuzzing-safe --ion-eager --ion-eager --ion-check-range-analysis):


oomAfterAllocations(1);
var uint32 = TypedObject.uint32;
Comment 1 Christian Holler (:decoder) 2013-10-24 07:01:46 PDT
Created attachment 821680
[crash-signature] Machine-readable crash signature
Comment 2 Christian Holler (:decoder) 2013-10-29 05:58:26 PDT
Created attachment 823972
[crash-signature] Machine-readable crash signature
Comment 3 Terrence Cole [:terrence] 2013-11-05 10:24:34 PST
Created attachment 827516
missing_check_in_InitTypedObjectClass-v0.diff

Trivial. Not really worth the overhead of a test here.
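
The failure mode this bug describes, as an added example that is not code from the bug, the patch, or SpiderMonkey: a fail-after-N allocator (in the spirit of the testcase's oomAfterAllocations(1); its counting semantics here are an assumption) is swept across an initializer with and without the null check. All names (allocObj, Value, initClassUnchecked, initClassChecked, sweep) are hypothetical, and sweeping every allocation index goes beyond the single failure point in the testcase.

```cpp
// Simplified model, not SpiderMonkey source; every name here is hypothetical.
#include <cstddef>
#include <new>
struct Obj { int slot = 0; };

// Fault injection: allocation number g_failAt (0-based) and all later ones fail.
static const std::size_t kNever = static_cast<std::size_t>(-1);
static std::size_t g_allocs = 0, g_failAt = kNever;

Obj* allocObj() {
    if (g_allocs++ >= g_failAt) return nullptr;  // simulated OOM
    return new (std::nothrow) Obj();
}

// Stand-in for a wrapper that asserts on null; misuse is counted, not aborted on.
static int g_nullWraps = 0;
struct Value {
    Obj* p;
    explicit Value(Obj* o) : p(o) { if (!o) ++g_nullWraps; }
};

// Missing check: the second allocation's result is wrapped unchecked.
bool initClassUnchecked() {
    Obj* proto = allocObj();
    if (!proto) return false;
    Obj* ctor = allocObj();
    Value v(ctor);  // a null object reaches the wrapper under OOM
    bool ok = (v.p != nullptr);
    delete ctor; delete proto;
    return ok;
}

// With the check: each fallible allocation is tested and failure propagates.
bool initClassChecked() {
    Obj* proto = allocObj();
    if (!proto) return false;
    Obj* ctor = allocObj();
    if (!ctor) { delete proto; return false; }
    Value v(ctor);
    delete ctor; delete proto;
    return true;
}

// Fail at each allocation index in turn; return how often null was wrapped.
int sweep(bool (*init)(), std::size_t maxAllocs) {
    g_nullWraps = 0;
    for (std::size_t n = 0; n < maxAllocs; ++n) { g_allocs = 0; g_failAt = n; init(); }
    g_failAt = kNever;
    return g_nullWraps;
}
```

In this model, sweep(initClassUnchecked, 3) reports one null object reaching the wrapper (the failure injected at the second allocation), while sweep(initClassChecked, 3) reports none.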
Comment 4 Christian Holler (:decoder) 2013-11-05 16:24:43 PST
Created attachment 827703
[crash-signature] Machine-readable crash signature
Comment 5 Terrence Cole [:terrence] 2013-11-06 11:42:52 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/abe5f544e06a
Comment 6 Wes Kocher (:KWierso) 2013-11-06 18:13:45 PST
https://hg.mozilla.org/mozilla-central/rev/abe5f544e06a
Comment 7 Ioana (away) 2014-02-05 05:36:44 PST
Tested with the 11/01 and 02/04 Firefox 28 JS shells on Ubuntu 13.04 x86. I got the same results with both shells (although the 11/01 one is supposed to reproduce the assertion):
"out of memory
out of memory".