Closed
Bug 992264
Opened 10 years ago
Closed 10 years ago
Assertion failure: (ss->adjustDataSize(compressedLength)), at jsscript.cpp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 993965
People
(Reporter: h4writer, Unassigned)
Details
js -e oomAfterAllocations\(73\) -f ./tests/shell.js -f ./tests/js1_7/geniter/shell.js -f ./tests/js1_7/geniter/regress-349331.js Assertion failure: (ss->adjustDataSize(compressedLength)), at /home/h4writer/Build/mozilla-inbound/js/src/jsscript.cpp:1693 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb59fdb40 (LWP 10424)] 0x08495f23 in js::SourceCompressionTask::work (this=0xbfffda34) at /home/h4writer/Build/mozilla-inbound/js/src/jsscript.cpp:1693 1693 JS_ALWAYS_TRUE(ss->adjustDataSize(compressedLength)); ss->compressedLength_ before was 0 compressedLength is 9307 In https://hg.mozilla.org/integration/mozilla-inbound/rev/1c27fd77dbaa this path was adjusted, with the comment "// Shrink the buffer to the size of the compressed data. Shouldn't fail.". Apparently we also hit this case for increasing the buffer size. And we are failing here!
Reporter | ||
Comment 1•10 years ago
|
||
Adding Benjamin since he removed the relevant memory check.
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox30:
--- → affected
status-firefox31:
--- → affected
Flags: needinfo?(benjamin)
Comment 2•10 years ago
|
||
Clearly if you force the allocation to fail, it won't be true that it never fails. :) I don't think the buffer size is actually increasing. ss->compressedLength_ just isn't set yet.
Flags: needinfo?(benjamin)
Updated•10 years ago
|
Summary: Assertion failure → Assertion failure: (ss->adjustDataSize(compressedLength)), at jsscript.cpp
Reporter | ||
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•