992264 - Assertion failure: (ss->adjustDataSize(compressedLength)), at jsscript.cpp

Status: RESOLVED DUPLICATE of bug 993965

(Core :: JavaScript Engine, defect)

Description

[Hannes Verschore [:h4writer]]

js -e oomAfterAllocations\(73\) -f ./tests/shell.js -f ./tests/js1_7/geniter/shell.js -f ./tests/js1_7/geniter/regress-349331.js

Assertion failure: (ss->adjustDataSize(compressedLength)), at /home/h4writer/Build/mozilla-inbound/js/src/jsscript.cpp:1693

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb59fdb40 (LWP 10424)]
0x08495f23 in js::SourceCompressionTask::work (this=0xbfffda34) at /home/h4writer/Build/mozilla-inbound/js/src/jsscript.cpp:1693
1693            JS_ALWAYS_TRUE(ss->adjustDataSize(compressedLength));

ss->compressedLength_ before was 0
compressedLength is 9307

In https://hg.mozilla.org/integration/mozilla-inbound/rev/1c27fd77dbaa this path was adjusted, with the comment "// Shrink the buffer to the size of the compressed data. Shouldn't fail.". Apparently we also hit this case for increasing the buffer size. And we are failing here!

Comment 1

[Hannes Verschore [:h4writer]]

Adding Benjamin since he removed the relevant memory check.

Comment 2

[:Benjamin Peterson]

Clearly if you force the allocation to fail, it won't be true that it never fails. :) I don't think the buffer size is actually increasing. ss->compressedLength_ just isn't set yet.