Closed Bug 283064 Opened 19 years ago Closed 19 years ago

Crash on second run of testcase in URL

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

VERIFIED FIXED

People

(Reporter: mrbkap, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(2 files)

When running the testcase in the URL in a js shell (MSVC debugger, -S 524288),
it runs to completion for one iteration, but a subsequent run crashes in
js_FinalizeObject.

Stack trace:
>  js32.dll!js_FinalizeObject(JSContext * cx=0x00032610, JSObject * obj=0x004338a8)  Line 2061 + 0x60	C
   js32.dll!js_GC(JSContext * cx=0x00032610, unsigned int gcflags=0)  Line 1808 + 0xb	C
   js32.dll!js_ForceGC(JSContext * cx=0x00032610, unsigned int gcflags=0)  Line 1482 + 0xd	C
   js32.dll!JS_GC(JSContext * cx=0x00032610)  Line 1752 + 0xb	C
   js.exe!GC(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, unsigned int argc=0, long * argv=0x00453164, long * rval=0x0013db64)  Line 757 + 0xa	C
   js32.dll!js_Invoke(JSContext * cx=0x00032610, unsigned int argc=0, unsigned int flags=0)  Line 1293 + 0x20	C
   js32.dll!js_Interpret(JSContext * cx=0x00032610, unsigned char * pc=0x012c7f82, long * result=0x0013e42c)  Line 3563 + 0xf	C
   js32.dll!js_Execute(JSContext * cx=0x00032610, JSObject * chain=0x000387a8, JSScript * script=0x012c7e90, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0013e4c4)  Line 1523 + 0x13	C
   js32.dll!JS_ExecuteScript(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, JSScript * script=0x012c7e90, long * rval=0x0013e4c4)  Line 3630 + 0x19	C
   js.exe!Process(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, char * filename=0x00000000)  Line 385 + 0x16	C
   js.exe!ProcessArgs(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, char * * argv=0x00032514, int argc=2)  Line 573 + 0x11	C
   js.exe!main(int argc=2, char * * argv=0x00032514, char * * envp=0x00032cf0)  Line 2493 + 0x15	C
   js.exe!mainCRTStartup()  Line 398 + 0xe	C

Note that you can run individual tests in the browser without having to go
through the menu via:

<http://bclary.com/2004/10/03/js-tests/js-test-driver-quirks.html?test=js1_5/Regress/regress-203278-3.js;language=javascript>
*** Bug 283439 has been marked as a duplicate of this bug. ***
The shell built from CVS tip crashes on the script consisting of the single call
to gc() as long as DeutschSchorrWaite is called:

~/w/js/mozilla/js/src> cat ~/s/x2.js
gc();
~/w/js/mozilla/js/src> ~/w/js/mozilla/js/src/Linux_All_DBG.OBJ/js -S 6000  ~/s/x2.js
before 2223, after 2205, break 096e2000
Segmentation fault

Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta2
Igor, what's the stack?  Have you clobbered before rebuilding the shell, after
updating possibly incompatible header file (struct size and/or member offset)
changes?  The shell build crap has no dependency automation.

/be
Status: NEW → ASSIGNED
(In reply to comment #4)
> Have you clobbered before rebuilding the shell, after
> updating possibly incompatible header file (struct size and/or member offset)
> changes?  The shell build crap has no dependency automation.

This is a fresh build from the current CVS head, made after manually removing
Linux_All_DBG.OBJ just to be sure. The system is FedoraCore-3 with all updates
applied:

~> cat /proc/version
Linux version 2.6.10-1.766_FC3 (bhcompile@bugs.build.redhat.com) (gcc version
3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Wed Feb 9 23:06:42 EST 2005

~> gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)


After the compilation I run:

~/w/js/mozilla/js/src> ~/w/js/mozilla/js/src/Linux_All_DBG.OBJ/js -S 6000  ~/s/x2.js
before 2367, after 2349, break 0838b000
Segmentation fault

where x2.js contains just the line
gc();
Attached file GDB stack trace
The binary search revealed that the bug happens between

 cvs upd -D 2005-01-05 (no seg fault)
 cvs upd -D 2005-01-06 (seg fault)
 
That points to:

----------------------------
revision 3.87
date: 2005/01/05 06:15:03;  author: brendan%mozilla.org;  state: Exp;  lines: +272 -159
Revamp the GC to fix E4X private data dueling GC bugs, to reduce malloc costs for small-ish objects and functions, and to pave the way for further GC wins (123668, r=shaver, TAKE 2).
----------------------------
revision 3.86
date: 2005/01/05 03:58:19;  author: brendan%mozilla.org;  state: Exp;  lines: +153 -264
Back out, broke liveconnect at least.
----------------------------
revision 3.85
date: 2005/01/05 02:56:36;  author: brendan%mozilla.org;  state: Exp;  lines: +264 -153
Revamp the GC to fix E4X private data dueling GC bugs, to reduce malloc costs for small-ish objects and functions, and to pave the way for further GC wins (123668, r=shaver).
Priority: P1 → --
Target Milestone: mozilla1.8beta2 → ---
AFAICS the reason for the bug is that DeutschSchorrWaite never marks small slot
arrays, which causes their deallocation. The patch simply duplicates

    /* Mark slots if they are small enough to be GC-allocated. */
    if ((vp[-1] + 1) * sizeof(jsval) <= GC_NBYTES_MAX)
        GC_MARK(cx, vp - 1, "slots", NULL);

from MARK_GC_THING in DeutschSchorrWaite and changes its place in
MARK_GC_THING to avoid double calls to GC_MARK.
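To illustrate the marking mismatch described in the comment above, here is an added C model (not SpiderMonkey code and not the patch): an object's slots array is a separate GC thing only when it is small, two marking paths stand in for MARK_GC_THING and the DeutschSchorrWaite fallback, and the sweep reports when a live object is left pointing at swept slots. GC_NBYTES_MAX, the jsval size and the heap layout are assumptions of the model.

```c
#include <stddef.h>
/* Toy model of the mark phase, added to illustrate the bug; not SpiderMonkey
 * code. GC_NBYTES_MAX, the jsval size and the heap layout are assumptions. */
#define GC_NBYTES_MAX 64   /* assumed: largest GC-allocated thing, in bytes */
#define MAX_THINGS 8
typedef long jsval;        /* assumed pointer-sized, as in the real engine */
typedef struct Thing {
    int marked;            /* set by the mark phase; unmarked things are swept */
    struct Thing *slots;   /* object -> its GC-allocated slots array, else NULL */
} Thing;
typedef struct { Thing things[MAX_THINGS]; int n; } Heap;
static Thing *alloc_thing(Heap *h) {
    Thing *t = &h->things[h->n++];
    t->marked = 0; t->slots = NULL;
    return t;
}
/* The patch's condition: slots are a GC thing only when small (vp[-1] holds
 * the slot count, so the array is nslots + 1 jsvals long). */
int slots_gc_allocated(int nslots) {
    return (nslots + 1) * (int)sizeof(jsval) <= GC_NBYTES_MAX;
}
/* Large slot arrays are malloc'd and freed with their object; only small ones
 * are separate GC things that need a mark of their own. */
static Thing *new_object(Heap *h, int nslots) {
    Thing *obj = alloc_thing(h);
    if (slots_gc_allocated(nslots)) obj->slots = alloc_thing(h);
    return obj;
}
/* MARK_GC_THING marked small slots; the DeutschSchorrWaite fallback did not
 * until the patch. fixed == 0 models that fallback before the fix. */
static void mark(Thing *obj, int fixed) {
    obj->marked = 1;
    if (fixed && obj->slots) obj->slots->marked = 1;
}
/* Sweep: unmarked things are freed. Report whether a live object is left
 * pointing at swept slots, the state js_FinalizeObject later tripped over. */
static int sweep_and_check(Heap *h) {
    int dangling = 0;
    for (int i = 0; i < h->n; i++) {
        Thing *t = &h->things[i];
        if (t->marked && t->slots && !t->slots->marked) dangling = 1;
    }
    return dangling;
}
/* One GC cycle over a single root object; returns 1 if its slots dangle. */
int gc_cycle(int nslots, int fixed) {
    Heap h = { .n = 0 };
    mark(new_object(&h, nslots), fixed);
    return sweep_and_check(&h);
}
```

A consistency test of this shape, run over both marking paths, is what catches a divergence like this before the second gc() does.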
Comment on attachment 175654 [details] [diff] [review]
Fix: marking small slots in DeutschSchorrWaite

Thanks, Igor!  r=me, sorry I didn't get to this (too much to do yesterday with
1.0.1 and meetings).

/be
Attachment #175654 - Flags: review+
Fixed, thanks again.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
verified fixed in winxp.
Status: RESOLVED → VERIFIED
Flags: testcase+