Closed
Bug 283064
Opened 19 years ago
Closed 19 years ago
Crash on second run of testcase in URL
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
People
(Reporter: mrbkap, Assigned: brendan)
Details
(Keywords: crash, js1.5)
Attachments (2 files)
2.15 KB, text/plain
2.00 KB, patch (brendan: review+)
When running the testcase in the URL in a js shell (MSVC debugger, -S 524288), it runs to completion for one iteration, but a subsequent run crashes in js_FinalizeObject.

Stack trace:
> js32.dll!js_FinalizeObject(JSContext * cx=0x00032610, JSObject * obj=0x004338a8) Line 2061 + 0x60 C
js32.dll!js_GC(JSContext * cx=0x00032610, unsigned int gcflags=0) Line 1808 + 0xb C
js32.dll!js_ForceGC(JSContext * cx=0x00032610, unsigned int gcflags=0) Line 1482 + 0xd C
js32.dll!JS_GC(JSContext * cx=0x00032610) Line 1752 + 0xb C
js.exe!GC(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, unsigned int argc=0, long * argv=0x00453164, long * rval=0x0013db64) Line 757 + 0xa C
js32.dll!js_Invoke(JSContext * cx=0x00032610, unsigned int argc=0, unsigned int flags=0) Line 1293 + 0x20 C
js32.dll!js_Interpret(JSContext * cx=0x00032610, unsigned char * pc=0x012c7f82, long * result=0x0013e42c) Line 3563 + 0xf C
js32.dll!js_Execute(JSContext * cx=0x00032610, JSObject * chain=0x000387a8, JSScript * script=0x012c7e90, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x0013e4c4) Line 1523 + 0x13 C
js32.dll!JS_ExecuteScript(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, JSScript * script=0x012c7e90, long * rval=0x0013e4c4) Line 3630 + 0x19 C
js.exe!Process(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, char * filename=0x00000000) Line 385 + 0x16 C
js.exe!ProcessArgs(JSContext * cx=0x00032610, JSObject * obj=0x000387a8, char * * argv=0x00032514, int argc=2) Line 573 + 0x11 C
js.exe!main(int argc=2, char * * argv=0x00032514, char * * envp=0x00032cf0) Line 2493 + 0x15 C
js.exe!mainCRTStartup() Line 398 + 0xe C
Comment 1•19 years ago
Note that you can run individual tests in the browser without having to go through the menu via: <http://bclary.com/2004/10/03/js-tests/js-test-driver-quirks.html?test=js1_5/Regress/regress-203278-3.js;language=javascript>
Comment 2•19 years ago
*** Bug 283439 has been marked as a duplicate of this bug. ***
Comment 3•19 years ago
The shell built from CVS tip crashes on the script consisting of the single call to gc() as long as DeutschSchorrWaite is called:

gc();

~/w/js/mozilla/js/src> cat ~/s/x2.js
gc();
~/w/js/mozilla/js/src> ~/w/js/mozilla/js/src/Linux_All_DBG.OBJ/js -S 6000 ~/s/x2.js
before 2223, after 2205, break 096e2000
Segmentation fault
Updated•19 years ago
Comment 4•19 years ago
Igor, what's the stack? Have you clobbered before rebuilding the shell, after updating possibly incompatible header file (struct size and/or member offset) changes? The shell build crap has no dependency automation. /be
Status: NEW → ASSIGNED
Comment 5•19 years ago
(In reply to comment #4)
> Have you clobbered before rebuilding the shell, after
> updating possibly incompatible header file (struct size and/or member offset)
> changes? The shell build crap has no dependency automation.

This is a fresh build from the current CVS head as is after removing manually Linux_All_DBG.OBJ just to be sure. The system is FedoraCore-3 with all updates applied:

~> cat /proc/version
Linux version 2.6.10-1.766_FC3 (bhcompile@bugs.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)) #1 Wed Feb 9 23:06:42 EST 2005
~> gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.2/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.2 20041017 (Red Hat 3.4.2-6.fc3)

After the compilation I run:

~/w/js/mozilla/js/src> ~/w/js/mozilla/js/src/Linux_All_DBG.OBJ/js -S 6000 ~/s/x2.js
before 2367, after 2349, break 0838b000
Segmentation fault

where x2.js contains just the line gc();
Comment 6•19 years ago
Comment 7•19 years ago
The binary search revealed that the bug happens between

cvs upd -D 2005-01-05 (no seg fault)
cvs upd -D 2005-01-06 (seg fault)

That points to:

----------------------------
revision 3.87
date: 2005/01/05 06:15:03; author: brendan%mozilla.org; state: Exp; lines: +272 -159
Revamp the GC to fix E4X private data dueling GC bugs, to reduce malloc costs for small-ish objects and functions, and to pave the way for further GC wins (123668, r=shaver, TAKE 2).
----------------------------
revision 3.86
date: 2005/01/05 03:58:19; author: brendan%mozilla.org; state: Exp; lines: +153 -264
Back out, broke liveconnect at least.
----------------------------
revision 3.85
date: 2005/01/05 02:56:36; author: brendan%mozilla.org; state: Exp; lines: +264 -153
Revamp the GC to fix E4X private data dueling GC bugs, to reduce malloc costs for small-ish objects and functions, and to pave the way for further GC wins (123668, r=shaver).
Priority: P1 → --
Target Milestone: mozilla1.8beta2 → ---
Comment 8•19 years ago
AFAICS the reason for the bug is that DeutschSchorrWaite never marks small slot arrays, which causes their deallocation. The patch simply duplicates

    /* Mark slots if they are small enough to be GC-allocated. */
    if ((vp[-1] + 1) * sizeof(jsval) <= GC_NBYTES_MAX)
        GC_MARK(cx, vp - 1, "slots", NULL);

from MARK_GC_THING into DeutschSchorrWaite and changes its place in MARK_GC_THING to avoid double calls to GC_MARK.
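The failure mode described in comment 8, as an added illustration that is not SpiderMonkey code and not part of this bug's patch: a toy mark-and-sweep heap in which an object and its small slot array are separate GC-allocated things, exactly the situation the GC_NBYTES_MAX rule creates. The iterative marker uses an explicit stack in place of the pointer-reversing Deutsch-Schorr-Waite walk; with mark_slots set to 0 it reproduces the pre-fix behaviour (reachable objects marked, their slots things not), and the sweep then frees every live object's slots, leaving dangling pointers for the next collection's finalizer to trip over. All names, sizes and the GC_NBYTES_MAX value are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Toy GC heap: objects and their small slot arrays are both GC "things". */
#define NTHINGS 64
#define NSLOTS 4
#define GC_NBYTES_MAX 64          /* constructed threshold, not SpiderMonkey's */

enum kind { FREE, OBJECT, SLOTS };

struct thing {
    enum kind kind;
    int marked;
    int slots;          /* OBJECT: index of its SLOTS thing, or -1 */
    int ref[NSLOTS];    /* SLOTS: indices of referenced objects, or -1 */
};

static struct thing heap[NTHINGS];

static void heap_reset(void)
{
    int i, j;
    memset(heap, 0, sizeof heap);
    for (i = 0; i < NTHINGS; i++) {
        heap[i].slots = -1;
        for (j = 0; j < NSLOTS; j++) heap[i].ref[j] = -1;
    }
}

static int alloc_thing(enum kind k)
{
    int i;
    for (i = 0; i < NTHINGS; i++)
        if (heap[i].kind == FREE) { heap[i].kind = k; return i; }
    return -1;
}

/* Slot arrays small enough are GC-allocated, mirroring the (vp[-1] + 1) * sizeof(jsval) rule. */
static int new_object(void)
{
    int o = alloc_thing(OBJECT);
    if (o >= 0 && (NSLOTS + 1) * sizeof(int) <= GC_NBYTES_MAX)
        heap[o].slots = alloc_thing(SLOTS);
    return o;
}

static void set_slot(int o, int i, int target) { heap[heap[o].slots].ref[i] = target; }

/* Iterative marker (explicit stack stands in for the DeutschSchorrWaite walk).
 * mark_slots == 0 is the pre-fix behaviour: objects get marked, SLOTS things do not. */
static void mark_from(int root, int mark_slots)
{
    int stack[NTHINGS * NSLOTS];
    int sp = 0, i;
    stack[sp++] = root;
    while (sp > 0) {
        int o = stack[--sp], s;
        if (o < 0 || heap[o].marked) continue;
        heap[o].marked = 1;
        s = heap[o].slots;
        if (s < 0) continue;
        if (mark_slots) heap[s].marked = 1;   /* the mark the fix adds */
        for (i = 0; i < NSLOTS; i++)
            if (heap[s].ref[i] >= 0) stack[sp++] = heap[s].ref[i];
    }
}

/* Sweep: finalize every unmarked thing, clear marks; returns the number freed. */
static int sweep(void)
{
    int i, freed = 0;
    for (i = 0; i < NTHINGS; i++) {
        if (heap[i].kind == FREE) continue;
        if (heap[i].marked) heap[i].marked = 0;
        else { heap[i].kind = FREE; freed++; }
    }
    return freed;
}

/* A live object whose SLOTS thing was swept now holds a dangling pointer;
 * a later GC that finalizes or traverses it reads freed memory. */
static int count_dangling(void)
{
    int i, n = 0;
    for (i = 0; i < NTHINGS; i++)
        if (heap[i].kind == OBJECT && heap[i].slots >= 0 &&
            heap[heap[i].slots].kind != SLOTS)
            n++;
    return n;
}

/* Build root -> a -> b -> root plus one unreachable object, run one GC.
 * Returns the dangling count; *freed receives the number of things swept. */
static int run_scenario(int mark_slots, int *freed)
{
    int root, a, b;
    heap_reset();
    root = new_object(); a = new_object(); b = new_object();
    new_object();                                   /* garbage, never referenced */
    set_slot(root, 0, a); set_slot(a, 0, b); set_slot(b, 0, root);
    mark_from(root, mark_slots);
    *freed = sweep();
    return count_dangling();
}

int main(void)
{
    int freed, dangling;
    dangling = run_scenario(0, &freed);
    printf("pre-fix: dangling=%d freed=%d\n", dangling, freed);   /* 3, 5 */
    dangling = run_scenario(1, &freed);
    printf("fixed:   dangling=%d freed=%d\n", dangling, freed);   /* 0, 2 */
    return 0;
}
```

The unfixed run sweeps five things: the unreachable object, its slots, and the slots of all three live objects, which is the "small slot arrays are deallocated" condition comment 8 names. With the extra mark only the unreachable object and its slots go, and no live object is left pointing at freed memory.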
Comment 9•19 years ago
Comment on attachment 175654: Fix: marking small slots in DeutschSchorrWaite

Thanks, Igor! r=me, sorry I didn't get to this (too much to do yesterday with 1.0.1 and meetings). /be
Attachment #175654 - Flags: review+
Comment 10•19 years ago
Fixed, thanks again. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
Flags: testcase+