Closed
Bug 331786
Opened 18 years ago
Closed 18 years ago
WAY_TOO_MUCH_GC crash in regress-290499.js
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: dbaron, Assigned: dbaron)
References
()
Details
(Keywords: crash, verified1.8.0.4, verified1.8.1)
Attachments
(1 file, 1 obsolete file)
|
1.13 KB,
patch
|
brendan
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
I'm seeing a crash on the test http://lxr.mozilla.org/mozilla/source/js/tests/e4x/Regress/regress-290499.js with WAY_TOO_MUCH_GC defined. I don't completely understand what's going on. We crash in an invalid free, freeing obj->slots for what looks, based on allocation traces at least, like obj itself hasn't been incorrectly deallocated or reused from another incorrect deallocation. But obj->slots doesn't match the slots allocated immediately after obj was, and those slots do look prematurely deallocated. That doesn't explain the bogus obj->slots, but it could be related. In any case, the order of events is: #1: js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:743) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2021) js_NewFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2048) js_DefineFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2116) js_InitXMLClass (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7490) JS_ResolveStandardClass (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:1423) BackstagePass::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) (/home/dbaron/builds/tXPC_WN_Helper_NewResolve (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1061) js_LookupPropertyWithFlags (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2780) js_FindConstructor (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2130) js_GetClassPrototype (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:3926) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2000) NewXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7347) js_GetXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7382) ToXMLList (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:2166) js_Interpret (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:5549) js_Execute (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:1497) JS_ExecuteScript (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:4030) ProcessFile (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:595) ProcessArgs (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:793) main (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:1108) #2: js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:743) AllocSlots (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:1936) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2073) js_NewFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2048) js_DefineFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2116) js_InitXMLClass (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7490) JS_ResolveStandardClass (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:1423) BackstagePass::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) (/home/dbaron/builds/tXPC_WN_Helper_NewResolve (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1061) js_LookupPropertyWithFlags (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2780) js_FindConstructor (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2130) js_GetClassPrototype (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:3926) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2000) NewXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7347) js_GetXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7382) ToXMLList (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:2166) js_Interpret (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:5549) js_Execute (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:1497) JS_ExecuteScript (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:4030) ProcessFile (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:595) ProcessArgs (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:793) main (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:1108) #3 (frees slots allocated at #2) js_GC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:2148) js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:668) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2021) NewXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7347) js_GetXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7382) ToXMLList (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:2166) js_Interpret (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:5549) js_Execute (/home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:1497) JS_ExecuteScript (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:4030) ProcessFile (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:595) ProcessArgs (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:793) main (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:1108) #4: frees obj allocated at #1, with bogus slots pointer not the one allocated at #2, and thus crashes: js_GC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:2148) js_ForceGC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:1779) main (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:1111)
|
Assignee | |
Comment 1•18 years ago
|
||
(In reply to comment #0) > or reused from another incorrect deallocation. But obj->slots doesn't match > the slots allocated immediately after obj was, and those slots do look > prematurely deallocated. That doesn't explain the bogus obj->slots, but it > could be related. That's probably just because it grew, now that I think of it...
|
|
Assignee | |
Updated•18 years ago
|
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
|
|
Assignee | |
Comment 2•18 years ago
|
||
So I wasn't subtracting a word from the obj->slots pointer before correlating it with my log. Doing that makes things make much more sense. I think the problem is something that was allocated and incorrectly freed being reused as the obj->slots for this object and then written to by its previous owner. The bad allocation and deallocation are: js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:743) js_NewXML (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7221) js_NewXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7336) ToXMLList (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:2166) js_GC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:2148) js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:668) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2021) js_NewFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2048) js_DefineFunction (/home/dbaron/builds/trunk/mozilla/js/src/jsfun.c:2116) js_InitXMLClass (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7490) JS_ResolveStandardClass (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:1423) BackstagePass::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) (/home/dbaron/builds/tXPC_WN_Helper_NewResolve (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1061) js_LookupPropertyWithFlags (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2781) js_FindConstructor (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2130) js_GetClassPrototype (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:3927) js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2000) NewXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7347) js_GetXMLObject (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:7382) ToXMLList (/home/dbaron/builds/trunk/mozilla/js/src/jsxml.c:2166)
|
|
Assignee | |
Comment 3•18 years ago
|
||
This fixes it; I'm sure brendan won't like the comment style, at a minimum.
Attachment #216460 -
Flags: review?(brendan)
|
||
Comment 4•18 years ago
|
||
Comment on attachment 216460 [details] [diff] [review] patch Just lose the comment, and we'll make a followup pass to add a (single) comment to jscntxt.h, plus a (jsval) cast in the JS_PUSH_SINGLE_TEMP_ROOT macro. /be
Attachment #216460 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 5•18 years ago
|
||
Assignee: general → dbaron
Attachment #216460 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #216471 -
Flags: approval1.8.0.3?
Attachment #216471 -
Flags: approval-branch-1.8.1?(brendan)
|
|
Assignee | |
Comment 6•18 years ago
|
||
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
||
Comment 7•18 years ago
|
||
Comment on attachment 216471 [details] [diff] [review] patch Sure, 1.8 branch too please. /be
Attachment #216471 -
Flags: approval-branch-1.8.1?(brendan) → approval-branch-1.8.1+
|
||
Updated•18 years ago
|
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
|
|
||
Comment 9•18 years ago
|
||
Comment on attachment 216471 [details] [diff] [review] patch approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216471 -
Flags: approval1.8.0.3? → approval1.8.0.3+
|
||
Comment 11•18 years ago
|
||
dbaron, does this no longer crash. I'm not certain how to test this. if it's good for you, please verify it, thanks.
|
||
Comment 12•18 years ago
|
||
1.5.0.4 debug WAY_TOO_MUCH_GC Windows:, browser known crash in js_HashString not related to the original stack, no crash in shell. Linux: no crash in browser or shell
Keywords: fixed1.8.0.4 → verified1.8.0.4
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+
|
|
||
Comment 13•18 years ago
|
||
verified fixed 1.8, 1.9 20060807 linux no crash.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•