Closed Bug 708228 Opened 13 years ago Closed 13 years ago

Infinite recursion crash [@ regexp_trace] with incremental GC

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED FIXED
mozilla11

People

(Reporter: decoder, Assigned: billm)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following test crashes on mozilla-central revision fafaf614791f (no options required):

gczeal(4);
var g_rx = /(?:)/;
(3).replace(g_rx.compile("test", "g"), {});

The crash is an infinite recursion with the following repeating part:

#88 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#89 0x0000000000443bb2 in JSObject::privateWriteBarrierPre (this=0x7ffff60088e0, old=0x7ffff6008938) at ../jsobjinlines.h:2114
#90 0x000000000044302f in JSObject::setPrivate (this=0x7ffff60088e0, data=0x0) at ../jsobjinlines.h:113
#91 0x000000000065bb0b in js::RegExpObject::setPrivate (this=0x7ffff60088e0, rep=0x0) at ../vm/RegExpObject-inl.h:119
#92 0x000000000065bb59 in js::RegExpObject::purge (this=0x7ffff60088e0, cx=0xb2b930) at ../vm/RegExpObject-inl.h:157
#93 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
https://hg.mozilla.org/projects/larch/rev/6c62c0967631
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
This crash is on mozilla-central and not on larch only. Please merge to m-c and then mark as fixed again.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch fix
The problem was that we were calling purge when tracing through a regular expression from a write barrier. This seems bad. It does mean that during incremental GC we may fail to purge some regular expressions. This should be rare. I think that's okay, right Chris?
Attachment #581709 - Flags: review?(christopher.leary)
Comment on attachment 581709 [details] [diff] [review]
fix

Review of attachment 581709 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, that's ok: nothing depends on the fact that privates get purged from objects each GC.
Attachment #581709 - Flags: review?(christopher.leary) → review+
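To make the re-entrancy concrete, here is an added model of the cycle described in the comments above (purge → setPrivate → write barrier → regexp_trace → purge). It is illustrative code written for this page, not SpiderMonkey code or the patch itself; the struct and function names, the depth counter and kMaxDepth are constructed stand-ins.

```cpp
// Minimal model (not SpiderMonkey code) of the re-entrancy described above.
// A RegExpObject holds a private pointer to its compiled form. During an
// incremental GC, a store that overwrites a GC-visible pointer first runs a
// pre-write barrier that calls the object's trace hook, so the collector
// still sees the old value. The trace hook must therefore not store itself.

struct RegExpPrivate { int tag; };
static RegExpPrivate g_compiled = {1};   // constructed stand-in for a compiled regexp

struct Tracer { bool incremental; int depth; };
struct RegExpObject;
typedef void (*TraceHook)(Tracer *, RegExpObject *);

struct RegExpObject {
    RegExpPrivate *priv;
    Tracer *gc;          // non-null while an incremental GC is in progress
    TraceHook traceHook;

    // Pre-write barrier: runs before priv is overwritten during incremental GC.
    void privateWriteBarrierPre(RegExpPrivate *old) {
        if (gc && gc->incremental && old)
            traceHook(gc, this);
    }
    void setPrivate(RegExpPrivate *p) { privateWriteBarrierPre(priv); priv = p; }
    void purge() { setPrivate(nullptr); }
};

static const int kMaxDepth = 64;   // stand-in for the real stack limit

// Before the fix: the trace hook purged the object. purge() stores through
// setPrivate, which runs the barrier, which calls this hook again, forever.
static void regexp_trace_buggy(Tracer *trc, RegExpObject *obj) {
    if (++trc->depth > kMaxDepth) return;   // the real code overflowed the stack here
    obj->purge();
}

// After the fix: the trace hook only marks and performs no store, so the
// barrier is never re-entered (some regexps may simply go unpurged that GC).
static void regexp_trace_fixed(Tracer *trc, RegExpObject *obj) {
    ++trc->depth;
    (void)obj;   // marking of obj's GC-visible children would go here
}

// Performs one purge during a simulated incremental GC with the given hook and
// returns how deep the trace recursion went (kMaxDepth + 1 means cut off).
int barrier_depth(TraceHook hook) {
    Tracer trc = {true, 0};
    RegExpObject obj = {&g_compiled, &trc, hook};
    obj.purge();
    return trc.depth;
}
```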
https://hg.mozilla.org/mozilla-central/rev/d96b15c1645b
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708228.js.
Flags: in-testsuite+