Closed
Bug 1161605
Opened 10 years ago
Closed 10 years ago
Poisoned value after one call to js::jit::SetPropertyIC::update.
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
RESOLVED
INVALID
People
(Reporter: nbp, Unassigned)
Details
With the latest patch from Bug 923717 and Bug 1161584, I noticed that there is a rooting issue which is probably related to SetPropertyIC::update.
Running the following test case with JIT_OPTION_forceInlineCaches=true and --baseline-eager,
var x = gc;                        // keep a reference to the shell's gc() testing function
var obj = {};
for (var i = 0; i != 16 * 1024; ++i)
  obj.a = function f() { };        // repeatedly store a fresh function object through the SetProperty IC
x();                               // explicit GC: the marker dereferences the poisoned value
causes a crash in the explicit call to the gc:
(gdb) bt
#0 js::ObjectGroup::compartment (this=0x2b2b2b2b2b2b2b2b) at /home/nicolas/mozilla/wksp-5-dev/js/src/shell/../vm/ObjectGroup.h:220
#1 0x0000000000466f6d in JSObject::compartment (this=(const JSObject *) 0x7fffee901900 Cannot access memory at address 0x2b2b2b2b2b2b2b2b) at /home/nicolas/mozilla/wksp-5-dev/js/src/shell/../jsobj.h:159
#2 0x000000000073a467 in js::GCMarker::processMarkStackTop (this=0x15e3738, budget=...) at /home/nicolas/mozilla/wksp-5-dev/js/src/gc/Marking.cpp:1166
#3 0x00000000007083e1 in js::GCMarker::drainMarkStack (this=0x15e3738, budget=...) at /home/nicolas/mozilla/wksp-5-dev/js/src/gc/Marking.cpp:1063
#4 0x0000000000eea5ce in js::gc::GCRuntime::drainMarkStack (this=0x15db8c8, sliceBudget=..., phase=js::gcstats::PHASE_MARK) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:5098
#5 0x0000000000eed5c8 in js::gc::GCRuntime::incrementalCollectSlice (this=0x15db8c8, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:5793
#6 0x0000000000eedf85 in js::gc::GCRuntime::gcCycle (this=0x15db8c8, incremental=false, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6014
#7 0x0000000000eee76a in js::gc::GCRuntime::collect (this=0x15db8c8, incremental=false, budget=..., reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6126
#8 0x0000000000ee2290 in js::gc::GCRuntime::gc (this=0x15db8c8, gckind=GC_NORMAL, reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:6187
#9 0x0000000000ef1b26 in JS::GCForReason (rt=0x15db580, gckind=GC_NORMAL, reason=JS::gcreason::API) at /home/nicolas/mozilla/wksp-5-dev/js/src/jsgc.cpp:7016
#10 0x00000000005dea86 in GC (cx=0x16038b0, argc=0, vp=0x7fffffffb348) at /home/nicolas/mozilla/wksp-5-dev/js/src/builtin/TestingFunctions.cpp:264
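The `this=0x2b2b2b2b2b2b2b2b` in frame #0 is the usual fingerprint of a rooting or write-barrier bug: the GC poisons freed or swept cells with a repeated byte, so any pointer to such a cell that survives is a stale reference, not random corruption. The following triage helper is an added example, not code from the report or from SpiderMonkey: it parses gdb `bt` output, flags pointer arguments that consist of one repeated byte, and labels them. The only poison byte taken from this page is 0x2b; the 0xe5 entry is jemalloc's freed-memory fill in Firefox builds and is listed from general knowledge, and the sample backtrace is constructed from the frames above with paths shortened.

```python
"""Flag poisoned pointers in a gdb backtrace (crash-triage helper, added example)."""
import re

# Constructed sample: three frames in the shape of the report above.
SAMPLE_BACKTRACE = """\
#0 js::ObjectGroup::compartment (this=0x2b2b2b2b2b2b2b2b) at ObjectGroup.h:220
#1 0x0000000000466f6d in JSObject::compartment (this=(const JSObject *) 0x7fffee901900 Cannot access memory at address 0x2b2b2b2b2b2b2b2b) at jsobj.h:159
#2 0x000000000073a467 in js::GCMarker::processMarkStackTop (this=0x15e3738, budget=...) at Marking.cpp:1166
"""

# "#N [0xADDR in] function" -- the optional return address is skipped on purpose.
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)")
# Pointer-sized hex literals among the frame's arguments (8..16 hex digits).
HEX_RE = re.compile(r"0x([0-9a-fA-F]{8,16})\b")

# Labels for known poison bytes.  0x2b is the value seen in this report;
# 0xe5 is jemalloc's freed-memory fill in Firefox builds (assumption: listed
# from general knowledge, not from the page).  Other repeated bytes are
# still reported, just without a name.
KNOWN_POISON = {
    0x2b: "SpiderMonkey GC poison (value seen in this report)",
    0xe5: "jemalloc freed-memory poison",
}


def is_repeated_byte(value: int, width: int) -> bool:
    """True if `value`, viewed as `width` bytes, is one byte repeated.

    0x00 and 0xff are excluded: NULL and -1 are sentinels, not poison.
    """
    if width < 4:
        return False
    b = value & 0xFF
    if b in (0x00, 0xFF):
        return False
    return all(((value >> (8 * i)) & 0xFF) == b for i in range(width))


def classify(value: int, width: int):
    """Return a label for a poisoned value, or None if it looks like a live pointer."""
    if not is_repeated_byte(value, width):
        return None
    return KNOWN_POISON.get(value & 0xFF, "unknown poison pattern")


def find_poisoned_pointers(backtrace: str):
    """Scan every frame's argument list and collect poisoned pointer values."""
    findings = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        rest = line.strip()[m.end():]          # arguments and location only
        for h in HEX_RE.finditer(rest):
            digits = h.group(1)
            width = (len(digits) + 1) // 2      # bytes actually printed by gdb
            label = classify(int(digits, 16), width)
            if label is None:
                continue
            # gdb reports an unreadable `this` as "Cannot access memory at address 0x..."
            unreadable = ("Cannot access memory at address 0x" + digits) in rest
            findings.append({
                "frame": int(m.group("idx")),
                "function": m.group("func"),
                "pointer": "0x" + digits,
                "label": label,
                "unreadable": unreadable,
            })
    return findings


if __name__ == "__main__":
    for f in find_poisoned_pointers(SAMPLE_BACKTRACE):
        flag = " (memory unreadable)" if f["unreadable"] else ""
        print(f"#{f['frame']} {f['function']}: {f['pointer']} -> {f['label']}{flag}")
```

Run it on a saved `bt` and the first frame reported is normally the one to look at: a poisoned `this` that far down the marking path (frames #2 to #9 here are the collector itself) means the stale pointer was reachable from a GC root or an unbarriered store, which is exactly the post-barrier problem the reporter ended up finding.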
Comment 1•10 years ago
This was an issue with the Bug 923717 patch.
Thanks Jon for the pointer to the post-barrier :)
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Updated•10 years ago
Group: javascript-core-security