Closed
Bug 393874
Opened 17 years ago
Closed 16 years ago
Hang [@ js_MinimizeDependentStrings] with gczeal, e4x comment
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla1.9
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: hang, testcase)
Attachments
(2 files, 1 obsolete file)
2.38 KB,
patch
|
igor
:
review+
beltzner
:
approval1.9b4-
beltzner
:
approval1.9+
|
Details | Diff | Splinter Review |
2.12 KB,
text/plain
|
Details |
This hangs the JS shell: gczeal(2); void <b><x/><!----></b>;
Comment 1•17 years ago
|
||
We get 100 frames deep and then hang in the loop on jsstr.c:91 Looking at this now, unless anyone else sees it instantly.
Assignee: general → crowder
Reporter | ||
Updated•17 years ago
|
Severity: normal → critical
Reporter | ||
Comment 2•17 years ago
|
||
Still happens on trunk. Brian, did you figure this out? I'd like to at least know whether it's a GC hazard / potential memory safety bug.
Reporter | ||
Updated•17 years ago
|
Flags: blocking1.9?
Comment 3•17 years ago
|
||
No, I didn't make much progress on it and don't have much time to spend on it at the moment. Someone else should own.
Assignee: crowder → general
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9-
Comment 5•17 years ago
|
||
I can not reproduce the bug on Linux with the current tip. Neither pasting the command directly into the shell or via executing through a file causes any hangs.
Assignee | ||
Comment 6•17 years ago
|
||
This is sort of a GC hazard. In FoldXMLConstants we pass an unrooted |left| to js_ConcatStrings. |left| in this case is a flat string, so we set |ldep = left| and realloc its buffer. Then, we call js_NewString to create a new string to return. Because of |gczeal(2)|, we GC the string pointed to by |left| and |ldep|. Now, js_NewGCThing runs and returns the first thing on its freelist, which happens to be the string formerly known as |left| and still known as |ldep|. Here's the problem: (gdb) p str $53 = (JSString *) 0x41c598 (gdb) p ldep $54 = (JSString *) 0x41c598 The |JSPREFIX_INIT(ldep, str, ln)| on line 180 in jsstr.c is now setting both |str| and |ldep| to look like dependent strings.
Assignee | ||
Comment 7•17 years ago
|
||
This prevents |ldep| from being collected so that |str| cannot alias it.
Comment 8•17 years ago
|
||
(In reply to comment #7) > Created an attachment (id=298132) [details] > Possible fix > > This prevents |ldep| from being collected so that |str| cannot alias it. I do not think this is a good fix. There is no GC hazard with js_ConcatString unless one supplies an unrooted left or right arguments. Which points to FoldXMLConstants, that concatenates strings without rooting them (which I should have seen long time ago). That is, FoldXMLConstants does not root accum assuming that weak rooting works. But it does not as TOK_XMLCOMMENT or TOK_XMLCDATA will displace accum from the newborn root and than later call js_ConcatStrings(cx, accuum, str) with the unrooted accum.
Comment 9•17 years ago
|
||
Right, js_ConcatStrings should be fast. Its callers are obligated to root inputs. /be
Updated•16 years ago
|
Attachment #298132 -
Flags: review?(igor)
Assignee | ||
Comment 11•16 years ago
|
||
I don't know where to target this to... Guessing.
Priority: -- → P2
Target Milestone: --- → mozilla1.9beta4
Assignee | ||
Comment 12•16 years ago
|
||
Attachment #298132 -
Attachment is obsolete: true
Attachment #306789 -
Flags: review?(igor)
Updated•16 years ago
|
Attachment #306789 -
Flags: review?(igor) → review+
Assignee | ||
Comment 13•16 years ago
|
||
Comment on attachment 306789 [details] [diff] [review] Better fix This patch fixes a GC hazard.
Attachment #306789 -
Flags: approval1.9b4?
Comment 14•16 years ago
|
||
Comment on attachment 306789 [details] [diff] [review] Better fix We'll take this after beta4.
Attachment #306789 -
Flags: approval1.9b4?
Attachment #306789 -
Flags: approval1.9b4-
Attachment #306789 -
Flags: approval1.9?
Assignee | ||
Updated•16 years ago
|
Target Milestone: mozilla1.9beta4 → mozilla1.9
Comment 15•16 years ago
|
||
Comment on attachment 306789 [details] [diff] [review] Better fix a1.9=beltzner
Attachment #306789 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 16•16 years ago
|
||
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 17•16 years ago
|
||
Updated•16 years ago
|
Flags: in-testsuite+
Flags: in-litmus-
Comment 19•14 years ago
|
||
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•