TM: Crash during GC [@ JS_CallTracer]

VERIFIED FIXED

Status

Core
JavaScript Engine
--
critical
10 years ago
3 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86
Mac OS X
crash, testcase
Bug Flags:
in-testsuite ?
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
$ cat a3.js

for (let i = 0; i < 3; ++i) { [].concat([]); }
gczeal(2);
({});
gczeal(0); 
var x = {};
for (let j = 0; j < 4; ++j) { x.a = new Date(); }
gc();

$ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j a3.js 

Crash [@ JS_CallTracer] dereferencing 0xdadadff0
(Reporter)

Updated

10 years ago
Whiteboard: [sg:critical?]

WFM (tm tip, on my MBP running leopard) -- who can repro?

/be

Comment 2

10 years ago
This caused a heap bug in the specific version jesse tested. You might have to go back to it to trigger it again. Jesse, do you remember the changeset id?

Comment 3

10 years ago
Created attachment 344833
js1_7/extensions/regress-458931.js

fix

changeset: 20601:0e06273117f5
user: Andreas Gal <gal@mozilla.com>
date: Wed Oct 22 19:19:07 2008 -0700
summary: Make sure we set remaining fslots to void in FastNewDate (459628, r=brendan).

Updated

10 years ago
Flags: in-testsuite+
Flags: in-litmus-

Comment 4

10 years ago
Would make sense looking at your test code and at my fix and the crash behavior. I think bc is right. 

(FastNewDate didn't initialize all fslots, GC comes and scans them => boom)
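
The failure mode described in Comment 4, as an added example that is not SpiderMonkey code and not part of the original bug: a fast-path constructor leaves some fixed slots of a recycled cell unwritten, and a tracing pass then treats the stale words as pointers. The names (Obj, alloc_cell, new_date_buggy, new_date_fixed, wild_slots), the slot count, the low-bit tagging and the 0xDA fill byte (chosen to echo the 0xdadadff0 address in the report) are assumptions of this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { NSLOTS = 5, HEAP_CELLS = 4 };      /* sizes are assumptions */
#define POISON_BYTE 0xDA                  /* stale-cell fill, assumed */
#define VAL_VOID    ((uintptr_t)1)        /* low bit set = immediate value */
#define INT_VAL(n)  (((uintptr_t)(n) << 1) | 1)

typedef struct Obj { uintptr_t fslots[NSLOTS]; } Obj;
static Obj heap[HEAP_CELLS];              /* toy GC heap */

/* Reuse a cell as an allocator would after a sweep: contents are stale. */
static Obj *alloc_cell(size_t i) {
    memset(&heap[i], POISON_BYTE, sizeof(Obj));
    return &heap[i];
}

/* "Before": the fast path writes only the slots it uses. */
static Obj *new_date_buggy(size_t i, Obj *proto, int t) {
    Obj *o = alloc_cell(i);
    o->fslots[0] = (uintptr_t)proto;      /* real pointer into the heap */
    o->fslots[1] = INT_VAL(t);            /* tagged immediate */
    return o;                             /* fslots[2..] still hold poison */
}

/* "After": remaining fixed slots are set to void before the object escapes. */
static Obj *new_date_fixed(size_t i, Obj *proto, int t) {
    Obj *o = new_date_buggy(i, proto, t);
    for (size_t s = 2; s < NSLOTS; s++) o->fslots[s] = VAL_VOID;
    return o;
}

/* Tracer stand-in: counts slots a marking pass would follow that name no heap cell. */
static int wild_slots(const Obj *o) {
    uintptr_t lo = (uintptr_t)&heap[0], hi = (uintptr_t)&heap[HEAP_CELLS];
    int wild = 0;
    for (size_t s = 0; s < NSLOTS; s++) {
        uintptr_t v = o->fslots[s];
        if (v & 1) continue;              /* immediate, nothing to trace */
        if (v < lo || v >= hi || (v - lo) % sizeof(Obj)) wild++;
    }
    return wild;
}

int main(void) {
    Obj *proto = new_date_fixed(0, &heap[0], 0);
    return !(wild_slots(new_date_buggy(1, proto, 42)) == 3 &&
             wild_slots(new_date_fixed(2, proto, 42)) == 0);
}
```

A real tracer dereferences each pointer-looking slot instead of range-checking it, which is why the stale words surface as a crash only when a collection runs.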
(Reporter)

Comment 5

10 years ago
FIXED by bug 459628, then.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Depends on: 459628
Resolution: --- → FIXED

Comment 6

10 years ago
verified fixed mozilla-central, tracemonkey
Status: RESOLVED → VERIFIED

Comment 7

8 years ago
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ JS_CallTracer]
Group: core-security