Closed Bug 458931 Opened 16 years ago Closed 16 years ago

TM: Crash during GC [@ JS_CallTracer]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

js1_7/extensions/regress-458931.js
2.50 KB, text/plain
Details 
$ cat a3.js

for (let i = 0; i < 3; ++i) { [].concat([]); }
gczeal(2);
({});
gczeal(0); 
var x = {};
for (let j = 0; j < 4; ++j) { x.a = new Date(); }
gc();

$ ~/tracemonkey/js/src/Darwin_DBG.OBJ/js -j a3.js 

Crash [@ JS_CallTracer] dereferencing 0xdadadff0
Whiteboard: [sg:critical?]
WFM (tm tip, on my MBP running leopard) -- who can repro?

/be
This caused a heap bug in the specific version jesse tested. You might have to go back to it to trigger it again. Jesse, do you remember the changeset id?
fix changeset: 20601:0e06273117f5 user: Andreas Gal <gal@mozilla.com> date: Wed Oct 22 19:19:07 2008 -0700 summary: Make sure we set remaining fslots to void in FastNewDate (459628, r=brendan).
Flags: in-testsuite+
Flags: in-litmus-
Would make sense looking at your test code and at my fix and the crash behavior. I think bc is right. 

(FastNewDate didn't initialize all fslots, GC comes and scans them => boom)
FIXED by bug 459628, then.
Status: NEW → RESOLVED
Closed: 16 years ago
Depends on: 459628
Resolution: --- → FIXED
verified fixed mozilla-central, tracemonkey
Status: RESOLVED → VERIFIED
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Crash Signature: [@ JS_CallTracer]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: