Closed Bug 479934 Opened 16 years ago Closed 16 years ago

crash/corruption of JSTraceMonitor reservedObjects dslots with Multi-threads

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: MikeM, Unassigned)

References

Details

When running several threads I'm seeing a crash inside js_TraceTraceMonitor(). Specifically it looks like tm->reservedObjects->dslots is being corrupted which is causing a crash in js_TraceTraceMonitor(). If I run the application with GZ_ZEAL level 2 no corruption exists and things work great. If I turn it OFF then the corruption happens and the code dies a horrible death. I see no evidence of application caused heap corruption either. All diagnostic tools I have say the app is clean (Numega, Purify, MemValidator) Looks like a nasty GC bug to me. CC'ing smart guys in the hope they can advise a way to find underlying corruption... Igor, I can't test your multi-runtime GC patch with this bug in the way. P.S What is the purpose of reservedObjects?
The trace monitor is a single-threaded struct, embedded in JSThread. If you see more than one thread messing with a TM at a time, you're seeing bug 437325. /be
Depends on: 437325
Marking resolved as bug# 437325 is fixed now. Thanks Igor!
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.