Closed Bug 479934 Opened 15 years ago Closed 15 years ago

crash/corruption of JSTraceMonitor reservedObjects dslots with Multi-threads

Product/Component: Core :: JavaScript Engine
Type: defect
Platform: x86, All
Priority: Not set
Severity: major
Status: RESOLVED FIXED
Reporter: MikeM
Assignee: Unassigned

When running several threads I'm seeing a crash inside js_TraceTraceMonitor().
Specifically it looks like tm->reservedObjects->dslots is being corrupted which is causing a crash in js_TraceTraceMonitor().

If I run the application with GZ_ZEAL level 2 no corruption exists and things work great.
If I turn it OFF then the corruption happens and the code dies a horrible death.

I see no evidence of application-caused heap corruption either. All diagnostic tools I have say the app is clean (Numega, Purify, MemValidator).
Looks like a nasty GC bug to me.

CC'ing smart guys in the hope they can advise a way to find underlying corruption... 
Igor, I can't test your multi-runtime GC patch with this bug in the way.

P.S. What is the purpose of reservedObjects?

The trace monitor is a single-threaded struct, embedded in JSThread. If you see more than one thread messing with a TM at a time, you're seeing bug 437325.

/be

Depends on: 437325

Marking resolved as bug# 437325 is fixed now. Thanks Igor!

Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED