Bug 492693 - TM: temporary rooting during native call from trace isn't reset properly
Status: RESOLVED FIXED (Closed)
Opened 15 years ago; closed 15 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: gal, Assigned: gal
Keywords: fixed1.9.1; Whiteboard: fixed-in-tracemonkey

Attachments (2 files):
- 25.24 KB, application/x-javascript
- 854 bytes, patch; Waldo: review+
No description provided.
Flags: blocking1.9.1?
Comment 1 (assignee)•15 years ago

When running slow.js with a macosx OPT build (TM tip), we crash with a bus error. The crash doesn't happen in gdb, but I was able to make it write out a core file.

#0  0x00036224 in GetGCThingFlags (thing=0xb60) at ../jsgc.cpp:1128
1128        a = THING_TO_ARENA(thing);
(gdb) bt full
#0  0x00036224 in GetGCThingFlags (thing=0xb60) at ../jsgc.cpp:1128
No locals.
#1  0x00036c55 in JS_CallTracer (trc=0xbffff218, thing=<value temporarily unavailable, due to optimizations>, kind=0) at ../jsgc.cpp:2712
        rt = (JSRuntime *) 0x168000
        a = <value temporarily unavailable, due to optimizations>
        cx = (JSContext *) 0x20a8b0
        index = <value temporarily unavailable, due to optimizations>
        flagp = (uint8 *) 0xb60 ""
#2  0x000375af in js_TraceContext (trc=0xbffff218, acx=0x20a8b0) at ../jsgc.cpp:3115
        _v = <value temporarily unavailable, due to optimizations>
        _vp = (jsval *) 0x0
        _end = (jsval *) 0xbfffc0f0
#3  0x0003786f in js_TraceRuntime (trc=0xbffff218, allAtoms=2912) at ../jsgc.cpp:3162
        rt = (JSRuntime *) 0x168000
        iter = (JSContext *) 0x20a8b0
        acx = <value temporarily unavailable, due to optimizations>
#4  0x00037ab1 in js_GC (cx=0x20a8b0, gckind=GC_LAST_DITCH) at ../jsgc.cpp:3483
        keepAtoms = 1
        i = 1323464
        trc = {
          context = 0x20a8b0,
          callback = 0
        }
        a = <value temporarily unavailable, due to optimizations>
        emptyArenas = (JSGCArenaInfo *) 0x209a50
        arenaList = (JSGCArenaList *) 0x0
        allClear = 1323008
        callback = <value temporarily unavailable, due to optimizations>
        thing = (JSGCThing *) 0xc3d90
        rt = (JSRuntime *) 0x168000
        type = <value temporarily unavailable, due to optimizations>
        thingSize = 1323432
        flags = <value temporarily unavailable, due to optimizations>
        freeList = (JSGCThing *) 0x33
        ap = (JSGCArenaInfo **) 0xc17e2
        flagp = <value temporarily unavailable, due to optimizations>
#5  0x0003846d in js_NewGCThing (cx=0x20a8b0, flags=0, nbytes=32) at ../jsgc.cpp:1901
        rt = <value temporarily unavailable, due to optimizations>
        arenaList = (JSGCArenaList *) 0x168030
        a = <value temporarily unavailable, due to optimizations>
        lrs = <value temporarily unavailable, due to optimizations>
        flindex = <value temporarily unavailable, due to optimizations>
        doGC = false
        thing = <value temporarily unavailable, due to optimizations>
        flagp = <value temporarily unavailable, due to optimizations>
#6  0x00050a30 in js_NewObjectWithGivenProto (cx=0x20a8b0, clasp=0xdfee0, proto=0x1997e0, parent=0x187000, objectSize=0) at ../jsobj.cpp:3104
        obj = (JSObject *) 0xb60
        ops = <value temporarily unavailable, due to optimizations>
        tvr = {
          down = 0xbffff2c8,
          count = -1073745208,
          u = {
            value = -1846881676,
            object = 0x91ead274,
            string = 0x91ead274,
            xml = 0x91ead274,
            trace = 0x91ead274 <free+17>,
            sprop = 0x91ead274,
            weakRoots = 0x91ead274,
            compiler = 0x91ead274,
            script = 0x91ead274,
            array = 0x91ead274
          }
        }
#7  0x000550fa in js_NewObject (cx=0x20a8b0, clasp=0xdfee0, proto=0x1997e0, parent=0x187000, objectSize=0) at ../jsobj.cpp:3068
        id = 299409
#8  0x0004924a in js_InvokeConstructor (cx=0x20a8b0, argc=0, clampReturn=0, vp=0xdfee0) at jsinterp.cpp:1837
        fun = (JSFunction *) 0x190af0
        obj = (JSObject *) 0xb60
        parent = <value temporarily unavailable, due to optimizations>
        clasp = <value temporarily unavailable, due to optimizations>
        fun2 = (JSFunction *) 0x20a8b0
        obj2 = (JSObject *) 0x20a8b0
        proto = <value temporarily unavailable, due to optimizations>
        lval = <value temporarily unavailable, due to optimizations>
        rval = <value temporarily unavailable, due to optimizations>
#9  0x0003f0e8 in js_Interpret ()
No symbol table info available.
#10 0x00049a3c in js_Execute (cx=0x20a8b0, chain=0x187000, script=0x83a800, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1603
        oldfp = (JSStackFrame *) 0x0
        frame = {
          regs = 0x830bd4,
          imacpc = 0x0,
          slots = 0x830a18,
          callobj = 0x0,
          argsobj = 0x0,
          varobj = 0x187000,
          callee = 0x0,
          script = 0x83a800,
          fun = 0x0,
          thisp = 0x187000,
          argc = 0,
          argv = 0x0,
          rval = 22,
          down = 0x0,
          annotation = 0x0,
          scopeChain = 0x187000,
          blockChain = 0x0,
          sharpDepth = 0,
          sharpArray = 0x0,
          flags = 2,
          dormantNext = 0x0,
          xmlNamespace = 0x0,
          displaySave = 0x0
        }
        obj = <value temporarily unavailable, due to optimizations>
        ok = <value temporarily unavailable, due to optimizations>
        hook = (JSInterpreterHook) 0
        hookData = (void *) 0x0
        mark = (void *) 0x830a18
#11 0x0000aaa8 in JS_ExecuteScript (cx=0x20a8b0, obj=0xb60, script=0xb60, rval=0xb60) at ../jsapi.cpp:5040
        ok = <value temporarily unavailable, due to optimizations>
#12 0x00003ad7 in Process ()
No symbol table info available.
#13 0x000060af in main ()
No symbol table info available.
Current language:  auto; currently c++
(gdb)
Comment 2 (assignee)•15 years ago

Comment 3 (assignee)•15 years ago

This is an OPT build with -g3 (also kills regular opt builds).
Comment 4 (assignee)•15 years ago

Ok, this looks familiar. We use this to root arguments during slow native invocations.

#2  0x000375af in js_TraceContext (trc=0xbffff218, acx=0x20a8b0) at ../jsgc.cpp:3115
3115        TRACE_JSVALS(trc, acx->nativeVpLen, acx->nativeVp, "nativeVp");
(gdb) list

>> This bug doesn't affect branch. <<

Removing blocking, marking dependency. 487240 is a still unfixed blocker that might inherit the nativeVp part of Bug 487134, so marking that as blocked as well.
Comment 5 (assignee)•15 years ago

nativeVp was stack allocated and then not properly reset for the non-constructor case.
Assignee: general → gal
Attachment #377066 - Flags: review?(jorendorff)
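The failure mode described in the report and in comment 5, as an added illustration (this is not TraceMonkey code and not the patch on this bug): a context-level root pointer aimed at a stack frame is a use-after-return the moment the frame is popped without clearing it, and the next last-ditch GC that walks the context follows it into whatever now occupies those stack slots. Only the field names nativeVp and nativeVpLen come from the report; Context, live_objects, fake_stack, trace_context, call_native_buggy, call_native_fixed and run_scenario are constructed stand-ins, and the "stack" is an array so that the stale root can be followed without undefined behaviour instead of the bus error seen in the backtrace.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not TraceMonkey code. Only the field names nativeVp and
 * nativeVpLen come from the report; every other name here is a constructed
 * stand-in chosen to make the failure observable without undefined behaviour. */

typedef uintptr_t jsval;

typedef struct {
    jsval  *nativeVp;     /* temporary root into the caller's stack frame */
    size_t  nativeVpLen;
} Context;

/* Constructed "heap": the only values the tracer is allowed to follow. */
static const jsval live_objects[4] = { 0x1000, 0x2000, 0x3000, 0x4000 };

static bool is_live_object(jsval v) {
    for (size_t i = 0; i < sizeof live_objects / sizeof live_objects[0]; i++)
        if (live_objects[i] == v) return true;
    return false;
}

/* Constructed stand-in for the machine stack: call frames carve their jsval
 * slots out of this array, so a stale root can be dereferenced safely here. */
static jsval fake_stack[8];

/* Stand-in for the js_TraceContext step in the backtrace: it follows
 * cx->nativeVp unconditionally. Returns how many traced values are not live
 * objects; a non-zero result is where the real engine crashed in
 * GetGCThingFlags. */
static int trace_context(const Context *cx) {
    int stale = 0;
    if (cx->nativeVp) {
        for (size_t i = 0; i < cx->nativeVpLen; i++)
            if (!is_live_object(cx->nativeVp[i])) stale++;
    }
    return stale;
}

typedef void (*Native)(Context *cx, jsval *vp, size_t argc);

static void noop_native(Context *cx, jsval *vp, size_t argc) {
    (void)cx; (void)vp; (void)argc;
}

/* Buggy shape: the arguments are rooted for the duration of the native call,
 * but only the constructor path clears the root before returning. */
static void call_native_buggy(Context *cx, Native fn, bool constructing,
                              const jsval *args, size_t argc) {
    jsval *vp = fake_stack;                 /* this frame's argument slots */
    memcpy(vp, args, argc * sizeof *vp);
    cx->nativeVp = vp;
    cx->nativeVpLen = argc;
    fn(cx, vp, argc);
    if (constructing) {
        cx->nativeVp = NULL;                /* reset happens only here */
        cx->nativeVpLen = 0;
    }
    /* non-constructor path: cx->nativeVp still points into this dead frame */
}

/* Fixed shape: reset on every exit path so a later GC never sees the frame. */
static void call_native_fixed(Context *cx, Native fn, bool constructing,
                              const jsval *args, size_t argc) {
    jsval *vp = fake_stack;
    memcpy(vp, args, argc * sizeof *vp);
    cx->nativeVp = vp;
    cx->nativeVpLen = argc;
    fn(cx, vp, argc);
    (void)constructing;
    cx->nativeVp = NULL;
    cx->nativeVpLen = 0;
}

/* Replays the report's sequence: a native call returns, a later frame reuses
 * the same stack slots for unrelated data, then a last-ditch GC traces the
 * context. Returns the number of stale roots the tracer followed. */
static int run_scenario(bool fixed, bool constructing) {
    Context cx = { NULL, 0 };
    const jsval args[2] = { live_objects[0], live_objects[1] };
    if (fixed)
        call_native_fixed(&cx, noop_native, constructing, args, 2);
    else
        call_native_buggy(&cx, noop_native, constructing, args, 2);
    fake_stack[0] = 0x2a;   /* constructed: a later frame overwrote the slots */
    fake_stack[1] = 0x07;
    return trace_context(&cx);
}

int main(void) {
    printf("buggy, non-constructor: %d stale roots\n", run_scenario(false, false));
    printf("buggy, constructor:     %d stale roots\n", run_scenario(false, true));
    printf("fixed, non-constructor: %d stale roots\n", run_scenario(true, false));
    printf("fixed, constructor:     %d stale roots\n", run_scenario(true, true));
    return 0;
}
```

The point of the shape: a root stored in a long-lived structure (the context) that aims at a short-lived one (a stack frame) has to be cleared on every return path, not just the one that was tested. A real engine would not see the benign 0x2a and 0x07 values used here; it would see whatever the next frame left in those slots, which is exactly the bogus thing=0xb60 that GetGCThingFlags choked on in comment 1.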
Updated (assignee)•15 years ago
Summary: TM: Crash in last ditch GC in NewObjectWithGivenProto → TM: temporary rooting during slow native call from trace isn't reset properly
Updated (assignee)•15 years ago
Summary: TM: temporary rooting during slow native call from trace isn't reset properly → TM: temporary rooting during native call from trace isn't reset properly
Updated•15 years ago
Attachment #377066 - Flags: review?(jorendorff) → review+
Comment 6 (assignee)•15 years ago

http://hg.mozilla.org/tracemonkey/rev/ed70badf19d7
Whiteboard: fixed-in-tracemonkey
Comment 7 (assignee)•15 years ago

We should keep this bug invisible until the nightlies have picked up the fix.
Updated•15 years ago
Flags: blocking1.9.1+
Comment 8•15 years ago

http://hg.mozilla.org/mozilla-central/rev/ed70badf19d7
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9•15 years ago

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/0f1a88c9e28e
Keywords: fixed1.9.1
Updated•11 years ago
Group: core-security