Bug 521169 (Closed): TM: Crash [@ 0xdb001f12] or [@ JS_CallTracer] or "Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp"
Opened 15 years ago, closed 15 years ago.
Categories: Core :: JavaScript Engine, defect, P2
Status: VERIFIED FIXED
Tracking | Status |
---|---|
status1.9.2 | --- | beta3-fixed |
status1.9.1 | --- | unaffected |
People: Reporter gkw, Assignee dvander
Whiteboard: [ccbr][sg:critical] fixed-in-tracemonkey (4 keywords)
Attachments (1 file): patch, 642 bytes, review+ from gal
```js
try {
  with({
    x: (function f(a) {
      f(1)
    })()
  }) {}
} catch(e) {}
for each(x in ["", true]) {
  for (b = 0; b < 4; ++b) {
    if (b % 2 == 0) {
      (function () {})()
    } {
      gc()
    }
  }
}
```
Crashes in the js opt shell at a scary address (0xdb001f12) when pasted with -j, at JS_CallTracer near null when passed in as a CLI argument with -j, and asserts with "Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp:2677" in a js debug shell with -j.
Turning security-sensitive because of the scary address and because this concerns gc.
autoBisecting soon...
[Reporter] Updated•15 years ago
Whiteboard: [ccbr]
[Reporter] Comment 1•15 years ago
autoBisect shows this is probably related to bug 459301:
The regression window is http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=89e665eb9944&tochange=d04601f54db5 which is heavily tracerecursion-related.
Blocks: tracerecursion
[Reporter] Comment 2•15 years ago
(In reply to comment #0)
> crashes at js opt shell at a scary address when pasted (0xdb001f12) with -j, at
> JS_CallTracer near null when passed in as a CLI argument with -j, and asserts
> at Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp:2677 with a js debug
> shell with -j.
When pasted into the opt shell and when passed in as a CLI argument to the opt shell, JSTraceMonitor::mark seems to be common on the stack:
```text
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000db001f12
Crashed Thread: 0
Thread 0 Crashed:
0 ??? 0x001f1280 0 + 2036352
1 js-opt-tm-darwin 0x000efa9e JSTraceMonitor::mark(JSTracer*) + 286
2 js-opt-tm-darwin 0x0004b166 js_TraceRuntime + 182
3 js-opt-tm-darwin 0x0004b88e js_GC + 1022
4 js-opt-tm-darwin 0x0000ed68 JS_GC + 72
5 js-opt-tm-darwin 0x00005082 __ZL2GCP9JSContextjPl + 50
6 js-opt-tm-darwin 0x000577f0 js_Interpret + 39904
7 js-opt-tm-darwin 0x0005d9aa js_Execute + 362
8 js-opt-tm-darwin 0x0000cefc JS_ExecuteScript + 60
9 js-opt-tm-darwin 0x00003a88 __ZL7ProcessP9JSContextP8JSObjectPci + 1336
10 js-opt-tm-darwin 0x00007b44 main + 2212
11 js-opt-tm-darwin 0x00001a1b _start + 209
12 js-opt-tm-darwin 0x00001949 start + 41
```

```text
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000040
Crashed Thread: 0
Thread 0 Crashed:
0 js-opt-tm-darwin 0x0004a396 JS_CallTracer + 614
1 js-opt-tm-darwin 0x000efa9e JSTraceMonitor::mark(JSTracer*) + 286
2 js-opt-tm-darwin 0x0004b166 js_TraceRuntime + 182
3 js-opt-tm-darwin 0x0004b88e js_GC + 1022
4 js-opt-tm-darwin 0x0000ed68 JS_GC + 72
5 js-opt-tm-darwin 0x00005082 __ZL2GCP9JSContextjPl + 50
6 js-opt-tm-darwin 0x000577f0 js_Interpret + 39904
7 js-opt-tm-darwin 0x0005d9aa js_Execute + 362
8 js-opt-tm-darwin 0x0000cefc JS_ExecuteScript + 60
9 js-opt-tm-darwin 0x00003b95 __ZL7ProcessP9JSContextP8JSObjectPci + 1605
10 js-opt-tm-darwin 0x00007b44 main + 2212
11 js-opt-tm-darwin 0x00001a1b _start + 209
12 js-opt-tm-darwin 0x00001949 start + 41
```
No longer blocks: tracerecursion
[Reporter] Updated•15 years ago
Blocks: tracerecursion
[Assignee] Comment 3•15 years ago
We're not walking peer fragments for gcthings. This bug existed prior to recursion, so we got lucky here that the bug was exposed so cleanly.
[Assignee] Updated•15 years ago
No longer blocks: tracerecursion
Updated•15 years ago
tracking-fennec: --- → ?
Flags: blocking1.9.2?
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
Updated•15 years ago
Attachment #406182 - Flags: review?(gal) → review+
Comment 4•15 years ago
(In reply to comment #3)
> Created an attachment (id=406182) [details]
> fix
>
> We're not walking peer fragments for gcthings. This bug existed prior to
> recursion, so we got lucky here that the bug was exposed so cleanly.
Does this bug exist on 1.9.1?
Updated•15 years ago
Flags: blocking1.9.2? → blocking1.9.2+
Comment 5•15 years ago
No. The underlying don't-flush-jit-case-upon-gc code wasn't added until 1.9.2.
[Assignee] Comment 7•15 years ago
http://hg.mozilla.org/tracemonkey/rev/dde13d040e44
The crash is (probably) rare but deadly: type instability has to create a peer that roots an object not rooted by the first fragment. FWIW the test case can be reduced to:
```js
for each(x in ["", true]) {
  for (b = 0; b < 4; ++b) {
    if (b % 2 == 0) {
      (function () {})()
    } {
      gc()
    }
  }
}
```
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical] fixed-in-tracemonkey
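The mechanism described in comment 3 and comment 7, as an added illustration that is not part of this bug, the attached patch, or TraceMonkey's own code: a toy mark-and-sweep over a hypothetical chain of trace-tree fragments, where the buggy collector marks only the gcthings rooted by the first fragment and the fixed one also walks the `peer` chain. The heap layout and every name here (`GCThing`, `Fragment`, `run_scenario`, `freed_count`) are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy heap: a fixed arena of gcthings, each with a mark bit
 * and a live flag that the sweep clears when the thing was not marked. */
#define NUM_THINGS 8
#define MAX_ROOTS 4

typedef struct {
    int marked;  /* set by the mark phase */
    int live;    /* cleared by the sweep phase when unmarked */
} GCThing;

static GCThing heap[NUM_THINGS];

/* Hypothetical fragment: roots a few heap slots; peers compiled for other
 * type maps of the same loop are chained through `peer`. */
typedef struct Fragment {
    int roots[MAX_ROOTS];
    int nroots;
    struct Fragment *peer;
} Fragment;

static void reset_heap(void) {
    for (int i = 0; i < NUM_THINGS; i++) {
        heap[i].marked = 0;
        heap[i].live = 1;
    }
}

static void mark_fragment_roots(const Fragment *f) {
    for (int i = 0; i < f->nroots; i++)
        heap[f->roots[i]].marked = 1;
}

/* The defect comment 3 describes: only the first fragment's gcthings are traced. */
static void mark_tree_buggy(const Fragment *root) {
    mark_fragment_roots(root);
}

/* The corrected walk: trace every peer fragment as well. */
static void mark_tree_fixed(const Fragment *root) {
    for (const Fragment *f = root; f != NULL; f = f->peer)
        mark_fragment_roots(f);
}

/* Sweep: free everything unmarked and return how many things were freed. */
static int sweep(void) {
    int freed = 0;
    for (int i = 0; i < NUM_THINGS; i++) {
        if (!heap[i].marked) {
            heap[i].live = 0;
            freed++;
        }
    }
    return freed;
}

/* The scenario in comment 7: type instability produced a peer that roots
 * heap[3], which the first fragment does not root. Returns 1 if heap[3]
 * survives the GC and, when freed_out is non-NULL, stores the freed count. */
static int run_scenario(int use_fix, int *freed_out) {
    Fragment peer  = { {3}, 1, NULL };
    Fragment first = { {0, 1}, 2, &peer };

    reset_heap();
    if (use_fix)
        mark_tree_fixed(&first);
    else
        mark_tree_buggy(&first);
    int freed = sweep();
    if (freed_out)
        *freed_out = freed;
    /* If heap[3] was swept, the next run of `peer` would touch freed memory:
     * the kind of dangling reference behind the crash addresses in comment 2. */
    return heap[3].live;
}

/* Convenience: number of things the sweep freed under either walk. */
static int freed_count(int use_fix) {
    int freed = 0;
    run_scenario(use_fix, &freed);
    return freed;
}

int main(void) {
    int freed;
    int alive = run_scenario(0, &freed);
    printf("buggy walk: peer root %s, %d freed\n", alive ? "alive" : "FREED", freed);
    alive = run_scenario(1, &freed);
    printf("fixed walk: peer root %s, %d freed\n", alive ? "alive" : "FREED", freed);
    return 0;
}
```

The buggy walk frees six of the eight things, including the one only the peer roots; the fixed walk frees five and keeps that root alive. Whether a real engine crashes depends on what the freed slot is later reused for, which is why comment 7 calls the crash rare but deadly.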
Updated•15 years ago
status1.9.1: --- → unaffected
Comment 8•15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9•15 years ago
status1.9.2: --- → final-fixed
Updated•15 years ago
Group: core-security
Updated•14 years ago
Crash Signature: [@ 0xdb001f12] [@ JS_CallTracer]
Comment 10•13 years ago
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ 0xdb001f12] [@ JS_CallTracer] → [@ 0xdb001f12] [@ JS_CallTracer]
Comment 11•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
Updated•11 years ago
tracking-fennec: ? → ---