free list management in bug 505315 has missed a possibility of recursive allocation

RESOLVED FIXED

Status


Core
JavaScript Engine
8 years ago
8 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

Trunk
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(status1.9.2 unaffected)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

(Assignee)

Description

8 years ago
In my patch for bug 505315 I missed that js_NewFinalizableGCThing can be called recursively. This happens if the function triggers the GC and the GC-end application callback triggers more allocations. Thus the assertion in http://hg.mozilla.org/mozilla-central/file/876738eb9cf0/js/src/jsgc.cpp#l1922 is bogus, and the code must be prepared to deal with the possibility of an already allocated free list at that point.
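To make the re-entrancy concrete, here is a small C model added for this page (it is not SpiderMonkey code; NewThing, Refill, RunGC and the pool are hypothetical stand-ins for js_NewFinalizableGCThing, RefillFinalizableFreeList, the GC-end callback and a chunk). The callback allocates while the outer refill is in progress, so the outer call returns to a free list that is already populated; the relaxed assertion from the fix accepts that state, while the original `JS_ASSERT(!*freeListp)` would fire.

```c
#include <assert.h>
#include <stddef.h>
/* Hypothetical stand-ins for the jsgc.cpp pieces named in the bug. */
typedef struct Thing { struct Thing *link; } Thing;
#define POOL_SIZE 4
static Thing pool[POOL_SIZE];   /* constructed backing store for one refill */
static Thing *freeList;         /* plays the role of *freeListp */
static int inCallback;          /* non-zero while the GC-end callback runs */
static int reusedRefills;       /* refills that found the list already built */
static Thing *NewThing(void);

/* Models a GC whose end-of-GC application callback allocates. */
static void RunGC(void)
{
    if (inCallback) return;
    inCallback = 1;
    NewThing();                 /* re-enters the allocator */
    inCallback = 0;
}

/* Models RefillFinalizableFreeList: GC first, then return the list head.
 * If the nested allocation already rebuilt the list, reuse its head. */
static Thing *Refill(void)
{
    RunGC();
    if (freeList) { reusedRefills++; return freeList; }
    for (int i = 0; i < POOL_SIZE - 1; i++) pool[i].link = &pool[i + 1];
    pool[POOL_SIZE - 1].link = NULL;
    return &pool[0];
}

/* Models js_NewFinalizableGCThing. The original JS_ASSERT(!*freeListp) would
 * fire on the re-entrant path; the fixed form only requires a non-empty
 * list to start at the thing being handed out. */
static Thing *NewThing(void)
{
    Thing *thing = freeList;
    if (!thing) {
        thing = Refill();
        assert(!freeList || freeList == thing); /* JS_ASSERT_IF(*freeListp, *freeListp == thing) */
    }
    freeList = thing->link;
    return thing;
}

/* 1 if the outer call hit the re-entrant refill and still got its own thing. */
int Demo(void)
{
    freeList = NULL; reusedRefills = 0;
    Thing *outer = NewThing();
    return reusedRefills == 1 && outer == &pool[1] && freeList == &pool[2];
}
```

The callback's nested call takes pool[0] and leaves the list head at pool[1]; the outer refill then sees that head and hands it out rather than rebuilding the list.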
(Assignee)

Updated

8 years ago
Assignee: general → igor
(Assignee)

Comment 1

8 years ago
Created attachment 406765 [details] [diff] [review]
fix v1
Attachment #406765 - Flags: review?(brendan)
(In reply to comment #0)
> This happens if the function triggers the GC and the GC-end
> application callback triggers more allocations.

jsapi-test for this?
Comment on attachment 406765 [details] [diff] [review]
fix v1

>         thing = RefillFinalizableFreeList(cx, thingKind);
>         if (thing) {
>-            JS_ASSERT(!*freeListp);
>+            JS_ASSERT_IF(*freeListp, *freeListp == thing);
>             *freeListp = thing->link;
>             break;
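Review bot: the relaxed `JS_ASSERT_IF(*freeListp, *freeListp == thing)` encodes a non-obvious invariant, so a comment directly above it should state that `*freeListp` can be non-null here only because the GC-end application callback re-entered js_NewFinalizableGCThing and refilled the list, and that RefillFinalizableFreeList then returns that list's current head. Worth confirming in the same comment that nothing can pop from the refilled list between the nested refill and this point, because JS_ASSERT_IF compiles out in release builds and the unconditional `*freeListp = thing->link;` would then silently discard any entries ahead of `thing` if the invariant were ever violated.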

A comment about how the *freeListp non-null situation arises would be great. r=me,

/be
Attachment #406765 - Flags: review?(brendan) → review+
(Assignee)

Comment 4

8 years ago
landed with extra comments - http://hg.mozilla.org/tracemonkey/rev/eb59dbbc065b
Whiteboard: fixed-in-tracemonkey

Comment 5

8 years ago
http://hg.mozilla.org/mozilla-central/rev/eb59dbbc065b
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
Duplicate of this bug: 522880
We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free | JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this ever make it onto the 1.9.2 branch?
Flags: blocking1.9.2?
(Assignee)

Comment 8

8 years ago
(In reply to comment #7)
> We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free |
> JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this
> ever make it onto the 1.9.2 branch?

No: this bug is a regression from bug 505315. That bug is not in 1.9.2.
Clearing and unaffected per comment 8.
status1.9.2: --- → unaffected
Flags: blocking1.9.2?