Closed Bug 522775 Opened 16 years ago Closed 16 years ago

free list management in bug 505315 has missed a possibility of recursive allocation

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected

People

(Reporter: igor, Assigned: igor)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix v1
2.00 KB, patch
brendan
: review+
Details | Diff | Splinter Review
In my patch for bug 505315 I have missed that js_NewFinalizableGCThing can be called recursively. This happens if the function triggers the GC and the GC-end application callback triggers more allocations. Thus the assertion in http://hg.mozilla.org/mozilla-central/file/876738eb9cf0/js/src/jsgc.cpp#l1922 is bogus and the code must be prepared to deal with a possibility of the already allocated free list at that point.
Assignee: general → igor
Attached patch fix v1Splinter Review
Attachment #406765 - Flags: review?(brendan)
(In reply to comment #0) > This happens if the function triggers the GC and the GC-end > application callback triggers more allocations. jsapi-test for this?
Comment on attachment 406765 [details] [diff] [review] fix v1 > thing = RefillFinalizableFreeList(cx, thingKind); > if (thing) { >- JS_ASSERT(!*freeListp); >+ JS_ASSERT_IF(*freeListp, *freeListp == thing); > *freeListp = thing->link; > break; A comment about how the *freeListp non-null situation arises would be great. r=me, /be
Attachment #406765 - Flags: review?(brendan) → review+
landed with extra comments - http://hg.mozilla.org/tracemonkey/rev/eb59dbbc065b
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/eb59dbbc065b
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free | JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this ever make it onto the 1.9.2 branch?
Flags: blocking1.9.2?
(In reply to comment #7) > We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free | > JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this > ever make it onto the 1.9.2 branch? No: this bug is a regression from the bug 505315. That bug is not in 1.9.2.
Clearing and unaffected per comment 8.
status1.9.2: --- → unaffected
Flags: blocking1.9.2?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: