Closed
Bug 522775
Opened 16 years ago
Closed 16 years ago
free list management in bug 505315 has missed a possibility of recursive allocation
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED
| Tracking | Status
---|---|---
status1.9.2 | --- | unaffected
People
(Reporter: igor, Assigned: igor)
References
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file) patch, 2.00 KB, brendan: review+
In my patch for bug 505315 I missed that js_NewFinalizableGCThing can be called recursively. This happens if the function triggers the GC and the GC-end application callback triggers more allocations. Thus the assertion in http://hg.mozilla.org/mozilla-central/file/876738eb9cf0/js/src/jsgc.cpp#l1922 is bogus and the code must be prepared to deal with the possibility of an already allocated free list at that point.
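To make the re-entry concrete, here is an added example; it is not Mozilla's jsgc.cpp. js_NewFinalizableGCThing, RefillFinalizableFreeList and the GC-end application callback are modelled by the assumed names new_thing, refill_free_list and gc_end_callback, and the arena sizes are constructed. The example shows the allocator being re-entered from the callback while the outer refill is still in progress, the free list being non-empty when that refill returns, and the relaxed check from the fix holding where the original `!*freeListp` assertion would have fired.

```c
/*
 * Added example, not Mozilla's code: a toy per-kind free-list allocator whose
 * refill path runs a collector with a "GC-end" application callback.  The
 * callback allocates, so the allocator re-enters itself while the outer
 * refill is still in progress.  All names are assumptions for illustration.
 */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define CHUNK        4   /* things carved out per refill (constructed value) */
#define ARENA_THINGS 32  /* capacity of the toy arena (constructed value) */

typedef struct Thing { struct Thing *link; } Thing;

static Thing  arena[ARENA_THINGS];
static size_t arena_used;         /* arena slots handed out so far */
static Thing *free_list;          /* per-kind free list (*freeListp in the bug) */
static int    gc_runs;            /* how many times the collector ran */
static int    reentrant_refills;  /* refills that found the list already populated */
static int    in_callback;        /* guard so the callback allocates only once */
static Thing *callback_thing;     /* what the GC-end callback allocated */
static void (*gc_end_callback)(void);

static Thing *new_thing(void);

/* Collector stub: no marking or sweeping, only the end-of-GC callback,
 * which is the point where re-entrant allocation becomes possible. */
static void run_gc(void)
{
    gc_runs++;
    if (gc_end_callback)
        gc_end_callback();
}

/*
 * Refill: run the collector first (modelling "arena exhausted, collect"),
 * then carve CHUNK things out of the arena.  Assumed contract mirroring the
 * fix: if the GC-end callback already repopulated the free list, hand back
 * its head without unlinking it and let the caller pop it.  Otherwise return
 * the first carved thing with the rest chained behind it, list left empty.
 */
static Thing *refill_free_list(void)
{
    run_gc();
    if (free_list) {
        reentrant_refills++;
        return free_list;
    }
    if (arena_used + CHUNK > ARENA_THINGS)
        return NULL;                          /* out of memory */
    Thing *first = &arena[arena_used];
    for (size_t i = 0; i + 1 < CHUNK; i++)
        arena[arena_used + i].link = &arena[arena_used + i + 1];
    arena[arena_used + CHUNK - 1].link = NULL;
    arena_used += CHUNK;
    return first;
}

/* Allocation path shaped like the hunk in comment 3. */
static Thing *new_thing(void)
{
    Thing *thing = free_list;
    if (thing) {
        free_list = thing->link;
        return thing;
    }
    thing = refill_free_list();
    if (!thing)
        return NULL;
    /* The original code asserted !free_list here.  A nested allocation from
     * the GC-end callback makes that false, so the fixed check only requires
     * that a non-empty list starts with the thing just returned. */
    assert(!free_list || free_list == thing);
    free_list = thing->link;
    return thing;
}

/* GC-end callback that allocates, triggering the re-entry.  Guarded so the
 * nested allocation's own GC does not recurse a second time. */
static void allocating_callback(void)
{
    if (in_callback)
        return;
    in_callback = 1;
    callback_thing = new_thing();
    in_callback = 0;
}

static void reset_heap(void)
{
    arena_used = 0; free_list = NULL; gc_runs = 0; reentrant_refills = 0;
    in_callback = 0; callback_thing = NULL; gc_end_callback = NULL;
}

/* Plain path, no allocating callback: how many things before out-of-memory. */
static int demo_plain_allocation(void)
{
    reset_heap();
    int n = 0;
    while (new_thing())
        n++;
    return n;
}

/* Re-entrant path from the description: 1 when the outer refill found the list
 * already populated by the callback and both allocations got distinct things. */
static int demo_reentrant_allocation(void)
{
    reset_heap();
    gc_end_callback = allocating_callback;
    Thing *outer = new_thing();
    return outer != NULL && callback_thing != NULL && outer != callback_thing
        && reentrant_refills == 1 && free_list == &arena[2];
}

int main(void)
{
    printf("plain: %d things before OOM\n", demo_plain_allocation());
    printf("reentrant: %s (gc ran %d times)\n",
           demo_reentrant_allocation() ? "ok" : "FAILED", gc_runs);
    return 0;
}
```

In the re-entrant run the nested allocation takes the first carved thing and leaves three on the list; the outer refill then returns the list head rather than carving again, and the caller pops it, which is exactly the state the relaxed assertion admits.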
Updated•16 years ago
Assignee: general → igor
Comment 1•16 years ago
Attachment #406765 -
Flags: review?(brendan)
Comment 2•16 years ago
(In reply to comment #0)
> This happens if the function triggers the GC and the GC-end
> application callback triggers more allocations.
jsapi-test for this?
Comment 3•16 years ago
Comment on attachment 406765 [details] [diff] [review]
fix v1
> thing = RefillFinalizableFreeList(cx, thingKind);
> if (thing) {
>- JS_ASSERT(!*freeListp);
>+ JS_ASSERT_IF(*freeListp, *freeListp == thing);
> *freeListp = thing->link;
> break;
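Review bot: the relaxed check on the `+` line, `JS_ASSERT_IF(*freeListp, *freeListp == thing);`, only holds if RefillFinalizableFreeList, on finding *freeListp already repopulated by a nested allocation from the GC-end callback, returns that list head without unlinking it, because the unchanged `*freeListp = thing->link;` that follows then pops it. That contract lives in Refill and is not visible in this hunk, and the assertion is debug-only, so release builds silently depend on it; add a comment at the JS_ASSERT_IF naming the re-entry path from comment 0 and the Refill side it relies on, and consider an assertion in Refill that the head it returns in that case is the one the caller will pop.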
A comment about how the *freeListp non-null situation arises would be great. r=me,
/be
Attachment #406765 -
Flags: review?(brendan) → review+
Comment 4•16 years ago
landed with extra comments - http://hg.mozilla.org/tracemonkey/rev/eb59dbbc065b
Whiteboard: fixed-in-tracemonkey
Comment 5•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 7•16 years ago
We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free | JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this ever make it onto the 1.9.2 branch?
Flags: blocking1.9.2?
Comment 8•16 years ago
(In reply to comment #7)
> We're seeing this crash in 3.6b3 (arena_dalloc_small | arena_dalloc | free |
> JSFreePointerListTask::run(), bug 522880, duped against this bug). Did this
> ever make it onto the 1.9.2 branch?
No: this bug is a regression from bug 505315. That bug is not in 1.9.2.
Comment 9•16 years ago
Clearing and unaffected per comment 8.
status1.9.2:
--- → unaffected
Flags: blocking1.9.2?