Closed
Bug 523947
Opened 15 years ago
Closed 15 years ago
TM: Crash [@ JS_CallTracer]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla2.0
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | unaffected |
People
(Reporter: gkw, Assigned: gal)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [ccbr] fixed-in-tracemonkey[crashkill])
Crash Data
Attachments
(2 files, 4 obsolete files)
|
4.36 KB,
text/plain
|
Details | |
|
5.13 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
Function("\
(function foo(a, c) {\
if (a.length == c) {\
return ((function() { z }))\
}\
b = foo(a, c + 1);\
return ((function foo2(d) {\
return d.length == 0 ? 0 : d[0] + foo2(d.slice(1))\
})([b, b, , 0x5a827999, /x/, , b, /x/]))\
})([,,,,,,,,,,,,0], 0)\
")()
crashes js opt shell with -j on TM tip at JS_CallTracer near null and crashes js debug shell with -j on TM tip at JS_CallTracer at a scary 0xdadadfec location (turning security-sensitive because of this).
Nominating blocking-1.9.2? because bug 523370 is labelled as status1.9.2beta1-fixed.
autoBisect shows this is probably related to bug 523370:
The first bad revision is:
changeset: 34047:a389613bd931
user: Igor Bukanov
date: Thu Oct 22 01:03:56 2009 +0400
summary: bug 523370 - fixing bogus OOM with empty double free lists. r=dmandelinFlags: blocking1.9.2?
|
||
Comment 1•15 years ago
|
||
Hitting this a lot.
|
Reporter | |
Updated•15 years ago
|
Whiteboard: [ccbr]
|
||
Comment 2•15 years ago
|
||
Weird. Does this mean starting a GC from the recorder tends to make us crash? Could it be that the GC thinks a certain frame stack slot has data, based on the PC, but that the interp opcode hasn't run yet so that slot contains garbage? Or something like that?
since bug 505315 didn't land on 1.9.2, this doesn't need to block. I'm not sure why the other bug is marked beta1-fixed since it never landed on 1.9.2, but maybe the flags don't work in the way I am thinking.
Attachment #408455 -
Flags: review?(igor)
|
||
Updated•15 years ago
|
Attachment #408455 -
Flags: review?(igor)
|
|
||
Comment 5•15 years ago
|
||
Comment on attachment 408455 [details] [diff] [review] fix > METER(JSGCArenaStats *astats = &cx->runtime->gcStats.arenaStats[thingKind]); >- bool canGC = !JS_ON_TRACE(cx); >+ bool canGC = !JS_ON_TRACE(cx) && !JS_TRACE_MONITOR(cx).useReservedObjects; Nit: add a function like CanGC to factor out the common logic above. Non nit: use this function also in NewGCArena where the code checks for JS_ON_TRACE(cx). >diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp >+ JS_TRACE_MONITOR(cx).useReservedObjects = JS_TRUE; Nit: rename useReservedObjects into useReservedPool or something as it is no longer used just for object allocation. Also make it bool and use true/false for its initialization.
I don't think we should worry about changing/refactoring much here. It is all temporary and will go away with conservative GC, and in the meantime I'm hitting this crash in the wild.
Attachment #408455 -
Attachment is obsolete: true
Attachment #408663 -
Flags: review?(igor)
|
|
||
Comment 7•15 years ago
|
||
Comment on attachment 408663 [details] [diff] [review] fix >+static inline bool >+CanGC(JSContext *cx) >+{ >+ return !JS_ON_TRACE(cx) && !JS_TRACE_MONITOR(cx).useReservedPool; >+} The patch does not change NewGCArena to use CanGC, not JS_ON_TRACE, right before the js_TriggerGC call. Surely the conservative scanner will allow to resolve this, but an explicit call like CanGC will allow to trivially remove that code later without missing anything.
Attachment #408663 -
Flags: review?(igor)
I'm not as familiar with this code so I'll defer to you for the best fix :)
|
|
||
Comment 10•15 years ago
|
||
The new version is the patch from the comment 6 with the extra change from the comment 7.
Attachment #408663 -
Attachment is obsolete: true
Attachment #408932 -
Flags: review+
|
|
||
Comment 11•15 years ago
|
||
Here comes the right diff.
Attachment #408932 -
Attachment is obsolete: true
Attachment #408936 -
Flags: review+
Hrm still getting problems from running old trace-tests... /Users/dvander/mozilla/oldmonkey/js/src/trace-test.js:5757: out of memory Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xdadadad8 0x0007f53b in js_Interpret (cx=0x30ab80) at jsops.cpp:1012 1012 VALUE_TO_NUMBER(cx, -1, rval, d2); #0 0x0007f53b in js_Interpret (cx=0x30ab80) at jsops.cpp:1012 1012 VALUE_TO_NUMBER(cx, -1, rval, d2); (gdb) p/x rval $1 = 0xdadadada
|
Assignee | |
Comment 13•15 years ago
|
||
This is unacceptable. I will bisect and back out patches until this is fixed. I can't finish my stack scanning patch if we crash all over the place.
|
|
Reporter | |
Comment 14•15 years ago
|
||
Bug 523370 has had erroneous 1.9.2 flags/keywords removed.
Flags: blocking1.9.2?
|
|
Assignee | |
Comment 15•15 years ago
|
||
Assignee: igor → gal
Attachment #408936 -
Attachment is obsolete: true
|
|
||
Updated•15 years ago
|
Attachment #408952 -
Flags: review+
|
|
Assignee | |
Comment 16•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/629ab1d02019 This fixes the test-case and the trace-tests crash I was seeing. The original regressor should have been backed out a week ago. It made it to m-c now. That's pretty bad.
|
|
||
Comment 17•15 years ago
|
||
I should have been more attention to this bug and land the fix at least on Tuesday. Sorry about that.
|
||
Comment 18•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/629ab1d02019
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•15 years ago
|
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
Whiteboard: [ccbr] fixed-in-tracemonkey → [ccbr] fixed-in-tracemonkey[crashkill]
|
||
Updated•13 years ago
|
Crash Signature: [@ JS_CallTracer]
|
|
Reporter | |
Updated•12 years ago
|
|
||
Comment 19•11 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•