Closed Bug 550665 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js::StackSpace::mark] or "Assertion failure: a->info.list, at ../jsgc.cpp"

Core :: JavaScript Engine, defect | x86 macOS | critical | RESOLVED FIXED
Reporter: gkw, Unassigned
Attachments: 1 file

function foo() { v = (Function("for(w in(a=((function(aaaaaa,bbbbbb){b:aaaaaa[bbbbbb]+(aaaaaa,bbbbbb)})([null]))))for(let z = 0; z < 1; z++)function(){}"))() }
foo("")
__defineSetter__("x", function() { gc() })
gc()
this.watch("x", function(x) { yield#3= {} })
for (var n;; n++) { x = true }

asserts js debug shell on JM tip without -j or -m at

Assertion failure: a->info.list, at ../jsgc.cpp:811

and crashes js opt shell on JM tip without -j or -m at js::StackSpace::mark

(Tested on JM rev 71ed74081c2d on Mac 10.6.2 32-bit shell)

js opt shell stack:

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 ??? 0000000000 0 + 0
1 js-opt-32-jm-darwin 0x000202f3 js::StackSpace::mark(JSTracer*) + 307
2 js-opt-32-jm-darwin 0x00021851 js_TraceThreads(JSRuntime*, JSTracer*) + 33
3 js-opt-32-jm-darwin 0x0004d7f7 js_TraceRuntime(JSTracer*, int) + 1063
4 js-opt-32-jm-darwin 0x0004dc6e js_GC(JSContext*, JSGCInvocationKind) + 990
5 js-opt-32-jm-darwin 0x0000f97a JS_GC + 58
6 js-opt-32-jm-darwin 0x00005c43 GC(JSContext*, unsigned int, long*) + 35
7 js-opt-32-jm-darwin 0x00059196 js_Interpret + 35974
8 js-opt-32-jm-darwin 0x00060891 js_Invoke + 1681
9 js-opt-32-jm-darwin 0x00060bf0 js_InternalInvoke + 208
10 js-opt-32-jm-darwin 0x0002a249 js_watch_set + 713
11 js-opt-32-jm-darwin 0x00060561 js_Invoke + 865
12 js-opt-32-jm-darwin 0x00060bf0 js_InternalInvoke + 208
13 js-opt-32-jm-darwin 0x00060cd3 js_InternalGetOrSet + 115
14 js-opt-32-jm-darwin 0x00069e57 js_NativeSet + 295
15 js-opt-32-jm-darwin 0x0006d7d4 js_SetPropertyHelper + 948
16 js-opt-32-jm-darwin 0x00050a79 js_Interpret + 1385
17 js-opt-32-jm-darwin 0x0005fdcc js_Execute + 860
18 js-opt-32-jm-darwin 0x0000dc0c JS_ExecuteScript + 60
19 js-opt-32-jm-darwin 0x00004b35 Process(JSContext*, JSObject*, char*, int) + 1621
20 js-opt-32-jm-darwin 0x00008a06 main + 1734
21 js-opt-32-jm-darwin 0x0000287d _start + 208
22 js-opt-32-jm-darwin 0x000027ac start + 40
Attached file testcase
Pass this into the shell as a CLI argument (./js testcase.js) to reproduce.
(Note: not the smallest regression window) Works in JM rev 46534269b967, but not in JM rev 71ed74081c2d.
This happens fairly often - and with various crash locations too, though almost all include js::StackSpace::mark.
GC, watchpoints, setters, Function(), and sharp objects oh my! All to expose a very very silly bug. Pushed with testcase. http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/62e9f6dd66b9
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Luke, is there a simple template inline function to help avoid this mistake and to consolidate all the mechanical length * sizeof(ELEM) noise? /be
There could easily be. How do these signatures look:

namespace js {
    template <class T> void memset_elem(T *elem, int value);
    template <class T> void memset_elems(T *elem, int value, int nelems);
}
Great -- jorendorff, waldo, or another hacker more expert at C++ should buddy. I'd go further and add memzero (bzero in BSD Unixes of old), since mostly we are memset'ing zeroes. /be
Filed bug 551276.
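An added illustration of the helpers proposed in the two comments above, written for this page and not SpiderMonkey's own code nor what bug 551276 landed: the templates derive the byte count from the element type, so a caller cannot pass an element count where memset() wants bytes. The Slot struct and kSlots are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

namespace js {
// Fill one element; sizeof(T) is computed for the caller.
template <class T>
inline void memset_elem(T *elem, int value) { std::memset(elem, value, sizeof(T)); }

// Fill nelems consecutive elements; no hand-written length * sizeof(T).
template <class T>
inline void memset_elems(T *elems, int value, size_t nelems) {
    std::memset(elems, value, nelems * sizeof(T));
}

// The zero-fill case, which is what most callers want.
template <class T>
inline void memzero_elems(T *elems, size_t nelems) { memset_elems(elems, 0, nelems); }
} // namespace js

// Hypothetical GC-traced slot, constructed for this example (not the real layout).
struct Slot { uint32_t tag; void *payload; };
static const size_t kSlots = 8;

// Seed every slot with non-zero "stale" contents a marker would try to trace.
static void fill_stale(Slot *slots) {
    for (size_t i = 0; i < kSlots; i++) { slots[i].tag = 0xdeadbeef; slots[i].payload = &slots[i]; }
}

// Count slots whose fields are all zero.
static size_t count_zeroed(const Slot *slots) {
    size_t n = 0;
    for (size_t i = 0; i < kSlots; i++)
        if (slots[i].tag == 0 && slots[i].payload == nullptr) n++;
    return n;
}

// The mistake: kSlots is an element count, memset() takes bytes, so only the
// first kSlots bytes are cleared and the tail keeps stale pointers.
size_t zeroed_by_raw_memset() {
    Slot slots[kSlots];
    fill_stale(slots);
    std::memset(slots, 0, kSlots);  // BUG: should be kSlots * sizeof(Slot)
    return count_zeroed(slots);
}

// With the helper the byte count comes from the type, so every slot is cleared.
size_t zeroed_by_helper() {
    Slot slots[kSlots];
    fill_stale(slots);
    js::memzero_elems(slots, kSlots);
    return count_zeroed(slots);
}
```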
Crash Signature: [@ js::StackSpace::mark]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug550665.js.
Flags: in-testsuite+