563133 - Crash [@ js_CallGCMarker] with gczeal

Status: RESOLVED DUPLICATE of bug 563243

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for (w in [Boolean(false)]) {
    gczeal(1)
}
__defineGetter__("x", Array.reduce)
Math.log()
x -= y

crashes js debug shell on TM tip without -j at js_CallGCMarker at a weird memory address. This might affect opt too, if gczeal support in opt was enabled.

===

js> for (w in [Boolean(false)]) {
    gczeal(1)
}
js> __defineGetter__("x", Array.reduce)
js> Math.log()
NaN
js> x -= y

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xdadfe950
0x00072a0a in js_CallGCMarker (trc=0xbfffe6fc, thing=0xdadadad8, kind=1) at ../jsgc.cpp:2064
2064            JS_ASSERT(!ainfo->list);
(gdb) bt
#0  0x00072a0a in js_CallGCMarker (trc=0xbfffe6fc, thing=0xdadadad8, kind=1) at ../jsgc.cpp:2064
#1  0x000b282e in js_TraceObject (trc=0xbfffe6fc, obj=0x6021e0) at ../jsobj.cpp:6348
#2  0x00072382 in JS_TraceChildren (trc=0xbfffe6fc, thing=0x6021e0, kind=0) at ../jsgc.cpp:1830
#3  0x00072b6a in js_CallGCMarker (trc=0xbfffe6fc, thing=0x6021e0, kind=0) at ../jsgc.cpp:2106
#4  0x00017859 in JS_CallTracer (trc=0xbfffe6fc, thing=0x6021e0, kind=0) at ../jsapi.cpp:1882
#5  0x000732ec in JSWeakRoots::mark (this=0xbfffe7c4, trc=0xbfffe6fc) at ../jsgc.cpp:2326
#6  0x00077f35 in js::AutoGCRooter::trace (this=0xbfffe7b8, trc=0xbfffe6fc) at jscntxtinlines.h:81
#7  0x000737b8 in js_TraceContext (trc=0xbfffe6fc, acx=0x85a600) at ../jsgc.cpp:2398
#8  0x000738eb in js_TraceRuntime (trc=0xbfffe6fc) at ../jsgc.cpp:2429
#9  0x0007502f in GC (cx=0x85a600) at ../jsgc.cpp:3001
#10 0x00075336 in GCUntilDone (cx=0x85a600, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3182
#11 0x00075450 in js_GC (cx=0x85a600, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3512
#12 0x0007553e in LastDitchGC (cx=0x85a600) at ../jsgc.cpp:1426
#13 0x00075dd5 in RefillFinalizableFreeList (cx=0x85a600, thingKind=4) at ../jsgc.cpp:1450
#14 0x000760ef in js_NewFinalizableGCThing (cx=0x85a600, thingKind=4) at ../jsgc.cpp:1558
#15 0x0011d442 in js_NewGCString (cx=0x85a600) at jsgc.h:284
#16 0x0011dc63 in js_NewString (cx=0x85a600, chars=0x40cc10, length=8) at ../jsstr.cpp:3079
#17 0x0001128c in JS_NewStringCopyZ (cx=0x85a600, s=0x860e10 "\"length\"") at ../jsapi.cpp:5108
#18 0x000d8f42 in js_QuoteString (cx=0x85a600, str=0x600400, quote=34) at ../jsopcode.cpp:723
#19 0x0011df2a in js_ValueToSource (cx=0x85a600, v=6292484) at ../jsstr.cpp:3301
#20 0x000d69d8 in js_DecompileValueGenerator (cx=0x85a600, spindex=0, v=6292484, fallback=0x0) at ../jsopcode.cpp:5209
#21 0x00036cc9 in js_ReportValueErrorFlags (cx=0x85a600, flags=0, errorNumber=162, spindex=0, v=6292484, fallback=0x0, arg1=0x0, arg2=0x0) at ../jscntxt.cpp:1801
#22 0x000b743c in js_GetPropertyHelper (cx=0x85a600, obj=0x602000, id=6292484, getHow=0, vp=0xbfffebf4) at ../jsobj.cpp:4820
#23 0x000b7daf in js_GetProperty (cx=0x85a600, obj=0x602000, id=6292484, vp=0xbfffebf4) at ../jsobj.cpp:4851
#24 0x0012a305 in JSObject::getProperty (this=0x602000, cx=0x85a600, id=6292484, vp=0xbfffebf4) at jsobj.h:568
#25 0x0002d429 in js_GetLengthProperty (cx=0x85a600, obj=0x602000, lengthp=0xbfffec84) at ../jsarray.cpp:247
#26 0x0002d4f6 in array_extra (cx=0x85a600, mode=REDUCE, argc=0, vp=0x85ce38) at ../jsarray.cpp:2991
#27 0x0002dc07 in array_reduce (cx=0x85a600, argc=0, vp=0x85ce38) at ../jsarray.cpp:3179
#28 0x00014737 in js_generic_fast_native_method_dispatcher (cx=0x85a600, argc=0, vp=0x85ce38) at ../jsapi.cpp:4287
#29 0x000a2e3d in js_Invoke (cx=0x85a600, argc=0, vp=0x85ce38, flags=0) at jsinterp.cpp:693
#30 0x000a38c5 in js_InternalInvoke (cx=0x85a600, obj=0x602000, fval=6309520, flags=0, argc=0, argv=0x0, rval=0xbffff2cc) at jsinterp.cpp:882
#31 0x000a39db in js_InternalGetOrSet (cx=0x85a600, obj=0x602000, id=2021732, fval=6309520, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbffff2cc) at jsinterp.cpp:919
#32 0x000bfc0f in JSScopeProperty::get (this=0x85bdf0, cx=0x85a600, obj=0x602000, pobj=0x602000, vp=0xbffff2cc) at jsscope.h:977
#33 0x000b702b in js_NativeGet (cx=0x85a600, obj=0x602000, pobj=0x602000, sprop=0x85bdf0, getHow=1, vp=0xbffff2cc) at ../jsobj.cpp:4669
#34 0x000b7565 in js_GetPropertyHelper (cx=0x85a600, obj=0x602000, id=2021732, getHow=1, vp=0xbffff2cc) at ../jsobj.cpp:4841
#35 0x0008c03b in js_Interpret (cx=0x85a600) at jsops.cpp:1479
#36 0x000a25cb in js_Execute () at jsinterp.cpp:1073
#37 0x000123b0 in JS_ExecuteScript (cx=0x85a600, obj=0x602000, script=0x40c840, rval=0xbffff778) at ../jsapi.cpp:4818
#38 0x0000b065 in Process (cx=0x85a600, obj=0x602000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:542
#39 0x0000ba39 in ProcessArgs (cx=0x85a600, obj=0x602000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:863
#40 0x0000bbee in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5038
(gdb) x/i $eip
0x72a0a <js_CallGCMarker+332>:  mov    (%eax),%eax
(gdb) x/1b $eax
0xdadfe950:     Cannot access memory at address 0xdadfe950

We're trying to access memory from a weird location. Assuming [sg:critical?].

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to bug 482038:

The first bad revision is:
changeset:   26024:6373919ecd37
user:        Igor Bukanov
date:        Thu Mar 12 10:15:55 2009 +0100
summary:     bug 482038 - removal of JSRuntime.gcPoke checks from js_NewGCThing. r=brendan

Comment 2

[Robert Sayre]

assigned to igor per bisect blame.

Comment 3

[Igor Bukanov]

The latest TM tip (hg 3a9808cb8d50) asserts on the test case from the comment 0:

Assertion failure: newShape != sprop->shape, at /home/igor/m/tm/js/src/jsscopeinlines.h:183
Aborted

The same assert happens with a simpler test case:

gczeal(1)
__defineGetter__("x", Array.reduce)
Math.log()
x -= y

But the stack trace looks similar to the comment 0 as it again involves the GC called under the error reporting. 

#1  0x000000000054d7a6 in JS_Assert (s=0x620423 "newShape != sprop->shape", file=0x6202f0 "/home/igor/m/tm/js/src/jsscopeinlines.h", ln=183) at /home/igor/m/tm/js/src/jsutil.cpp:79
#2  0x00000000004c6591 in JSScope::trace (this=0x8f7c30, trc=0x7fffffffcc90) at /home/igor/m/tm/js/src/jsscopeinlines.h:183
#3  0x00000000004c3681 in js_TraceObject (trc=0x7fffffffcc90, obj=0x7ffff5c02040) at /home/igor/m/tm/js/src/jsobj.cpp:6021
#4  0x0000000000492d06 in JS_TraceChildren (trc=0x7fffffffcc90, thing=0x7ffff5c02040, kind=0) at /home/igor/m/tm/js/src/jsgc.cpp:1827
#5  0x0000000000493723 in js_CallGCMarker (trc=0x7fffffffcc90, thing=0x7ffff5c02040, kind=0) at /home/igor/m/tm/js/src/jsgc.cpp:2103
#6  0x000000000042db5b in JS_CallTracer (trc=0x7fffffffcc90, thing=0x7ffff5c02040, kind=0) at /home/igor/m/tm/js/src/jsapi.cpp:1885
#7  0x000000000044816b in JSObject::traceProtoAndParent (this=0x7ffff5c02100, trc=0x7fffffffcc90) at /home/igor/m/tm/js/src/jsobj.h:381
#8  0x00000000004c3758 in js_TraceObject (trc=0x7fffffffcc90, obj=0x7ffff5c02100) at /home/igor/m/tm/js/src/jsobj.cpp:6035
#9  0x0000000000492d06 in JS_TraceChildren (trc=0x7fffffffcc90, thing=0x7ffff5c02100, kind=0) at /home/igor/m/tm/js/src/jsgc.cpp:1827
#10 0x0000000000493723 in js_CallGCMarker (trc=0x7fffffffcc90, thing=0x7ffff5c02100, kind=0) at /home/igor/m/tm/js/src/jsgc.cpp:2103
#11 0x0000000000493879 in js_CallValueTracerIfGCThing (trc=0x7fffffffcc90, v=140737316397312) at /home/igor/m/tm/js/src/jsgc.cpp:2151
#12 0x0000000000493b42 in gc_root_traversal (table=0x8a51a8, hdr=0x8a6c58, num=0, arg=0x7fffffffcc90) at /home/igor/m/tm/js/src/jsgc.cpp:2205
#13 0x00000000004626a5 in JS_DHashTableEnumerate (table=0x8a51a8, etor=0x493881 <gc_root_traversal>, arg=0x7fffffffcc90) at /home/igor/m/tm/js/src/jsdhash.cpp:743
#14 0x0000000000494b72 in js_TraceRuntime (trc=0x7fffffffcc90) at /home/igor/m/tm/js/src/jsgc.cpp:2419
#15 0x00000000004956a5 in GC (cx=0x8caeb0) at /home/igor/m/tm/js/src/jsgc.cpp:2984
#16 0x0000000000495a75 in GCUntilDone (cx=0x8caeb0, gckind=GC_LOCK_HELD) at /home/igor/m/tm/js/src/jsgc.cpp:3163
#17 0x000000000049643a in js_GC (cx=0x8caeb0, gckind=GC_LOCK_HELD) at /home/igor/m/tm/js/src/jsgc.cpp:3493
#18 0x00000000004919c8 in LastDitchGC (cx=0x8caeb0) at /home/igor/m/tm/js/src/jsgc.cpp:1423
#19 0x0000000000491b60 in RefillFinalizableFreeList (cx=0x8caeb0, thingKind=1) at /home/igor/m/tm/js/src/jsgc.cpp:1447
#20 0x00000000004920c3 in js_NewFinalizableGCThing (cx=0x8caeb0, thingKind=1) at /home/igor/m/tm/js/src/jsgc.cpp:1555
#21 0x0000000000485dae in js_NewGCFunction (cx=0x8caeb0) at /home/igor/m/tm/js/src/jsgc.h:291
#22 0x00000000004861ea in NewObjectWithGivenProto (cx=0x8caeb0, clasp=0x88b0c0, proto=0x7ffff5c03000, parent=0x7ffff5c02000, objectSize=0) at /home/igor/m/tm/js/src/jsobjinlines.h:538
#23 0x00000000004865cc in NewObject (cx=0x8caeb0, clasp=0x88b0c0, proto=0x7ffff5c03000, parent=0x7ffff5c02000, objectSize=0) at /home/igor/m/tm/js/src/jsobjinlines.h:614
#24 0x000000000048ca88 in js_NewFunction (cx=0x8caeb0, funobj=0x0, native=0x483d4c <Exception>, nargs=3, flags=0, parent=0x7ffff5c02000, atom=0x7ffff5c00424) at /home/igor/m/tm/js/src/jsfun.cpp:2394
#25 0x000000000048d0d2 in js_DefineFunction (cx=0x8caeb0, obj=0x7ffff5c02000, atom=0x7ffff5c00424, native=0x483d4c <Exception>, nargs=3, attrs=0) at /home/igor/m/tm/js/src/jsfun.cpp:2548
#26 0x0000000000484e00 in js_InitExceptionClasses (cx=0x8caeb0, obj=0x7ffff5c02000) at /home/igor/m/tm/js/src/jsexn.cpp:1026
#27 0x00000000004bc32b in js_GetClassObject (cx=0x8caeb0, obj=0x7ffff5c02000, key=JSProto_TypeError, objp=0x7fffffffd2c8) at /home/igor/m/tm/js/src/jsobj.cpp:3668
#28 0x00000000004bc5c1 in js_FindClassObject (cx=0x8caeb0, start=0x0, protoKey=JSProto_TypeError, vp=0x7fffffffd328, clasp=0x0) at /home/igor/m/tm/js/src/jsobj.cpp:3733
#29 0x00000000004c23ed in js_GetClassPrototype (cx=0x8caeb0, scope=0x7ffff5c02000, protoKey=JSProto_TypeError, protop=0x7fffffffd3f0, clasp=0x0) at /home/igor/m/tm/js/src/jsobj.cpp:5644
#30 0x00000000004852fd in js_ErrorToException (cx=0x8caeb0, message=0x8fa610 "missing argument 0 when calling function reduce", reportp=0x7fffffffd4c0, callback=0x452a5d <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at /home/igor/m/tm/js/src/jsexn.cpp:1157
#31 0x00000000004513c1 in ReportError (cx=0x8caeb0, message=0x8fa610 "missing argument 0 when calling function reduce", reportp=0x7fffffffd4c0, callback=0x452a5d <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0) at /home/igor/m/tm/js/src/jscntxt.cpp:1314
#32 0x0000000000452334 in js_ReportErrorNumberVA (cx=0x8caeb0, flags=0, callback=0x452a5d <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=227, charArgs=1, ap=0x7fffffffd570) at /home/igor/m/tm/js/src/jscntxt.cpp:1669
#33 0x0000000000438965 in JS_ReportErrorNumber (cx=0x8caeb0, errorCallback=0x452a5d <js_GetErrorMessage(void*, char const*, unsigned int)>, userRef=0x0, errorNumber=227) at /home/igor/m/tm/js/src/jsapi.cpp:5338
#34 0x00000000004528c1 in js_ReportMissingArg (cx=0x8caeb0, vp=0x8fc040, arg=0) at /home/igor/m/tm/js/src/jscntxt.cpp:1780
#35 0x0000000000434ec7 in js_generic_fast_native_method_dispatcher (cx=0x8caeb0, argc=0, vp=0x8fc040) at /home/igor/m/tm/js/src/jsapi.cpp:4199
#36 0x000000000049f658 in js_Invoke (cx=0x8caeb0, argc=0, vp=0x8fc040, flags=0) at /home/igor/m/tm/js/src/jsinterp.cpp:691
#37 0x000000000049fe71 in js_InternalInvoke (cx=0x8caeb0, obj=0x7ffff5c02000, fval=140737316417648, flags=0, argc=0, argv=0x0, rval=0x7fffffffdee8) at /home/igor/m/tm/js/src/jsinterp.cpp:880
#38 0x000000000049ffd3 in js_InternalGetOrSet (cx=0x8caeb0, obj=0x7ffff5c02000, id=8974852, fval=140737316417648, mode=JSACC_READ, argc=0, argv=0x0, rval=0x7fffffffdee8) at /home/igor/m/tm/js/src/jsinterp.cpp:917
#39 0x00000000004c5f43 in JSScopeProperty::get (this=0x8f6268, cx=0x8caeb0, obj=0x7ffff5c02000, pobj=0x7ffff5c02000, vp=0x7fffffffdee8) at /home/igor/m/tm/js/src/jsscope.h:977
#40 0x00000000004bf2cc in js_NativeGet (cx=0x8caeb0, obj=0x7ffff5c02000, pobj=0x7ffff5c02000, sprop=0x8f6268, getHow=1, vp=0x7fffffffdee8) at /home/igor/m/tm/js/src/jsobj.cpp:4617
#41 0x00000000004bfcdc in js_GetPropertyHelper (cx=0x8caeb0, obj=0x7ffff5c02000, id=8974852, getHow=1, vp=0x7fffffffdee8) at /home/igor/m/tm/js/src/jsobj.cpp:4789
#42 0x00000000005f3a79 in js_Interpret (cx=0x8caeb0) at /home/igor/m/tm/js/src/jsops.cpp:1489
#43 0x00000000004a079e in js_Execute (cx=0x8caeb0, chain=0x7ffff5c02000, script=0x8fbee0, down=0x0, flags=0, result=0x0) at /home/igor/m/tm/js/src/jsinterp.cpp:1071
#44 0x0000000000436ba4 in JS_ExecuteScript (cx=0x8caeb0, obj=0x7ffff5c02000, script=0x8fbee0, rval=0x0) at /home/igor/m/tm/js/src/jsapi.cpp:4761
#45 0x0000000000404211 in Process (cx=0x8caeb0, obj=0x7ffff5c02000, filename=0x7fffffffe905 "/home/igor/s/x.js", forceTTY=0) at /home/igor/m/tm/js/src/shell/js.cpp:449
#46 0x0000000000405164 in ProcessArgs (cx=0x8caeb0, obj=0x7ffff5c02000, argv=0x7fffffffe5d0, argc=1) at /home/igor/m/tm/js/src/shell/js.cpp:863
#47 0x000000000040ec70 in main (argc=1, argv=0x7fffffffe5d0, envp=0x7fffffffe5e0) at /home/igor/m/tm/js/src/shell/js.cpp:5083

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this issue seems to have been fixed by bug 563243:

The first good revision is:
changeset:   41829:0f5867192284
user:        Blake Kaplan
date:        Mon May 03 15:23:01 2010 -0700
summary:     Fix bug 563243. r=jorendorff

Tested on 64-bit Ubuntu Linux.

Comment 5

[Daniel Veditz [:dveditz]]

On both 3.5 and 3.6 I see the assertions with the testcases in comment 0 and comment 3

Comment 6

[Igor Bukanov]

The bug is another demonstration of the bug 563243.