Closed
Bug 590088
Opened 14 years ago
Closed 14 years ago
JM: Crash [@ js::Mark] or "Assertion failure: thing,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(4 keywords)
Crash Data
Attachments
(1 file, 1 obsolete file)
11.40 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
Function("var a=e=(function(){*::*}).prototype")() gc() crashes js opt shell on JM changeset e42b505b43f3 with -m but without -j at js::Mark and asserts js debug shell at Assertion failure: thing, at ../jsgc.cpp:2115 (gdb) bt #0 0x00056e03 in js::Mark () #1 0x00080130 in js_TraceObject () #2 0x000570b6 in js::Mark () #3 0x00055da1 in JS_TraceChildren () #4 0x000570b6 in js::Mark () #5 0x00080130 in js_TraceObject () #6 0x000570b6 in js::Mark () #7 0x00055da1 in JS_TraceChildren () #8 0x000570b6 in js::Mark () #9 0x00055d86 in JS_TraceChildren () #10 0x000570b6 in js::Mark () #11 0x00055d86 in JS_TraceChildren () #12 0x000570b6 in js::Mark () #13 0x00057c23 in js::MarkConservativeStackRoots () #14 0x00057f0b in js_TraceRuntime () #15 0x000588d7 in js_GC () #16 0x00010767 in JS_GC () #17 0x000066b3 in GC () #18 0x001d5a07 in js::mjit::stubs::SlowCall () #19 0x002d7557 in ?? () #20 0x00189152 in js::mjit::JaegerShot () #21 0x0006fdb1 in js::Execute () #22 0x00014bb8 in JS_ExecuteScript () #23 0x0000564c in Process () #24 0x000093c7 in shell () #25 0x000098f8 in main () (gdb) x/i $eip 0x56e03 <_ZN2js4MarkEP8JSTracerPvj+147>: mov %edx,(%esi) (gdb) x/b $edx 0x85000001: Cannot access memory at address 0x85000001 (gdb) x/b $esi 0xfa000 <_ZL10str_searchP9JSContextjPN2js5ValueE+896>: 0x00
Assignee | ||
Comment 1•14 years ago
|
||
Great bug. JM is putting garbage in the call object. Two options: 1) conservatively scan the slots, and 2) only copy slots that can escape (leaving the rest undefined). This patch takes the second approach as I think long-term it will lead to more optimal code. Block objects probably have the same bug, I will file a follow-up.
Comment 2•14 years ago
|
||
Comment on attachment 468881 [details] [diff] [review] fix Just to make sure I understand the cause, the copying part doesn't work because the slots are not necessarily up to date, in particular if they are constants? And you fixed it this way instead of making sure the slots are flushed because flushing the slots would slow us down?
Attachment #468881 -
Flags: review?(dmandelin) → review+
Assignee | ||
Comment 3•14 years ago
|
||
> the slots are not necessarily up to date
Yes, though in this case, slots we don't care about - ones that can't escape. The call object copies them all blindly. JM doesn't sync unescaping slots, so they are garbage memory.
Comment 4•14 years ago
|
||
(In reply to comment #3) > > the slots are not necessarily up to date > > Yes, though in this case, slots we don't care about - ones that can't escape. > The call object copies them all blindly. JM doesn't sync unescaping slots, so > they are garbage memory. Got it. Thanks.
Assignee | ||
Comment 5•14 years ago
|
||
Landed, but then backed out due to reftest failure.
Comment 6•14 years ago
|
||
The problem was that the new CALLS_EVAL function/script bit introduced for strict mode arguments is only propagated upward (to parents of closures) if both are strict mode. But the way we use that function in JM requires it to propagate always. In particular, for this bug, we need to copy all values into call objects on function exit if eval is called transitively, because any eval at any level down could access any local variable.
Attachment #468881 -
Attachment is obsolete: true
Attachment #470066 -
Flags: review?(dvander)
Assignee | ||
Comment 7•14 years ago
|
||
Comment on attachment 470066 [details] [diff] [review] Patch, revised to fix the bug that bounced it off tinderbox Nice find, thanks!
Attachment #470066 -
Flags: review?(dvander) → review+
Comment 8•14 years ago
|
||
http://hg.mozilla.org/projects/jaegermonkey/rev/145621513207
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ js::Mark]
You need to log in
before you can comment on or make changes to this bug.
Description
•