Bug 633513 - ARM-Linux: segfault during js_free (heap corruption?)
Status: RESOLVED INCOMPLETE (Closed)
Opened 15 years ago; closed 2 years ago
Component: Core :: JavaScript Engine (defect)
Reporter: jseward; Assignee: Unassigned
Description
This is for a build of M-C of 12 Feb 2011, on arm-linux (Ubuntu 10.04.1),
built for Firefox, not Fennec. [but assuming this is jsengine related,
that shouldn't matter, right?]
After some time it segfaults as below. STR to follow.
I have seen this twice now on ARM Linux.
Not on x86 or x86_64 Linux though.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x448643d0 (LWP 10766)]
*__GI___libc_free (mem=0x6700) at malloc.c:3709
3709 malloc.c: No such file or directory.
in malloc.c
(gdb) where
#0 *__GI___libc_free (mem=0x6700) at malloc.c:3709
#1 0x40d3b866 in js_free (this=0x2213f0) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/jsutil.h:222
#2 js::GCHelperThread::freeElementsAndArray (this=0x2213f0) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/jsgc.h:903
#3 js::GCHelperThread::doSweep (this=0x2213f0) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/jsgc.cpp:2138
#4 0x40d3b8ba in js::GCHelperThread::threadLoop (this=0x2213f0, rt=0x221280) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/jsgc.cpp:2083
#5 0x40d3b908 in js::GCHelperThread::threadMain (arg=0x40d3b867) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/jsgc.cpp:2066
#6 0x412e875a in _pt_root (arg=<value optimized out>) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/nsprpub/pr/src/pthreads/ptthread.c:187
#7 0x4003819a in start_thread (arg=<value optimized out>) at pthread_create.c:302
#8 0x41c34b38 in clone () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:105
#9 0x41c34b38 in clone () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:105
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 1 (Reporter, 15 years ago)
STR: load 4 tabs as below, with bbc news displayed, and idle for ~1/2 hour
with GDB attached. Segfaults.
* http://techcrunch.com
* http://www.cad-comic.com/cad
* http://www.cad-comic.com/cad/20021211
* http://www.bbc.co.uk/news
Comment 2 (Reporter, 15 years ago)
Here's another:
Program received signal SIGSEGV, Segmentation fault.
JSC::ARMAssembler::patchPointerInternal (f=..., ic=0x5cb1e40) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/assembler/assembler/ARMAssembler.h:1013
1013 ARMWord* addr = getLdrImmAddress(insn);
(gdb) p insn
$1 = (JSC::ARMWord *) 0x0
(gdb) where
#0 JSC::ARMAssembler::patchPointerInternal (f=..., ic=0x5cb1e40) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/assembler/assembler/ARMAssembler.h:1013
#1 JSC::ARMAssembler::repatchInt32 (f=..., ic=0x5cb1e40) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/assembler/assembler/ARMAssembler.h:1043
#2 JSC::AbstractMacroAssembler<JSC::ARMAssembler>::repatchInt32 (f=..., ic=0x5cb1e40)
at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/assembler/assembler/AbstractMacroAssembler.h:588
#3 JSC::RepatchBuffer::repatch (f=..., ic=0x5cb1e40) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/assembler/assembler/RepatchBuffer.h:110
#4 js::mjit::ic::GetGlobalName (f=..., ic=0x5cb1e40) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/methodjit/MonoIC.cpp:105
#5 0x40def43a in JaegerStubVeneer () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
#6 0x40def43a in JaegerStubVeneer () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 3 (Reporter, 15 years ago)
Program received signal SIGSEGV, Segmentation fault.
0x40e23d40 in EqualityCompiler::update() () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
(gdb) disp /i $pc
1: x/i $pc
=> 0x40e23d40 <_ZN16EqualityCompiler6updateEv+1188>: str r0, [r3, #0]
(gdb) p/x $r3
$1 = 0x47469659
(gdb) where
#0 0x40e23d40 in EqualityCompiler::update() () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
#1 0x40e21682 in js::mjit::ic::Equality (f=..., ic=0x51f0000) at /import/zazenhausen/sewardj/jrs/MOZ/MC-10-02-2011/js/src/methodjit/MonoIC.cpp:392
#2 0x40def43a in JaegerStubVeneer () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
#3 0x40def43a in JaegerStubVeneer () from /home/sewardj/jrs/MOZ/MC-10-02-2011/ff-opt/toolkit/library/libxul.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 4 (Reporter, 15 years ago)
I tried the change below, as spotted by Nick and OK'd by Jacob, but
the segfaults are still present.
--- a/js/src/methodjit/BaseCompiler.h Wed Feb 09 16:16:12 2011 -0800
+++ b/js/src/methodjit/BaseCompiler.h Mon Feb 14 18:33:32 2011 +0100
@@ -168,8 +168,8 @@
if (!ep)
return ep;
+ m_code = executableCopy(masm, ep);
m_size = masm.size();
- m_code = executableCopy(masm, ep);
if (!m_code) {
ep->release();
js_ReportOutOfMemory(cx);
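Review bot: the hunk swaps the order of `m_code = executableCopy(masm, ep);` and `m_size = masm.size();` without saying why, and nothing in the visible lines shows that executableCopy can change what masm.size() returns; if the copy can grow the buffer (the only reason the order would matter), put a one-line comment above the moved assignment stating that so the ordering is not silently reverted later, and if it cannot, the reorder is a no-op, which is consistent with the comment above reporting that the segfaults persist. Also note that m_size is now assigned even when executableCopy returns null, before the `if (!m_code)` error path runs; harmless if nothing reads m_size on that path, but worth confirming.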
Updated 11 years ago
Assignee: general → nobody
Updated 3 years ago
Severity: normal → S3
Updated 2 years ago
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE