Bug 639311 - TI: Crash [@ js::types::SweepTypeObjectList]
Status: Closed (opened 14 years ago, closed 14 years ago); RESOLVED FIXED
Categories: Core :: JavaScript Engine, defect
People: Reporter: gkw, Unassigned
Keywords: crash, regression, testcase; Whiteboard: [ccbr] fixed-in-jaegermonkey

Description
try {
    Reflparse("")
} catch(e) {}
Reflect.parse("for(var a;a;j){if(a%2==0){c()}}")
try {
    (function() {
        for (a = 0;; j) {
            gc()
        }
    })()
} catch(e) {
    delete this.Math
}
gc()
Reflect.parse("let(x){}")
gc()
crashes js opt shell on JM changeset a0812f46f7ba without -m or -j at js::types::SweepTypeObjectList but does not seem to do anything bad in debug shell.
===
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x07af0014
0x00097e64 in js::types::SweepTypeObjectList ()
(gdb) bt
#0 0x00097e64 in js::types::SweepTypeObjectList ()
#1 0x00046cc4 in JSCompartment::sweep ()
#2 0x00091884 in GCUntilDone ()
#3 0x00091e8e in js_GC ()
#4 0x000160c2 in JS_GC ()
#5 0x000076e9 in GC ()
#6 0x000b5169 in js::Interpret ()
#7 0x000c9e1c in js::RunScript ()
#8 0x000cc173 in js::Execute ()
#9 0x0001bd88 in JS_ExecuteScript ()
#10 0x00006e0c in Process ()
#11 0x0000c810 in Shell ()
#12 0x0000ce1c in main ()
(gdb) x/i $pc
0x97e64 <_ZN2js5types19SweepTypeObjectListEP9JSContextRPNS0_10TypeObjectE+52>: cmpb $0x0,0x9(%eax)
(gdb) x/b $eax
0x7af000b: Cannot access memory at address 0x7af000b
Comment 1 • 14 years ago
I can't reproduce this crash, but I ran under valgrind and there's a fairly egregious use-after-free bug in that function, where we try to walk arbitrary TypeObjects as they are being swept. This also fixes a memory leak where some constraints were not being freed while sweeping.
http://hg.mozilla.org/projects/jaegermonkey/rev/ae418087b4da
Gary, can you confirm this fixes the crash?
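The sweep hazard described in comment 1 (walking a list of type objects while those same objects are being freed, and the accompanying leak of owned constraints), as an added illustration in C. This is a deliberately simplified hypothetical model, not SpiderMonkey's code; the structures, names and counters are assumptions.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical model of a GC type object list (assumed, not SpiderMonkey's). */
typedef struct Constraint { struct Constraint *next; } Constraint;
typedef struct TypeObject {
    struct TypeObject *next;   /* intrusive list link */
    bool marked;               /* set by the mark phase for live objects */
    Constraint *constraints;   /* owned by the object; must go when it goes */
} TypeObject;

static int freed_constraints = 0;   /* bookkeeping so the leak fix is observable */

static void free_constraints(Constraint *c) {
    while (c) { Constraint *n = c->next; free(c); c = n; freed_constraints++; }
}

/* Unsafe pattern (what a use-after-free sweep looks like):
 *   for (obj = head; obj; obj = obj->next) { if (!obj->marked) free(obj); }
 * The loop reads obj->next out of memory it has just released, and a second
 * walker that still holds a pointer into the list sees the dead object.
 *
 * Safe sweep: unlink the dead object through a pointer-to-pointer BEFORE
 * freeing it, take its successor from the live link, and release the
 * constraints it owns. Returns the number of objects left alive. */
int sweep_type_objects(TypeObject **head) {
    int live = 0;
    TypeObject **link = head;
    while (*link) {
        TypeObject *obj = *link;
        if (obj->marked) { obj->marked = false; live++; link = &obj->next; continue; }
        *link = obj->next;                 /* list no longer references obj */
        free_constraints(obj->constraints);/* no leak of owned constraints  */
        free(obj);                         /* obj is never touched again    */
    }
    return live;
}

/* Constructed test data: one object with a given mark and n constraints. */
TypeObject *make_type_object(bool marked, int n) {
    TypeObject *o = calloc(1, sizeof *o);
    o->marked = marked;
    for (int i = 0; i < n; i++) {
        Constraint *c = calloc(1, sizeof *c);
        c->next = o->constraints; o->constraints = c;
    }
    return o;
}
```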
Comment 2 • 14 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 57065:0cd7e38f0b39
user: Brian Hackett
date: Fri Oct 29 08:05:55 2010 -0700
summary: [INFER] Javascript type inference, bug 557407.
OK, will recheck. By the way, the testcase in comment #0 has to be passed in as a CLI argument.
Comment 3 • 14 years ago (Reporter)
Yes, the crash is fixed!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [ccbr] → [ccbr] fixed-in-jaegermonkey
Updated • 14 years ago
Crash Signature: [@ js::types::SweepTypeObjectList]
Comment 4 • 13 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug639311.js.
Flags: in-testsuite+