Closed Bug 647183 Opened 14 years ago Closed 14 years ago

TI: Crash [@js::types::TypeSet::destroy] // GC related Memory corruption

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED FIXED

People

(Reporter: decoder, Unassigned)


(Keywords: crash, testcase)

Attachments

(1 file)

Attached file Valgrind log for 64bit
The following testcase crashes on TI tip (run with -n -m -a), tested on 64 bit:

var SECTION = "";
var VERSION = "";
function test() {}
function writeTestCaseResult( expect, actual, string ) {
  if (typeof document != "object" || !document.location.href.match(/jsreftest.html/)) { }
}
TIME_0000 = now = new Date;
TIME_NOW = now.valueOf();
function DaysInYear( y ) {
  function MakeDate( day, time ) { }
}
function TimeClip( t ) {
  if ( isNaN ) { Number.NaN; }
}
function runDSTOffsetCachingTestsFraction(part, parts) { print; };
test_times=( TIME_NOW, TIME_0000, ( SECTION, VERSION+".getUTCMinutes()", TIME_NOW.test_times,VERSION.SECTION ) , TIME_1900, TIME_2000, UTC_FEB_29_2000, UTC_JAN_1_2005 );
j = 0( SECTION, TimeClip(1.1), TZ_ADJUST );

Backtrace (looks like a GC-related memory corruption):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fae47a72720 (LWP 9838)]
0x00000000004eaedd in js::types::TypeSet::destroy (this=0x1298df8, cx=0x1210bf0) at ./jsinferinlines.h:1013
1013        if (constraintList->condensed() || constraintList->baseSubset())
(gdb) bt
#0  0x00000000004eaedd in js::types::TypeSet::destroy (this=0x1298df8, cx=0x1210bf0) at ./jsinferinlines.h:1013
#1  0x00000000004e89a2 in DestroyProperty (cx=0x1210bf0, prop=0x1298dd0) at jsinfer.cpp:4436
#2  0x00000000004e8a90 in SweepTypeObjectList (cx=0x1210bf0, objects=@0x1211480) at jsinfer.cpp:4459
#3  0x00000000004e8eca in js::types::TypeCompartment::sweep (this=0x1211480, cx=0x1210bf0) at jsinfer.cpp:4531
#4  0x00000000004720dd in JSCompartment::sweep (this=0x1211130, cx=0x1210bf0, releaseInterval=0) at jscompartment.cpp:591
#5  0x00000000004c33f0 in SweepCrossCompartmentWrappers (cx=0x1210bf0) at jsgc.cpp:2166
#6  0x00000000004c3df0 in MarkAndSweep (cx=0x1210bf0, gckind=GC_LAST_CONTEXT) at jsgc.cpp:2463
#7  0x00000000004c4215 in GCUntilDone (cx=0x1210bf0, comp=0x0, gckind=GC_LAST_CONTEXT) at jsgc.cpp:2750
#8  0x00000000004c43f9 in js_GC (cx=0x1210bf0, comp=0x0, gckind=GC_LAST_CONTEXT) at jsgc.cpp:2819
#9  0x0000000000469f6f in js_DestroyContext (cx=0x1210bf0, mode=JSDCM_FORCE_GC) at jscntxt.cpp:1094
#10 0x0000000000429214 in JS_DestroyContext (cx=0x1210bf0) at jsapi.cpp:1002
#11 0x0000000000410a52 in DestroyContext (cx=0x1210bf0, withGC=true) at js.cpp:5626
#12 0x00000000004111bb in main (argc=5, argv=0x7fffe0fc8cb0, envp=0x7fffe0fc8ce0) at js.cpp:5902
Memory corruption from uses of ICs after a recompilation triggered by ValueToObject (the GC is never invoked in this test). The only way this can happen is if the ValueToObject initializes a primitive Number/Boolean/String class (so that making these core classes non-lazy would simplify this PIC logic). http://hg.mozilla.org/projects/jaegermonkey/rev/c6bed35e308d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@js::types::TypeSet::destroy]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug647183.js.
Flags: in-testsuite+