Closed Bug 673797 Opened 13 years ago Closed 13 years ago

TI: GC related crash [@ TypeConstraintCall::newType]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 9b9fd467eb5f (run with -j -m -n), tested on 64 bit:


function printBugNumber (num) {}
gczeal(2);
for (let q = 0; "arguments[0] = 17"? printBugNumber: ''; ++q) {
    new Function("for (var i = 0; i < 5; ++i) { } ")();
}
Valgrind Backtrace:

==30738== Invalid read of size 8
==30738==    at 0x4DFD56: TypeConstraintCall::newType(JSContext*, js::types::TypeSet*, js::types::Type) (jsinfer.cpp:1100)
==30738==    by 0x43F440: js::types::TypeCompartment::resolvePending(JSContext*) (jsinferinlines.h:794)
==30738==    by 0x4EFBC3: js::types::TypeSet::add(JSContext*, js::types::TypeConstraint*, bool) (jsinfer.cpp:408)
==30738==    by 0x4DED8B: js::types::TypeSet::addCall(JSContext*, js::types::TypeCallsite*) (jsinfer.cpp:593)
==30738==    by 0x4E6C1E: js::analyze::ScriptAnalysis::analyzeTypesBytecode(JSContext*, unsigned int, js::analyze::ScriptAnalysis::TypeInferenceState&) (jsinfer.cpp:3603)
==30738==    by 0x4E7A2E: js::analyze::ScriptAnalysis::analyzeTypes(JSContext*) (jsinfer.cpp:3915)
==30738==    by 0x4EF7A3: JSScript::ensureRanInference(JSContext*) (jsinferinlines.h:1349)
==30738==    by 0x6A97DA: js::mjit::Compiler::checkAnalysis(JSScript*) (Compiler.cpp:188)
==30738==    by 0x6AA5C4: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:508)
==30738==    by 0x6A96A7: js::mjit::Compiler::compile() (Compiler.cpp:160)
==30738==    by 0x6AB329: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:626)
==30738==    by 0x78BDCC: js::mjit::CanMethodJITAtBranch(JSContext*, JSScript*, js::StackFrame*, unsigned char*) (MethodJIT-inl.h:113)
==30738==  Address 0x5efb4e0 is 176 bytes inside a block of size 298 free'd
==30738==    at 0x4C270BD: free (vg_replace_malloc.c:366)
==30738==    by 0x404279: js_free (jsutil.h:251)
==30738==    by 0x413791: js::Foreground::free_(void*) (jsutil.h:493)
==30738==    by 0x43D0FB: JSRuntime::free_(void*) (jscntxt.h:730)
==30738==    by 0x43D59A: JSContext::free_(void*) (jscntxt.h:1263)
==30738==    by 0x5AD6B3: DestroyScript(JSContext*, JSScript*) (jsscript.cpp:1412)
==30738==    by 0x5AD779: js_DestroyScriptFromGC(JSContext*, JSScript*) (jsscript.cpp:1428)
==30738==    by 0x4B9B32: fun_finalize(JSContext*, JSObject*) (jsfun.cpp:1765)
==30738==    by 0x4C75FC: JSObject::finalize(JSContext*) (jsobjinlines.h:189)
==30738==    by 0x4D2439: bool js::gc::Arena::finalize<JSFunction>(JSContext*) (jsgc.cpp:245)
==30738==    by 0x4C6560: void js::gc::FinalizeArenas<JSFunction>(JSContext*, js::gc::ArenaHeader**) (jsgc.cpp:288)
==30738==    by 0x4CC20A: void js::gc::ArenaList::finalizeNow<JSFunction>(JSContext*) (jsgc.cpp:1248)

==30738== Invalid read of size 2
==30738==    at 0x4DFD5D: TypeConstraintCall::newType(JSContext*, js::types::TypeSet*, js::types::Type) (jsinfer.cpp:1100)
==30738==    by 0x43F440: js::types::TypeCompartment::resolvePending(JSContext*) (jsinferinlines.h:794)
==30738==    by 0x4EFBC3: js::types::TypeSet::add(JSContext*, js::types::TypeConstraint*, bool) (jsinfer.cpp:408)
==30738==    by 0x4DED8B: js::types::TypeSet::addCall(JSContext*, js::types::TypeCallsite*) (jsinfer.cpp:593)
==30738==    by 0x4E6C1E: js::analyze::ScriptAnalysis::analyzeTypesBytecode(JSContext*, unsigned int, js::analyze::ScriptAnalysis::TypeInferenceState&) (jsinfer.cpp:3603)
==30738==    by 0x4E7A2E: js::analyze::ScriptAnalysis::analyzeTypes(JSContext*) (jsinfer.cpp:3915)
==30738==    by 0x4EF7A3: JSScript::ensureRanInference(JSContext*) (jsinferinlines.h:1349)
==30738==    by 0x6A97DA: js::mjit::Compiler::checkAnalysis(JSScript*) (Compiler.cpp:188)
==30738==    by 0x6AA5C4: js::mjit::Compiler::performCompilation(js::mjit::JITScript**) (Compiler.cpp:508)
==30738==    by 0x6A96A7: js::mjit::Compiler::compile() (Compiler.cpp:160)
==30738==    by 0x6AB329: js::mjit::TryCompile(JSContext*, js::StackFrame*) (Compiler.cpp:626)
==30738==    by 0x78BDCC: js::mjit::CanMethodJITAtBranch(JSContext*, JSScript*, js::StackFrame*, unsigned char*) (MethodJIT-inl.h:113)
==30738==  Address 0xdadadadadadadb32 is not stack'd, malloc'd or (recently) free'd
Crash Signature: [@ TypeConstraintCall::newType]
Since the conservative GC can now pick up references to TypeObjects without the JSObjects they represent, we additionally need to make sure the functionScript for a scripted TypeObject is held as a strong reference.

http://hg.mozilla.org/projects/jaegermonkey/rev/4c2a1bf1b1ca
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.