Last Comment Bug 698148 - TI: GC related crash [@ JS::Value::isMarkable]
: TI: GC related crash [@ JS::Value::isMarkable]
Status: RESOLVED FIXED
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Brian Hackett (:bhackett)
:
:
Mentors:
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
 
Reported: 2011-10-28 16:37 PDT by Christian Holler (:decoder)
Modified: 2013-02-07 05:20 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
patch (480 bytes, patch)
2011-10-30 08:53 PDT, Brian Hackett (:bhackett) 		luke: review+
Details | Diff | Splinter Review
View All Add an attachment (proposed patch, testcase, etc.)

Description Christian Holler (:decoder) 2011-10-28 16:37:51 PDT 
The following testcase crashes on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:


expect = 'Test skipped.';
function addPointImagedata(pointArray, n, col, row) {
    pointArray[expect + 2] = 2;
}
function createMandelSet() {
    points = new Array;
    for (var idx = 0; idx < 1440000 ; ++idx) {
    	points[idx] = 0
    }
    addPointImagedata(points, ({}, {}), 0,0)
}
createMandelSet();
Comment 1 Christian Holler (:decoder) 2011-10-28 16:39:09 PDT 
Just to clarify, TI only (reporter script missed this in subject). Backtrace:


==57910== Invalid read of size 8
==57910==    at 0x475320: JS::Value::isMarkable() const (jsapi.h:467)
==57910==    by 0x4B8F8B: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:435)
==57910==    by 0x4B9145: js::gc::MarkValueRange(JSTracer*, JS::Value const*, JS::Value const*, char const*) (jsgcmark.cpp:466)
==57910==    by 0x4B9196: js::gc::MarkValueRange(JSTracer*, unsigned long, JS::Value const*, char const*) (jsgcmark.cpp:473)
==57910==    by 0x4AD1DA: js::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:1894)
==57910==    by 0x4A8316: js::MarkContext(JSTracer*, JSContext*) (jsgc.cpp:1917)
==57910==    by 0x4A84FF: js::MarkRuntime(JSTracer*) (jsgc.cpp:1944)
==57910==    by 0x4A8DCD: BeginMarkPhase(JSContext*, js::GCMarker*, JSGCInvocationKind) (jsgc.cpp:2352)
==57910==    by 0x4A970A: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2523)
==57910==    by 0x4A99D8: GCCycle(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2770)
==57910==    by 0x4A9C15: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind, js::gcstats::Reason) (jsgc.cpp:2830)
==57910==    by 0x4A7620: js::gc::RunLastDitchGC(JSContext*) (jsgc.cpp:1518)
==57910==  Address 0xbda000 is not stack'd, malloc'd or (recently) free'd
Comment 2 Christian Holler (:decoder) 2011-10-28 17:57:44 PDT 
As the first comment is a bit misleading: This only affects the JM branch, not m-c.
Comment 3 Brian Hackett (:bhackett) 2011-10-30 08:53:37 PDT 
Created attachment 570555 [details] [diff] [review]
patch

Oops, stupid bug.  During makeDenseArraySlow the static emptyObjectElements array was being rooted, not the elements of the array being slowified.

https://hg.mozilla.org/projects/jaegermonkey/rev/f951e9151626
Comment 4 Luke Wagner [:luke] 2011-11-08 16:21:37 PST 
Comment on attachment 570555 [details] [diff] [review]
patch

Ghastly
Comment 5 Christian Holler (:decoder) 2013-02-07 05:20:40 PST 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Note You need to log in before you can comment on or make changes to this bug.