Bug 698148 - TI: GC related crash [@ JS::Value::isMarkable]
Status: RESOLVED FIXED (closed)
Opened 11 years ago, closed 11 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Assigned: bhackett1024
Keywords: crash, testcase
Attachments (1 file): patch, 480 bytes, review+ (luke)
Description

The following testcase crashes on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:

    expect = 'Test skipped.';
    function addPointImagedata(pointArray, n, col, row) {
      pointArray[expect + 2] = 2;
    }
    function createMandelSet() {
      points = new Array;
      for (var idx = 0; idx < 1440000 ; ++idx) { points[idx] = 0 }
      addPointImagedata(points, ({}, {}), 0,0)
    }
    createMandelSet();
Comment 1 (Reporter, 11 years ago)
Just to clarify, TI only (reporter script missed this in subject). Backtrace:

    ==57910== Invalid read of size 8
    ==57910==    at 0x475320: JS::Value::isMarkable() const (jsapi.h:467)
    ==57910==    by 0x4B8F8B: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:435)
    ==57910==    by 0x4B9145: js::gc::MarkValueRange(JSTracer*, JS::Value const*, JS::Value const*, char const*) (jsgcmark.cpp:466)
    ==57910==    by 0x4B9196: js::gc::MarkValueRange(JSTracer*, unsigned long, JS::Value const*, char const*) (jsgcmark.cpp:473)
    ==57910==    by 0x4AD1DA: js::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:1894)
    ==57910==    by 0x4A8316: js::MarkContext(JSTracer*, JSContext*) (jsgc.cpp:1917)
    ==57910==    by 0x4A84FF: js::MarkRuntime(JSTracer*) (jsgc.cpp:1944)
    ==57910==    by 0x4A8DCD: BeginMarkPhase(JSContext*, js::GCMarker*, JSGCInvocationKind) (jsgc.cpp:2352)
    ==57910==    by 0x4A970A: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2523)
    ==57910==    by 0x4A99D8: GCCycle(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2770)
    ==57910==    by 0x4A9C15: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind, js::gcstats::Reason) (jsgc.cpp:2830)
    ==57910==    by 0x4A7620: js::gc::RunLastDitchGC(JSContext*) (jsgc.cpp:1518)
    ==57910==  Address 0xbda000 is not stack'd, malloc'd or (recently) free'd
Summary: GC related crash [@ JS::Value::isMarkable] → TI: GC related crash [@ JS::Value::isMarkable]
Comment 2 (Reporter, 11 years ago)
As the first comment is a bit misleading: This only affects the JM branch, not m-c.
Updated (Reporter, 11 years ago)
Version: Trunk → Other Branch
Comment 3 (Assignee, 11 years ago)
Oops, stupid bug. During makeDenseArraySlow the static emptyObjectElements array was being rooted, not the elements of the array being slowified. https://hg.mozilla.org/projects/jaegermonkey/rev/f951e9151626
Assignee: general → bhackett1024
Attachment #570555 -
Flags: review?(luke)
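An added illustration of the rooting mistake described in the comment above, written for this page in C++; it is not SpiderMonkey code and not the patch. All names (Value, DenseArray, ValueRangeRoot, emptyElements, markValueRange, rootRangeInBounds) are hypothetical stand-ins. The model also assumes one specific reading of the bug that the page does not spell out: that the root combined the static empty-elements base pointer with the real array's element count, so the mark phase walked 1440000 slots past a one-slot static buffer (which would match the Valgrind "Address ... is not stack'd, malloc'd or (recently) free'd" line in comment 1). The example contrasts that buggy root with a correct one and shows the cheap debug check that would have rejected it before marking.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical miniature of a GC value: low bit set means "points into the heap".
struct Value {
    uint64_t bits;
    bool isMarkable() const { return (bits & 1) != 0; }
};

// Shared static storage that every empty dense array points at
// (stand-in for the engine's emptyObjectElements; one slot, constructed here).
static Value emptyElements[1] = { {0} };

// A dense array owns its element storage unless it is empty.
struct DenseArray {
    std::vector<Value> storage;
    Value* elements;            // &storage[0], or emptyElements when empty
    size_t initializedLength;
    explicit DenseArray(size_t n) : storage(n, Value{0}), initializedLength(n) {
        elements = n ? storage.data() : emptyElements;
    }
};

// A GC root describing a contiguous range of Values the marker must visit.
// 'capacity' records how many Values are really addressable at 'base';
// real engines do not carry it, which is why the mismatch went unnoticed.
struct ValueRangeRoot {
    const Value* base;
    size_t count;
    size_t capacity;
};

// Debug check: the claimed range must fit inside the storage it points at.
bool rootRangeInBounds(const ValueRangeRoot& r) { return r.count <= r.capacity; }

// Mark phase over one root. Returns the number of markable Values visited,
// or -1 if the root would have read past its storage (the crash in this bug).
long markValueRange(const ValueRangeRoot& r) {
    if (!rootRangeInBounds(r)) return -1;
    long marked = 0;
    for (size_t i = 0; i < r.count; ++i)
        if (r.base[i].isMarkable()) ++marked;
    return marked;
}

// The buggy pairing (assumed): base from the static empty elements,
// count from the array actually being slowified.
ValueRangeRoot buggyRoot(const DenseArray& a) {
    return { emptyElements, a.initializedLength,
             sizeof(emptyElements) / sizeof(emptyElements[0]) };
}

// The correct pairing: base and count both taken from the same array.
ValueRangeRoot correctRoot(const DenseArray& a) {
    size_t cap = (a.elements == emptyElements) ? 1 : a.storage.size();
    return { a.elements, a.initializedLength, cap };
}

int main() {
    DenseArray big(1440000);          // same element count as the testcase
    big.storage[5] = Value{1};        // one heap-pointing value to find
    std::printf("buggy root:   %ld\n", markValueRange(buggyRoot(big)));    // -1
    std::printf("correct root: %ld\n", markValueRange(correctRoot(big)));  // 1
    DenseArray empty(0);              // empty arrays legitimately root the static slot
    std::printf("empty array:  %ld\n", markValueRange(correctRoot(empty))); // 0
    return 0;
}
```

The point of `capacity` is only to make the mismatch observable in a test; in the engine the equivalent guard is keeping base and length sourced from the same object, as the fix does.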
Updated (Assignee, 11 years ago)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 4 (11 years ago)
Comment on attachment 570555 (patch)

Ghastly
Attachment #570555 -
Flags: review?(luke) → review+
Comment 5 (Reporter, 10 years ago)
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+