Status
()
People
(Reporter: decoder, Assigned: bhackett)
Tracking
(Blocks: 2 bugs, {crash, testcase})
Firefox Tracking Flags
(Not tracked)
Details
(crash signature)
Attachments
(1 attachment)
|
480 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:
expect = 'Test skipped.';
function addPointImagedata(pointArray, n, col, row) {
pointArray[expect + 2] = 2;
}
function createMandelSet() {
points = new Array;
for (var idx = 0; idx < 1440000 ; ++idx) {
points[idx] = 0
}
addPointImagedata(points, ({}, {}), 0,0)
}
createMandelSet();
|
(Reporter) | |
Comment 1•7 years ago
|
||
Just to clarify, TI only (reporter script missed this in subject). Backtrace: ==57910== Invalid read of size 8 ==57910== at 0x475320: JS::Value::isMarkable() const (jsapi.h:467) ==57910== by 0x4B8F8B: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:435) ==57910== by 0x4B9145: js::gc::MarkValueRange(JSTracer*, JS::Value const*, JS::Value const*, char const*) (jsgcmark.cpp:466) ==57910== by 0x4B9196: js::gc::MarkValueRange(JSTracer*, unsigned long, JS::Value const*, char const*) (jsgcmark.cpp:473) ==57910== by 0x4AD1DA: js::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:1894) ==57910== by 0x4A8316: js::MarkContext(JSTracer*, JSContext*) (jsgc.cpp:1917) ==57910== by 0x4A84FF: js::MarkRuntime(JSTracer*) (jsgc.cpp:1944) ==57910== by 0x4A8DCD: BeginMarkPhase(JSContext*, js::GCMarker*, JSGCInvocationKind) (jsgc.cpp:2352) ==57910== by 0x4A970A: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2523) ==57910== by 0x4A99D8: GCCycle(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2770) ==57910== by 0x4A9C15: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind, js::gcstats::Reason) (jsgc.cpp:2830) ==57910== by 0x4A7620: js::gc::RunLastDitchGC(JSContext*) (jsgc.cpp:1518) ==57910== Address 0xbda000 is not stack'd, malloc'd or (recently) free'd
Summary: GC related crash [@ JS::Value::isMarkable] → TI: GC related crash [@ JS::Value::isMarkable]
|
|
(Reporter) | |
Comment 2•7 years ago
|
||
As the first comment is a bit misleading: This only affects the JM branch, not m-c.
|
|
(Reporter) | |
Updated•7 years ago
|
Version: Trunk → Other Branch
|
(Assignee) | |
Comment 3•7 years ago
|
||
Created attachment 570555 [details] [diff] [review] patch Oops, stupid bug. During makeDenseArraySlow the static emptyObjectElements array was being rooted, not the elements of the array being slowified. https://hg.mozilla.org/projects/jaegermonkey/rev/f951e9151626
Assignee: general → bhackett1024
Attachment #570555 -
Flags: review?(luke)
|
|
(Assignee) | |
Updated•7 years ago
|
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
|
||
Comment 4•7 years ago
|
||
Comment on attachment 570555 [details] [diff] [review] patch Ghastly
Attachment #570555 -
Flags: review?(luke) → review+
|
|
(Reporter) | |
Comment 5•6 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•