Closed Bug 698148 Opened 14 years ago Closed 14 years ago

TI: GC related crash [@ JS::Value::isMarkable]

Categories: Core :: JavaScript Engine, defect

Version: Other Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The following testcase crashes on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:

    expect = 'Test skipped.';
    function addPointImagedata(pointArray, n, col, row) {
      pointArray[expect + 2] = 2;
    }
    function createMandelSet() {
      points = new Array;
      for (var idx = 0; idx < 1440000 ; ++idx) { points[idx] = 0 }
      addPointImagedata(points, ({}, {}), 0,0)
    }
    createMandelSet();

Just to clarify, TI only (reporter script missed this in subject). Backtrace:

    ==57910== Invalid read of size 8
    ==57910==    at 0x475320: JS::Value::isMarkable() const (jsapi.h:467)
    ==57910==    by 0x4B8F8B: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:435)
    ==57910==    by 0x4B9145: js::gc::MarkValueRange(JSTracer*, JS::Value const*, JS::Value const*, char const*) (jsgcmark.cpp:466)
    ==57910==    by 0x4B9196: js::gc::MarkValueRange(JSTracer*, unsigned long, JS::Value const*, char const*) (jsgcmark.cpp:473)
    ==57910==    by 0x4AD1DA: js::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:1894)
    ==57910==    by 0x4A8316: js::MarkContext(JSTracer*, JSContext*) (jsgc.cpp:1917)
    ==57910==    by 0x4A84FF: js::MarkRuntime(JSTracer*) (jsgc.cpp:1944)
    ==57910==    by 0x4A8DCD: BeginMarkPhase(JSContext*, js::GCMarker*, JSGCInvocationKind) (jsgc.cpp:2352)
    ==57910==    by 0x4A970A: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2523)
    ==57910==    by 0x4A99D8: GCCycle(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2770)
    ==57910==    by 0x4A9C15: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind, js::gcstats::Reason) (jsgc.cpp:2830)
    ==57910==    by 0x4A7620: js::gc::RunLastDitchGC(JSContext*) (jsgc.cpp:1518)
    ==57910==  Address 0xbda000 is not stack'd, malloc'd or (recently) free'd
Summary: GC related crash [@ JS::Value::isMarkable] → TI: GC related crash [@ JS::Value::isMarkable]
As the first comment is a bit misleading: This only affects the JM branch, not m-c.
Version: Trunk → Other Branch
Attached patch: patch
Oops, stupid bug. During makeDenseArraySlow the static emptyObjectElements array was being rooted, not the elements of the array being slowified. https://hg.mozilla.org/projects/jaegermonkey/rev/f951e9151626
Assignee: general → bhackett1024
Attachment #570555 - Flags: review?(luke)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment on attachment 570555 (patch): Ghastly
Attachment #570555 - Flags: review?(luke) → review+
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+