TI: GC related crash [@ JS::Value::isMarkable]

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
RESOLVED FIXED
Reported:
6 years ago
Modified:
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Version:
Other Branch
x86_64
Linux
Keywords:
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

patch
480 bytes, patch
luke
: review+
Details | Diff | Splinter Review
(Reporter)

Description

6 years ago 
The following testcase crashes on jaegermonkey revision b01eb1ba58ce (run with -m -n), tested on 64 bit:


expect = 'Test skipped.';
function addPointImagedata(pointArray, n, col, row) {
    pointArray[expect + 2] = 2;
}
function createMandelSet() {
    points = new Array;
    for (var idx = 0; idx < 1440000 ; ++idx) {
    	points[idx] = 0
    }
    addPointImagedata(points, ({}, {}), 0,0)
}
createMandelSet();
(Reporter)

Comment 1

6 years ago 
Just to clarify, TI only (reporter script missed this in subject). Backtrace:


==57910== Invalid read of size 8
==57910==    at 0x475320: JS::Value::isMarkable() const (jsapi.h:467)
==57910==    by 0x4B8F8B: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:435)
==57910==    by 0x4B9145: js::gc::MarkValueRange(JSTracer*, JS::Value const*, JS::Value const*, char const*) (jsgcmark.cpp:466)
==57910==    by 0x4B9196: js::gc::MarkValueRange(JSTracer*, unsigned long, JS::Value const*, char const*) (jsgcmark.cpp:473)
==57910==    by 0x4AD1DA: js::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:1894)
==57910==    by 0x4A8316: js::MarkContext(JSTracer*, JSContext*) (jsgc.cpp:1917)
==57910==    by 0x4A84FF: js::MarkRuntime(JSTracer*) (jsgc.cpp:1944)
==57910==    by 0x4A8DCD: BeginMarkPhase(JSContext*, js::GCMarker*, JSGCInvocationKind) (jsgc.cpp:2352)
==57910==    by 0x4A970A: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2523)
==57910==    by 0x4A99D8: GCCycle(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2770)
==57910==    by 0x4A9C15: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind, js::gcstats::Reason) (jsgc.cpp:2830)
==57910==    by 0x4A7620: js::gc::RunLastDitchGC(JSContext*) (jsgc.cpp:1518)
==57910==  Address 0xbda000 is not stack'd, malloc'd or (recently) free'd
Summary: GC related crash [@ JS::Value::isMarkable] → TI: GC related crash [@ JS::Value::isMarkable]
 (Reporter)

Comment 2

6 years ago 
As the first comment is a bit misleading: This only affects the JM branch, not m-c.
 (Reporter)

Updated

6 years ago
Version: Trunk → Other Branch
 (Assignee)

Comment 3

6 years ago 
Created attachment 570555 [details] [diff] [review]
patch

Oops, stupid bug.  During makeDenseArraySlow the static emptyObjectElements array was being rooted, not the elements of the array being slowified.

https://hg.mozilla.org/projects/jaegermonkey/rev/f951e9151626
Assignee: general → bhackett1024
Attachment #570555 - Flags: review?(luke)
 (Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 4

6 years ago 
Comment on attachment 570555 [details] [diff] [review]
patch

Ghastly
Attachment #570555 - Flags: review?(luke) → review+
 (Reporter)

Comment 5

4 years ago 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/2e891e0db397
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.