Closed Bug 702003 Opened 13 years ago Closed 13 years ago

Assertion failure: xml, at jsgcmark.cpp:268 or Crash [@ js::gc::ArenaHeader::allocated]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(1 file)

fix
4.61 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following test asserts on mozilla-central revision 50c1bcb49c76 (options -m -n -a).


var lfcode = new Array();
lfcode.push("try { \
  gczeal(2);\
  exitFunc ('test');\
  } catch(exc1) {}\
");
lfcode.push("var summary = 'Foo'; \
  var actual = 'No Crash';\
  var expect = 'No Crash';\
  test();\
  function test() {\
    try {\
      eval('(function(){ <x/>.(yield 4) })().next();');\
    }\ catch(ex) { 'Bar'; }\
  }\
");
while (true) {
        var code = lfcode.shift(); 
        if (code == undefined) { break; }
        evaluate(code);
}



Backtrace up to first EnterMethodJIT (stack is actually longer due to nested eval):

#3  0x081fd37e in JS_Assert (s=0x83bf7d7 "xml", file=0x83bf768 "/srv/repos/mozilla-central/js/src/jsgcmark.cpp", ln=268) at /srv/repos/mozilla-central/js/src/jsutil.cpp:103
#4  0x080ffb42 in js::gc::MarkXMLUnbarriered (trc=0xffff94ac, xml=0x0, name=0x83e5bf7 "cursor_root") at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:268
#5  0x080ffb98 in js::gc::MarkXML (trc=0xffff94ac, xml=..., name=0x83e5bf7 "cursor_root") at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:276
#6  0x082107a0 in JSXMLArrayCursor<JSXML>::trace (this=0x8559e9c, trc=0xffff94ac) at /srv/repos/mozilla-central/js/src/jsxml.cpp:882
#7  0x08225d91 in XMLArrayCursorTrace<JSXML> (trc=0xffff94ac, cursor=0x8559e9c) at /srv/repos/mozilla-central/js/src/jsxml.cpp:897
#8  0x08222fc9 in js_TraceXML (trc=0xffff94ac, xml=0xf7411160) at /srv/repos/mozilla-central/js/src/jsxml.cpp:7363
#9  0x08102011 in js::gc::MarkChildren (trc=0xffff94ac, xml=0xf7411160) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1035
#10 0x081020f9 in js::GCMarker::drainMarkStack (this=0xffff94ac) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1058
#11 0x080f0165 in MarkAndSweep (cx=0x8555ee8, gckind=GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:2689
#12 0x080f0431 in GCCycle (cx=0x8555ee8, comp=0x0, gckind=GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:2935
#13 0x080f06fb in js_GC (cx=0x8555ee8, comp=0x0, gckind=GC_NORMAL, reason=js::gcstats::LASTDITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3011
#14 0x080ee01f in js::gc::RunLastDitchGC (cx=0x8555ee8) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1622
#15 0x080f10fa in js::gc::RunDebugGC (cx=0x8555ee8) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3251
#16 0x080f680c in NewGCThing<JSXML> (cx=0x8555ee8, kind=js::gc::FINALIZE_XML, thingSize=104) at ../jsgcinlines.h:351
#17 0x080f1d24 in js_NewGCXML (cx=0x8555ee8) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3601
#18 0x08222cc8 in js_NewXML (cx=0x8555ee8, xml_class=JSXML_CLASS_LIST) at /srv/repos/mozilla-central/js/src/jsxml.cpp:7297
#19 0x0822311c in js_NewXMLObject (cx=0x8555ee8, xml_class=JSXML_CLASS_LIST) at /srv/repos/mozilla-central/js/src/jsxml.cpp:7384
#20 0x08224d6b in js_StepXMLListFilter (cx=0x8555ee8, initialized=0) at /srv/repos/mozilla-central/js/src/jsxml.cpp:8021
#21 0x08142efb in js::Interpret (cx=0x8555ee8, entryFrame=0xf76ea180, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:5593
#22 0x08127c30 in js::RunScript (cx=0x8555ee8, script=0xf7405310, fp=0xf76ea180) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:584
#23 0x0814decd in SendToGenerator (cx=0x8555ee8, op=JSGENOP_NEXT, obj=0xf74022e0, gen=0x855f9d0, arg=...) at /srv/repos/mozilla-central/js/src/jsiter.cpp:1343
#24 0x0814e41c in generator_op (cx=0x8555ee8, native=0x814e4a8 <generator_next(JSContext*, uintN, JS::Value*)>, op=JSGENOP_NEXT, vp=0xf76ea160, argc=0)
    at /srv/repos/mozilla-central/js/src/jsiter.cpp:1452
#25 0x0814e4e5 in generator_next (cx=0x8555ee8, argc=0, vp=0xf76ea160) at /srv/repos/mozilla-central/js/src/jsiter.cpp:1468
#26 0x081478ca in js::CallJSNative (cx=0x8555ee8, native=0x814e4a8 <generator_next(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:297
#27 0x08127e7b in js::InvokeKernel (cx=0x8555ee8, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:629
#28 0x0813885b in js::Interpret (cx=0x8555ee8, entryFrame=0xf76ea128, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:3950
#29 0x082a4768 in js::mjit::EnterMethodJIT (cx=0x8555ee8, fp=0xf76ea128, code=0xf73f1938, stackLimit=0xf7aca000, partial=false)
    at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1094


S-s for now due to GC relatedness and crash in GC function.

Note 1: The test uses evaluate to replace load to put everything into a single file (thanks for this function JS devs ^_^).

Note 2: The original test did not reproduce on every run. I initially added gczeal(4) which made it very stable, but then the minimization removed that again and the test remained stable without that zeal level.
I got this on Mac too.
OS: Linux → All
Hardware: x86_64 → All
Attached patch fixSplinter Review 
The basic problem here is that in XMLArrayCursorTrace, I changed from MarkGCThing to MarkObject/MarkXML. I forgot that MarkGCThing is okay with being passed NULL, while the other two are not. So I just added a NULL check in the caller.

However, I also realized that xml->xml_kids.cursors can be NULL, so it's not a good idea to be calling a method on it. So I fixed this as well.

I'm not sure why the cast to MarkablePtr is needed. For some reason the compiler isn't figuring out how to do it itself. It must have something to do with the caller being templated and the conversion operator from HeapPtr to MarkablePtr.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #574419 - Flags: review?(luke)
Attachment #574419 - Flags: review?(luke) → review+
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/ab38343fde83
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: