703544 - Crash [@ JS::Value::isMarkable]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test crashes on mozilla-central revision b62e6ee5ba9b (options -m -a -n):


gczeal(4);
function testInterpreterReentry7() {
    var arr = [0, 1, 2, 3, 4];
    for (var i = (1); i < 5; i++)
        arr[i] = "grue";
}
assertEq(testInterpreterReentry7(), "grue bleen");


Backtrace:

==9568== Invalid read of size 4
==9568==    at 0x8058C45: JS::Value::isMarkable() const (jsapi.h:467)
==9568==    by 0x8100CD8: js::gc::MarkValueRaw(JSTracer*, JS::Value const&) (jsgcmark.cpp:462)
==9568==    by 0x8100D72: js::gc::MarkValueUnbarriered(JSTracer*, JS::Value const&, char const*) (jsgcmark.cpp:472)
==9568==    by 0x839B4B2: js::mjit::stubs::WriteBarrier(js::VMFrame&, JS::Value*) (StubCalls.cpp:2558)
==9568==    by 0x4C738DE: ???
==9568==    by 0x8523FF3: ??? (in /srv/repos/mozilla-central/js/src/debug32/shell/js)
==9568==  Address 0x56136c8c is not stack'd, malloc'd or (recently) free'd


This is gczeal(4) only, therefore I assume it's related to incremental GC and not s-s until incremental GC lands.

Comment 1

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: fix

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 575607 [details] [diff] [review]
fix

Sometimes I hate bugzilla and it's stupid behavior when you hit enter in the wrong place.

Comment 3

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 575607 [details] [diff] [review]
fix

Well, good enough I guess.

Comment 4

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/88086bed7f10

Comment 5

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/88086bed7f10

Comment 6

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug703544.js.