Closed Bug 704302 Opened 14 years ago Closed 4 years ago

Crash in JS_DeepFreezeObject on PPC64

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
7 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: walters, Unassigned)

References

Details

(Keywords: crash)

Attachments

(1 file)

GDB session
20.65 KB, text/plain
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1 Build ID: 20110930134335 Steps to reproduce: Build js-185 on Fedora 16/PPC64 with --enable-threadsafe --with-system-nspr. Actual results: The test suite crashes in jsapi-tests/testDeepFreeze.cpp:testDeepFreeze_deep Expected results: I think this has something to do with freezing the object corrupting it, and then when the GC starts walking the object set it encounters the corrupted object.
See also bugzilla.redhat.com/749604
To clarify, commenting out both deep freeze tests, all the other tests then pass. I'll try to attach a stack trace.
Attached file GDB session
Severity: normal → critical
Keywords: crash
See Also: → https://bugzilla.redhat.com/show_bug.cgi?id=749604
Program received signal SIGSEGV, Segmentation fault. 0x00000000101df4c8 in js::gc::MarkId (trc=0x0, id=0) at jsgcinlines.h:540 Based on the above, and the huge number of stack frames, I'm thinking maybe the deep freeze is recurring infinitely, then OOMing, putting a NULL somewhere because of the OOM, and then crashing when marking that.
JS_DeepFreezeObject is a fundamentally dangerous API that I don't think we should have, because it necessarily consumes stack proportional to the "depth" of the object being frozen. It seems better to me for applications to freeze objects one at a time, and to handle freezing the values of properties in a separate pass, in whatever way makes most sense to the application. I'm pretty sure I expressed this when changing JS_SealObject to JS_FreezeObject, but someone(ish) objected to the removal because we already provided a broken API and should keep providing it even if broken.
Well, I shouldn't say "necessarily". What I mean is that there's risk of a partially-frozen-tree that only the application can really know how to handle, and the way it seems likely to handle it requires knowledge of when such freezing failed. So having the user write the recursion and freezing logic seems best.
Assignee: general → nobody

Hi! I am closing this issue with Resolved-Worksforme since there were no changes made in the past 10 years. If the issue is still available please feel free to reopen it.
Thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: