Bug 708228 - Infinite recursion crash [@ regexp_trace] with incremental GC
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Target Milestone: mozilla11
Assigned To: [PTO to Dec5] Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Duplicates: 708803
Blocks: langfuzz
Reported: 2011-12-07 05:34 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:10 PST
Flags: choller: in-testsuite+


Attachments
fix (1.03 KB, patch)
2011-12-14 10:38 PST, [PTO to Dec5] Bill McCloskey (:billm)
cdleary: review+

Description Christian Holler (:decoder) 2011-12-07 05:34:46 PST
The following test crashes on mozilla-central revision fafaf614791f (no options required):


gczeal(4);                                   // shell-only GC zeal mode; makes the incremental GC write barriers fire
var g_rx = /(?:)/;
(3).replace(g_rx.compile("test", "g"), {});  // compile() overwrites the regexp's private data (see setPrivate in the trace below)


The crash is an infinite recursion with the following repeating part:

#88 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#89 0x0000000000443bb2 in JSObject::privateWriteBarrierPre (this=0x7ffff60088e0, old=0x7ffff6008938) at ../jsobjinlines.h:2114
#90 0x000000000044302f in JSObject::setPrivate (this=0x7ffff60088e0, data=0x0) at ../jsobjinlines.h:113
#91 0x000000000065bb0b in js::RegExpObject::setPrivate (this=0x7ffff60088e0, rep=0x0) at ../vm/RegExpObject-inl.h:119
#92 0x000000000065bb59 in js::RegExpObject::purge (this=0x7ffff60088e0, cx=0xb2b930) at ../vm/RegExpObject-inl.h:157
#93 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
Comment 1 [PTO to Dec5] Bill McCloskey (:billm) 2011-12-08 17:23:01 PST
https://hg.mozilla.org/projects/larch/rev/6c62c0967631
Comment 2 [PTO to Dec5] Bill McCloskey (:billm) 2011-12-08 19:24:07 PST
*** Bug 708803 has been marked as a duplicate of this bug. ***
Comment 3 Christian Holler (:decoder) 2011-12-11 14:40:22 PST
This crash is on mozilla-central and not on larch only. Please merge to m-c and then mark as fixed again.
Comment 4 [PTO to Dec5] Bill McCloskey (:billm) 2011-12-14 10:38:04 PST
Created attachment 581709 [details] [diff] [review]
fix

The problem was that we were calling purge when tracing through a regular expression from a write barrier. This seems bad. It does mean that during incremental GC we may fail to purge some regular expressions. This should be rare. I think that's okay, right Chris?
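A toy C++ model of the cycle described in comment 4, added here as an example; it is not SpiderMonkey code and not the attached patch. Every name (RegExpShared, Tracer, TraceOrigin, barriersActive, kStackLimit, compile_completes, mark_phase_purges) is a hypothetical stand-in for the frames in the stack trace in comment 0, and the "fixed" path models only the behaviour described in the comment (do not purge when the trace hook is entered from a write barrier), not the attachment's actual diff.

```cpp
struct RegExpShared {};                              // the regexp's private data (stand-in)
enum class TraceOrigin { MarkPhase, WriteBarrier };  // who invoked the trace hook
struct Tracer { TraceOrigin origin; };
static int  g_depth = 0;                // current trace recursion depth
static bool g_overflow = false;         // set where the real code would blow the stack
static const int kStackLimit = 64;      // stand-in for the real stack limit

struct RegExpObject; static void regexp_trace(Tracer* trc, RegExpObject* obj, bool fixed);

struct RegExpObject {
    RegExpShared* priv = nullptr;
    bool barriersActive = true;         // true while an incremental GC is in progress
    // Pre-write barrier: the old private must be marked before it is overwritten,
    // which re-enters the object's trace hook (frames #89 -> #88 in the trace above).
    void privateWriteBarrierPre(bool fixed) {
        if (!barriersActive || !priv) return;
        Tracer barrier{TraceOrigin::WriteBarrier};
        regexp_trace(&barrier, this, fixed);
    }
    void setPrivate(RegExpShared* p, bool fixed) { privateWriteBarrierPre(fixed); priv = p; }
    void purge(bool fixed) { setPrivate(nullptr, fixed); }
};

static void regexp_trace(Tracer* trc, RegExpObject* obj, bool fixed) {
    if (g_overflow || ++g_depth > kStackLimit) { g_overflow = true; return; }
    // Buggy: purge on every trace, including one begun by a write barrier, so
    // purge -> setPrivate -> barrier -> regexp_trace -> purge never terminates.
    // Fixed: purge only when the GC's own mark phase traces the object.
    if (!fixed || trc->origin == TraceOrigin::MarkPhase)
        obj->purge(fixed);
    --g_depth;
}

// Models g_rx.compile("test", "g") during incremental GC: compile installs a new private.
bool compile_completes(bool fixed) {
    g_depth = 0; g_overflow = false;
    RegExpShared oldShared, newShared; RegExpObject rx; rx.priv = &oldShared;
    rx.setPrivate(&newShared, fixed);
    return !g_overflow && rx.priv == &newShared;
}

// Models the GC's mark phase tracing the object: with the fix, purge still runs there.
bool mark_phase_purges(bool fixed) {
    g_depth = 0; g_overflow = false;
    RegExpShared shared; RegExpObject rx; rx.priv = &shared;
    Tracer mark{TraceOrigin::MarkPhase};
    regexp_trace(&mark, &rx, fixed);
    return !g_overflow && rx.priv == nullptr;
}
```

With the buggy path both drivers hit the depth limit (the model's stand-in for the crash); with the fixed path compile completes and a mark-phase trace still purges the private.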
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-12-14 14:11:08 PST
Comment on attachment 581709 [details] [diff] [review]
fix

Review of attachment 581709 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, that's ok: nothing depends on the fact that privates get purged from objects each GC.
Comment 6 [PTO to Dec5] Bill McCloskey (:billm) 2011-12-15 09:47:09 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/d96b15c1645b
Comment 7 Ed Morley [:emorley] 2011-12-16 06:13:04 PST
https://hg.mozilla.org/mozilla-central/rev/d96b15c1645b
Comment 8 Christian Holler (:decoder) 2013-01-14 08:10:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708228.js.