Infinite recursion crash [@ regexp_trace] with incremental GC

RESOLVED FIXED in mozilla11

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version: Trunk
Target Milestone: mozilla11
Platform: x86_64 Linux
Keywords: crash, testcase
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Attachments

(1 attachment)

Description (Reporter, 6 years ago)

The following test crashes on mozilla-central revision fafaf614791f (no options required):


gczeal(4);                     // shell-only GC stress hook; mode 4 in this revision turned on the
                               // incremental-GC write-barrier verifier, so privateWriteBarrierPre fires
var g_rx = /(?:)/;             // a regexp whose private (compiled form) is already set
(3).replace(g_rx.compile("test", "g"), {});   // compile() replaces that private: setPrivate -> barrier -> trace -> purge ...
                                              // the replace call itself never runs; the crash is inside compile()


The crash is an infinite recursion with the following repeating part:

#88 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#89 0x0000000000443bb2 in JSObject::privateWriteBarrierPre (this=0x7ffff60088e0, old=0x7ffff6008938) at ../jsobjinlines.h:2114
#90 0x000000000044302f in JSObject::setPrivate (this=0x7ffff60088e0, data=0x0) at ../jsobjinlines.h:113
#91 0x000000000065bb0b in js::RegExpObject::setPrivate (this=0x7ffff60088e0, rep=0x0) at ../vm/RegExpObject-inl.h:119
#92 0x000000000065bb59 in js::RegExpObject::purge (this=0x7ffff60088e0, cx=0xb2b930) at ../vm/RegExpObject-inl.h:157
#93 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
Comment 1 (Assignee, 6 years ago)

https://hg.mozilla.org/projects/larch/rev/6c62c0967631
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Updated (Assignee, 6 years ago)

Duplicate of this bug: 708803
Comment 3 (Reporter, 6 years ago)

This crash is on mozilla-central and not on larch only. Please merge to m-c and then mark as fixed again.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 4 (Assignee, 6 years ago)

Created attachment 581709 [details] [diff] [review]
fix

The problem was that we were calling purge when tracing through a regular expression from a write barrier. This seems bad. It does mean that during incremental GC we may fail to purge some regular expressions. This should be rare. I think that's okay, right Chris?
Attachment #581709 - Flags: review?(christopher.leary)
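The recursion comment 4 describes, and the shape of the fix, as a self-contained C++ model added here. It is not SpiderMonkey source and not the attached patch: the names Tracer, RegExpObj, privateWriteBarrierPre, setPrivate, purge and the two trace hooks mirror the frames in the backtrace above, and the rule "skip the purge when traced from a barrier tracer" is an assumption about what the fix does, which the comment only outlines. A depth counter stands in for the real stack limit so the buggy path terminates instead of overflowing.

```cpp
// Added model, not SpiderMonkey code: an incremental-GC pre-write barrier that
// runs the object's trace hook, a trace hook that mutates the object it is
// tracing (purge -> setPrivate), and the unbounded recursion that results.
#include <cstdio>

enum class TracerKind { Marking, WriteBarrier };

struct Tracer {
    TracerKind kind;
    int depth = 0;          // instrumentation only: current trace() nesting
    int maxDepth = 64;      // instrumentation only: stand-in for the real stack limit
    bool overflowed = false;
};

struct RegExpShared { const char* source; };   // the "private": compiled regexp data

struct RegExpObj;
using TraceHook = void (*)(Tracer*, RegExpObj*);

struct RegExpObj {
    RegExpShared* priv;
    TraceHook trace;          // class trace hook (regexp_trace in the backtrace)
    Tracer* barrierTracer;    // compartment-wide barrier tracer, reused on every call
    bool needsBarrier;        // true while an incremental GC is in progress
    int purges = 0;

    // Pre-barrier: before the private is overwritten, make the collector see the
    // old value. As in frame #89 -> #88 above, it does so via the trace hook.
    void privateWriteBarrierPre(RegExpShared* old) {
        if (!needsBarrier || old == nullptr) return;
        Tracer* trc = barrierTracer;
        if (++trc->depth > trc->maxDepth) {   // instrumentation: do not really overflow
            trc->overflowed = true;
            --trc->depth;
            return;
        }
        trace(trc, this);
        --trc->depth;
    }

    // Frame #90/#91: the barrier runs BEFORE the store, so priv is still the old
    // value in every nested barrier call; that is why there is no base case.
    void setPrivate(RegExpShared* p) {
        privateWriteBarrierPre(priv);
        priv = p;
    }

    // Frame #92: drop the cached compiled form.
    void purge() {
        ++purges;
        setPrivate(nullptr);
    }
};

// Buggy hook: purges whenever it is traced, including from the barrier tracer.
// barrier -> trace -> purge -> setPrivate -> barrier -> ... never terminates.
void regexp_trace_buggy(Tracer*, RegExpObj* obj) {
    obj->purge();
}

// Fixed hook (assumed shape of the fix): only a real marking trace may purge; a
// barrier trace must not mutate the object it was asked to trace.
void regexp_trace_fixed(Tracer* trc, RegExpObj* obj) {
    if (trc->kind == TracerKind::Marking)
        obj->purge();
}

// One setPrivate, as RegExp.prototype.compile performs, while an incremental GC
// is active. Returns true if the hook recursed past the instrumented limit.
bool compile_recurses(TraceHook hook) {
    Tracer barrier{TracerKind::WriteBarrier};
    RegExpShared old{"(?:)"}, fresh{"test"};   // constructed sample data
    RegExpObj rx{&old, hook, &barrier, /*needsBarrier=*/true};
    rx.setPrivate(&fresh);
    return barrier.overflowed;
}

// A real marking trace still purges; the nested barrier trace must not purge
// again. Returns the purge count, or -1 if the barrier recursed without bound.
int purges_from_marking_trace(TraceHook hook) {
    Tracer barrier{TracerKind::WriteBarrier};
    Tracer marking{TracerKind::Marking};
    RegExpShared old{"(?:)"};
    RegExpObj rx{&old, hook, &barrier, true};
    hook(&marking, &rx);
    return barrier.overflowed ? -1 : rx.purges;
}

int main() {
    std::printf("buggy hook recurses: %d\n", compile_recurses(regexp_trace_buggy));
    std::printf("fixed hook recurses: %d\n", compile_recurses(regexp_trace_fixed));
    std::printf("fixed hook purges from marking: %d\n", purges_from_marking_trace(regexp_trace_fixed));
    return 0;
}
```

The fix keeps the barrier and makes the trace hook read-only when invoked from it; the cost is the one the reviewer accepts below: a regexp that is only ever traced by barriers during an incremental GC keeps its compiled private until the next marking trace.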
Comment 5 (review by christopher.leary)

Comment on attachment 581709 [details] [diff] [review]
fix

Review of attachment 581709 [details] [diff] [review]:

Yeah, that's ok: nothing depends on the fact that privates get purged from objects each GC.
Attachment #581709 - Flags: review?(christopher.leary) → review+
Comment 6 (Assignee, 6 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/d96b15c1645b
Target Milestone: --- → mozilla11
Comment 7

https://hg.mozilla.org/mozilla-central/rev/d96b15c1645b
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Comment 8 (Reporter, 4 years ago)

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708228.js.
Flags: in-testsuite+