Bug 708228 - Infinite recursion crash [@ regexp_trace] with incremental GC
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Duplicates: 708803
Blocks: langfuzz
Reported: 2011-12-07 05:34 PST by Christian Holler (:decoder)
Modified: 2013-01-14 08:10 PST
Flags: choller: in-testsuite+

Attachment 581709: fix (1.03 KB, patch), 2011-12-14 10:38 PST, Bill McCloskey (:billm), cdleary: review+

Description Christian Holler (:decoder) 2011-12-07 05:34:46 PST
The following test crashes on mozilla-central revision fafaf614791f (no options required):

var g_rx = /(?:)/;
(3).replace(g_rx.compile("test", "g"), {});

The crash is an infinite recursion with the following repeating part:

#88 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#89 0x0000000000443bb2 in JSObject::privateWriteBarrierPre (this=0x7ffff60088e0, old=0x7ffff6008938) at ../jsobjinlines.h:2114
#90 0x000000000044302f in JSObject::setPrivate (this=0x7ffff60088e0, data=0x0) at ../jsobjinlines.h:113
#91 0x000000000065bb0b in js::RegExpObject::setPrivate (this=0x7ffff60088e0, rep=0x0) at ../vm/RegExpObject-inl.h:119
#92 0x000000000065bb59 in js::RegExpObject::purge (this=0x7ffff60088e0, cx=0xb2b930) at ../vm/RegExpObject-inl.h:157
#93 0x000000000065a11f in regexp_trace (trc=0xb35108, obj=0x7ffff60088e0) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
Comment 1 Bill McCloskey (:billm) 2011-12-08 17:23:01 PST
Comment 2 Bill McCloskey (:billm) 2011-12-08 19:24:07 PST
*** Bug 708803 has been marked as a duplicate of this bug. ***
Comment 3 Christian Holler (:decoder) 2011-12-11 14:40:22 PST
This crash is on mozilla-central and not on larch only. Please merge to m-c and then mark as fixed again.
Comment 4 Bill McCloskey (:billm) 2011-12-14 10:38:04 PST
Created attachment 581709 [details] [diff] [review]

The problem was that we were calling purge when tracing through a regular expression from a write barrier. This seems bad. It does mean that during incremental GC we may fail to purge some regular expressions. This should be rare. I think that's okay, right Chris?
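The cycle comment 4 describes, modelled as an added example written for this page (it is neither SpiderMonkey's code nor the attached patch; the names Tracer, RegExpObject, fromWriteBarrier and runModel are assumptions). The pre-write barrier on the private pointer traces the object; the buggy trace hook purges, which is another store to the same pointer, which fires the barrier again. The "fixed" hook declines to purge when the trace was requested by a barrier, which is one way to break the loop and only an assumption about how the real patch did it; the model caps the depth and reports overflow instead of actually blowing the stack.

```cpp
#include <cstdio>
#include <stdexcept>

// Tracer state shared by the barrier and the trace hook (names are assumptions).
struct Tracer {
    bool incrementalGC;     // pre-write barriers only fire during an incremental GC
    bool fromWriteBarrier;  // true while tracing on behalf of a pre-write barrier
    int  depth;             // current barrier recursion depth
    int  peak;              // deepest recursion observed
    int  maxDepth;          // cap: throw instead of overflowing the stack
};

struct RegExpObject;
using TraceHook = void (*)(Tracer&, RegExpObject&);

struct RegExpObject {
    void*     priv;   // the "private": compiled regexp representation, or nullptr
    TraceHook trace;  // the object's trace hook (regexp_trace in the real engine)
    Tracer*   trc;
    void setPrivate(void* data);
    void purge();
};

// Pre-write barrier: before the old private is overwritten during an incremental
// GC, trace the object so the collector still sees the value being replaced.
static void privateWriteBarrierPre(RegExpObject& obj) {
    Tracer& t = *obj.trc;
    if (!t.incrementalGC)
        return;
    if (++t.depth > t.maxDepth)
        throw std::runtime_error("barrier -> trace -> purge -> barrier recursion");
    if (t.depth > t.peak)
        t.peak = t.depth;
    bool saved = t.fromWriteBarrier;
    t.fromWriteBarrier = true;
    obj.trace(t, obj);
    t.fromWriteBarrier = saved;
    --t.depth;
}

void RegExpObject::setPrivate(void* data) {
    privateWriteBarrierPre(*this);
    priv = data;
}

// purge() drops the compiled representation, which is itself a store to priv.
void RegExpObject::purge() { setPrivate(nullptr); }

// Buggy hook: purges on every trace, including one the barrier requested.
static void regexpTraceBuggy(Tracer&, RegExpObject& obj) { obj.purge(); }

// One way to break the cycle (an assumption, not the attached patch): never
// purge when the trace is running on behalf of a write barrier.
static void regexpTraceFixed(Tracer& t, RegExpObject& obj) {
    if (t.fromWriteBarrier)
        return;
    obj.purge();
}

struct Result {
    int  peak;        // deepest barrier recursion seen
    bool overflowed;  // the depth cap was hit, i.e. the real engine would crash
    bool purged;      // priv is nullptr afterwards: a normal trace still purged
};

// Replay the reproducer's store (compile() installs a new private) followed by
// an ordinary, non-barrier GC trace of the object.
static Result runModel(TraceHook hook, bool incrementalGC, int maxDepth = 64) {
    Tracer t{incrementalGC, false, 0, 0, maxDepth};
    int compiled = 0;  // stand-in for the compiled regexp representation
    RegExpObject obj{nullptr, hook, &t};
    try {
        obj.setPrivate(&compiled);  // what g_rx.compile("test", "g") does to the private
        hook(t, obj);               // a normal GC trace; purging here is fine
    } catch (const std::runtime_error&) {
        return Result{t.peak, true, obj.priv == nullptr};
    }
    return Result{t.peak, false, obj.priv == nullptr};
}

int main() {
    Result buggy = runModel(regexpTraceBuggy, true);
    Result fixed = runModel(regexpTraceFixed, true);
    std::printf("buggy hook, incremental GC: %s\n",
                buggy.overflowed ? "unbounded recursion" : "ok");
    std::printf("fixed hook, incremental GC: peak depth %d, purged=%d\n",
                fixed.peak, fixed.purged ? 1 : 0);
    return 0;
}
```

With incremental GC off the buggy hook is harmless, which matches the bug only appearing "with incremental GC": the barrier never fires, so purge is only ever reached from an ordinary trace. With the fixed hook a barrier-initiated trace may skip a purge, which is the "may fail to purge some regular expressions" trade-off comment 4 accepts; the next ordinary trace still purges.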
Comment 5 Chris Leary [:cdleary] (not checking bugmail) 2011-12-14 14:11:08 PST
Comment on attachment 581709 [details] [diff] [review]

Review of attachment 581709 [details] [diff] [review]:

Yeah, that's ok: nothing depends on the fact that privates get purged from objects each GC.
Comment 7 Ed Morley [:emorley] 2011-12-16 06:13:04 PST
Comment 8 Christian Holler (:decoder) 2013-01-14 08:10:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug708228.js.