Another recursion crash [@ regexp_trace] with incremental GC

RESOLVED FIXED in mozilla11

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla11
x86_64
Linux
crash, testcase

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision 41f75cbb91f2 with the patch of bug 708228 already applied (options -m -n -a):


var SECT_PREFIX = 'Section ';
var SECT_SUFFIX = ' of test - ';
function inSection(x) {
  return SECT_PREFIX + x + SECT_SUFFIX;
}
var lfcode = new Array();
lfcode.push("gczeal(4); gczeal(0);");
lfcode.push("\
(function() {\
        function Pattern(template) {}\
        Pattern.prototype = {\
        };\
        function MatchError(msg) {};\
        function isAtom(x) {}\
        function isObject(x) {}\
        function isArrayLike(x) {}\
        function matchAtom(act, exp) {}\
        for (var key in exp) {}\
        function matchArray(act, exp) {\
                match(act[i], exp[i]);\
        }\
        function match(act, exp) {\
        };\
})();\
");
lfcode.push("status = inSection(12);");
lfcode.push("\
        var a = [0,1,2,3,(/[\\u006d]/g ),5,6,7,8,9,10];\
        while (status) var l, a = [];\
");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
                loadFile(file);
}
function loadFile(lfVarx) {
        try {
                        evaluate(lfVarx);
        } catch (lfVare) {      }
}


The recursion cycle looks like this:

#3481 0x0000000000657c68 in regexp_trace (trc=0xb2e288, obj=0x7ffff6010d00) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#3482 0x0000000000443c44 in JSObject::privateWriteBarrierPre (this=0x7ffff6010d00, old=0x7ffff6010d58) at ../jsobjinlines.h:2115
#3483 0x00000000004430c1 in JSObject::setPrivate (this=0x7ffff6010d00, data=0x0) at ../jsobjinlines.h:113
#3484 0x000000000065962d in js::RegExpObject::setPrivate (this=0x7ffff6010d00, rep=0x0) at ../vm/RegExpObject-inl.h:119
#3485 0x000000000065967b in js::RegExpObject::purge (this=0x7ffff6010d00, cx=0xb265c0) at ../vm/RegExpObject-inl.h:157
(Assignee)

Comment 1

6 years ago
Created attachment 582031 [details] [diff] [review]
patch

The write barrier was triggering during the delayed marking call, which shouldn't be happening. I just moved the assignment of needsBarrier up, which means that the barrier won't trigger.
Attachment #582031 - Flags: review?(luke)
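To make the cycle in the backtrace and the fix in comment 1 concrete, here is an added, constructed C++ model (not SpiderMonkey code and not the attached patch): a heap with a compartment-level needsBarrier flag, a pre-write barrier that re-enters the trace hook while the flag is set, and a RegExp-like trace hook that purges its private slot through the barriered setter, exactly the purge → setPrivate → privateWriteBarrierPre → regexp_trace chain shown above. All type and function names are assumptions chosen to mirror the frames in the backtrace; the recursion is bounded by a depth limit so the model reports how deep the barrier re-entered instead of overflowing the stack.

```cpp
#include <cstdio>
#include <vector>

// Constructed model of the failure in this bug (not SpiderMonkey code):
// an incremental collector keeps its pre-write barrier enabled while it
// drains delayed marking, and the trace hook of a RegExp-like object writes
// through a barriered setter. Names mirror the frames in the backtrace.

constexpr int kDepthLimit = 64;   // stand-in for the C stack; the real engine overflowed it

struct RegExpLike {
    bool marked = false;
    void* priv = nullptr;         // the object's private slot (RegExpObject::setPrivate)
};

struct Heap {
    bool needsBarrier = false;    // compartment flag the barrier consults
    std::vector<RegExpLike*> delayed;   // objects queued for delayed marking
    int barrierDepth = 0;         // current nesting of barrier -> trace -> barrier
    int maxDepth = 0;             // deepest nesting observed

    // Pre-write barrier: while barriers are on, the old value must be marked
    // before it is overwritten, so the barrier re-enters the trace hook.
    void privateWriteBarrierPre(RegExpLike* obj) {
        if (!needsBarrier)
            return;
        ++barrierDepth;
        if (barrierDepth > maxDepth)
            maxDepth = barrierDepth;
        if (barrierDepth < kDepthLimit)   // bounded here; unbounded in the report
            trace(obj);
        --barrierDepth;
    }

    // JSObject::setPrivate in the backtrace: barrier first, then the store.
    void setPrivate(RegExpLike* obj, void* data) {
        privateWriteBarrierPre(obj);
        obj->priv = data;
    }

    // regexp_trace in the backtrace: marking a RegExp purges its private data,
    // and purge goes through the barriered setter.
    void trace(RegExpLike* obj) {
        obj->marked = true;
        setPrivate(obj, nullptr);   // purge -> setPrivate -> barrier -> trace ...
    }

    void markDelayedChildren() {
        for (RegExpLike* obj : delayed)
            trace(obj);
        delayed.clear();
    }
};

// End-of-mark sequence as described in comment 1. With clearBarrierBeforeDrain
// == false the barrier is still on when delayed marking runs and the trace
// hook's own write re-enters it; with true, the needsBarrier assignment is
// moved ahead of the drain (the shape of the fix, modeled here) and the
// barrier is a no-op for the collector's own writes.
int finishMarking(bool clearBarrierBeforeDrain) {
    Heap heap;
    RegExpLike re;
    heap.delayed.push_back(&re);
    heap.needsBarrier = true;          // left on by the incremental slices
    if (clearBarrierBeforeDrain)
        heap.needsBarrier = false;     // the assignment the fix moved up
    heap.markDelayedChildren();        // recursion happens here in the buggy order
    heap.needsBarrier = false;         // original position of the assignment
    return heap.maxDepth;
}

int main() {
    std::printf("barrier left on during delayed marking: re-entered to depth %d (limit %d)\n",
                finishMarking(false), kDepthLimit);
    std::printf("barrier cleared before delayed marking: re-entered to depth %d\n",
                finishMarking(true));
    return 0;
}
```

The point the model makes is the one billm states: the pre-write barrier exists for mutator writes during incremental slices, so the collector must turn it off before its own marking code performs writes through barriered setters, otherwise any trace hook that stores into the object it is tracing becomes an unbounded cycle.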

Updated

6 years ago
Attachment #582031 - Flags: review?(luke) → review+
(Assignee)

Comment 2

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2829d8482c67
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/2829d8482c67
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED