Closed Bug 711158 Opened 14 years ago Closed 14 years ago

Another recursion crash [@ regexp_trace] with incremental GC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

patch
1.13 KB, patch
luke
: review+
Details | Diff | Splinter Review
The following test crashes on mozilla-central revision 41f75cbb91f2 with the patch of bug 708228 already applied (options -m -n -a): var SECT_PREFIX = 'Section '; var SECT_SUFFIX = ' of test - '; function inSection(x) { return SECT_PREFIX + x + SECT_SUFFIX; } var lfcode = new Array(); lfcode.push("gczeal(4); gczeal(0);"); lfcode.push("\ (function() {\ function Pattern(template) {}\ Pattern.prototype = {\ };\ function MatchError(msg) {};\ function isAtom(x) {}\ function isObject(x) {}\ function isArrayLike(x) {}\ function matchAtom(act, exp) {}\ for (var key in exp) {}\ function matchArray(act, exp) {\ match(act[i], exp[i]);\ }\ function match(act, exp) {\ };\ })();\ "); lfcode.push("status = inSection(12);"); lfcode.push("\ var a = [0,1,2,3,(/[\\u006d]/g ),5,6,7,8,9,10];\ while (status) var l, a = [];\ "); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file); } function loadFile(lfVarx) { try { evaluate(lfVarx); } catch (lfVare) { } } The recursion cycle looks like this: #3481 0x0000000000657c68 in regexp_trace (trc=0xb2e288, obj=0x7ffff6010d00) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370 #3482 0x0000000000443c44 in JSObject::privateWriteBarrierPre (this=0x7ffff6010d00, old=0x7ffff6010d58) at ../jsobjinlines.h:2115 #3483 0x00000000004430c1 in JSObject::setPrivate (this=0x7ffff6010d00, data=0x0) at ../jsobjinlines.h:113 #3484 0x000000000065962d in js::RegExpObject::setPrivate (this=0x7ffff6010d00, rep=0x0) at ../vm/RegExpObject-inl.h:119 #3485 0x000000000065967b in js::RegExpObject::purge (this=0x7ffff6010d00, cx=0xb265c0) at ../vm/RegExpObject-inl.h:157
Attached patch patchSplinter Review
The write barrier was triggering during the delayed marking call, which shouldn't be happening. I just moved the assignment of needsBarrier up, which means that the barrier won't trigger.
Attachment #582031 - Flags: review?(luke)
Attachment #582031 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/2829d8482c67
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: