Closed Bug 711158 Opened 8 years ago Closed 8 years ago

Another recursion crash [@ regexp_trace] with incremental GC

Categories

(Core :: JavaScript Engine, defect, critical)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: decoder, Assigned: billm)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

patch
1.13 KB, patch
luke
: review+
Details | Diff | Splinter Review 
The following test crashes on mozilla-central revision 41f75cbb91f2 with the patch of bug 708228 already applied (options -m -n -a):


var SECT_PREFIX = 'Section ';
var SECT_SUFFIX = ' of test - ';
function inSection(x) {
  return SECT_PREFIX + x + SECT_SUFFIX;
}
var lfcode = new Array();
lfcode.push("gczeal(4); gczeal(0);");
lfcode.push("\
(function() {\
        function Pattern(template) {}\
        Pattern.prototype = {\
        };\
        function MatchError(msg) {};\
        function isAtom(x) {}\
        function isObject(x) {}\
        function isArrayLike(x) {}\
        function matchAtom(act, exp) {}\
        for (var key in exp) {}\
        function matchArray(act, exp) {\
                match(act[i], exp[i]);\
        }\
        function match(act, exp) {\
        };\
})();\
");
lfcode.push("status = inSection(12);");
lfcode.push("\
        var a = [0,1,2,3,(/[\\u006d]/g ),5,6,7,8,9,10];\
        while (status) var l, a = [];\
");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
                loadFile(file);
}
function loadFile(lfVarx) {
        try {
                        evaluate(lfVarx);
        } catch (lfVare) {      }
}


The recursion cycle looks like this:

#3481 0x0000000000657c68 in regexp_trace (trc=0xb2e288, obj=0x7ffff6010d00) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370
#3482 0x0000000000443c44 in JSObject::privateWriteBarrierPre (this=0x7ffff6010d00, old=0x7ffff6010d58) at ../jsobjinlines.h:2115
#3483 0x00000000004430c1 in JSObject::setPrivate (this=0x7ffff6010d00, data=0x0) at ../jsobjinlines.h:113
#3484 0x000000000065962d in js::RegExpObject::setPrivate (this=0x7ffff6010d00, rep=0x0) at ../vm/RegExpObject-inl.h:119
#3485 0x000000000065967b in js::RegExpObject::purge (this=0x7ffff6010d00, cx=0xb265c0) at ../vm/RegExpObject-inl.h:157
Attached patch patchSplinter Review 
The write barrier was triggering during the delayed marking call, which shouldn't be happening. I just moved the assignment of needsBarrier up, which means that the barrier won't trigger.
Attachment #582031 - Flags: review?(luke)
Attachment #582031 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/2829d8482c67
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.