Closed Bug 711667 Opened 14 years ago Closed 13 years ago

[IncrementalGC] Crash [@ js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*()]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 729238

People

(Reporter: decoder, Assigned: billm)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The attached test crashes on larch branch (incremental GC) revision eccd65340648 (options -m -n). Backtrace:

==55695== Invalid read of size 8
==55695==    at 0x4158D2: js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const (Barrier.h:228)
==55695==    by 0x413C33: js::Shape::base() const (jsscope.h:759)
==55695==    by 0x413AC5: js::Shape::getObjectClass() const (jsscope.h:628)
==55695==    by 0x414197: JSObject::getClass() const (jsscope.h:1078)
==55695==    by 0x5C31C1: js::DefaultMarkPolicy<js::HeapPtr<JSObject, unsigned long> >::overrideKeyMarking(js::HeapPtr<JSObject, unsigned long> const&) (jsweakmap.h:289)
==55695==    by 0x5C51E3: js::WeakMap<js::HeapPtr<JSObject, unsigned long>, js::HeapValue, js::DefaultHasher<js::HeapPtr<JSObject, unsigned long> >, js::DefaultMarkPolicy<js::HeapPtr<JSObject, unsigned long> >, js::DefaultMarkPolicy<js::HeapValue>, js::DefaultTracePolicy<js::HeapPtr<JSObject, unsigned long>, js::HeapValue> >::markIteratively(JSTracer*) (jsweakmap.h:206)
==55695==    by 0x5C19DA: js::WeakMapBase::markAllIteratively(JSTracer*) (jsweakmap.cpp:67)
==55695==    by 0x4A800B: MarkWeakReferences(js::GCMarker*) (jsgc.cpp:2814)
==55695==    by 0x4A80B3: MarkGrayAndWeak(JSContext*) (jsgc.cpp:2830)
==55695==    by 0x4A81FF: EndMarkPhase(JSContext*) (jsgc.cpp:2858)
==55695==    by 0x4A926C: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:3106)
==55695==    by 0x4AA24B: GCCycle(JSContext*, JSCompartment*, bool, JSGCInvocationKind) (jsgc.cpp:3594)
==55695==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd
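The faulting address in the report above is the byte 0xDA repeated across all eight bytes, which is the signature of a freed, poisoned GC cell (SpiderMonkey's JS_FREE_PATTERN) rather than a live object pointer: a use-after-free that the GC mark phase tripped over while marking weak-map entries. The following triage helper is an added example, not part of the bug or of SpiderMonkey. It parses a Valgrind memcheck backtrace of the shape shown here (the "Invalid read" header, "at"/"by" frames, and the trailing "Address ... is ..." line) and flags fault addresses that are a single fill byte replicated across the pointer width. The sample input is a constructed, abbreviated copy of the frames quoted in comment 0; the fill-byte table and the function names are this example's own.

```python
"""Triage helper for Valgrind memcheck backtraces (added example, not from the bug).

Parses the header, the at/by frames and the address line, then checks whether
the faulting address is one byte replicated across the pointer width, which
points at allocator poison rather than a live object.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^==\d+==\s+Invalid (?P<op>read|write) of size (?P<size>\d+)\s*$")
# Symbols contain nested parentheses, so match them lazily and anchor on the
# trailing "(file:line)" group.
FRAME_RE = re.compile(
    r"^==\d+==\s+(?:at|by)\s+0x(?P<pc>[0-9A-Fa-f]+):\s+"
    r"(?P<symbol>.*?)\s+\((?P<file>[^:()]+):(?P<line>\d+)\)\s*$"
)
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x(?P<addr>[0-9A-Fa-f]+) is (?P<status>.*?)\s*$")

# Fill bytes this helper recognises (assumed table). 0xDA is SpiderMonkey's
# JS_FREE_PATTERN, written over GC cells when they are freed.
KNOWN_FILL: Dict[int, str] = {0xDA: "SpiderMonkey JS_FREE_PATTERN (freed GC cell)"}


@dataclass
class Frame:
    pc: int
    symbol: str
    file: str
    line: int


@dataclass
class Report:
    op: str
    size: int
    frames: List[Frame]
    fault_addr: Optional[int]
    addr_status: Optional[str]


def parse_valgrind(text: str) -> Report:
    """Extract the access kind, the stack frames and the faulting address."""
    op, size, frames, addr, status = "", 0, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            op, size = m["op"], int(m["size"])
        elif m := FRAME_RE.match(line):
            frames.append(Frame(int(m["pc"], 16), m["symbol"], m["file"], int(m["line"])))
        elif m := ADDR_RE.match(line):
            addr, status = int(m["addr"], 16), m["status"]
    return Report(op, size, frames, addr, status)


def poison_byte(addr: Optional[int], width: int = 8) -> Optional[int]:
    """Return the fill byte if addr is a single byte repeated across `width` bytes."""
    if addr is None or addr == 0 or addr >= 1 << (8 * width):
        return None
    b = addr & 0xFF
    return b if addr == int.from_bytes(bytes([b]) * width, "big") else None


def classify(report: Report) -> str:
    """Distinguish a poisoned-memory dereference from an arbitrary bad access."""
    b = poison_byte(report.fault_addr)
    if b is None:
        return "invalid access"
    return f"poisoned-memory dereference: fill byte 0x{b:02X} ({KNOWN_FILL.get(b, 'unknown fill pattern')})"


# Constructed sample: header, first four frames, GC frames and address line of
# the report in comment 0, with the long WeakMap frames left out.
SAMPLE = """\
==55695== Invalid read of size 8
==55695==    at 0x4158D2: js::HeapPtr<js::BaseShape, unsigned long>::operator js::BaseShape*() const (Barrier.h:228)
==55695==    by 0x413C33: js::Shape::base() const (jsscope.h:759)
==55695==    by 0x413AC5: js::Shape::getObjectClass() const (jsscope.h:628)
==55695==    by 0x414197: JSObject::getClass() const (jsscope.h:1078)
==55695==    by 0x4A800B: MarkWeakReferences(js::GCMarker*) (jsgc.cpp:2814)
==55695==    by 0x4A80B3: MarkGrayAndWeak(JSContext*) (jsgc.cpp:2830)
==55695==    by 0x4A81FF: EndMarkPhase(JSContext*) (jsgc.cpp:2858)
==55695==    by 0x4A926C: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:3106)
==55695==    by 0x4AA24B: GCCycle(JSContext*, JSCompartment*, bool, JSGCInvocationKind) (jsgc.cpp:3594)
==55695==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd
"""


def triage(text: str = SAMPLE) -> Dict[str, object]:
    """Summarise one report: access kind, depth, top frame and verdict."""
    r = parse_valgrind(text)
    return {
        "op": r.op, "size": r.size, "depth": len(r.frames),
        "top": r.frames[0].symbol if r.frames else None,
        "fault_addr": r.fault_addr, "verdict": classify(r),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value:#x}" if key == "fault_addr" and isinstance(value, int) else f"{key}: {value}")
```

Running the block prints the top frame (the HeapPtr read in Barrier.h) and the verdict "poisoned-memory dereference: fill byte 0xDA", which is the cue to look for the object that was freed before the mark phase rather than for a corrupted pointer.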
I can't get this to crash. I'm on the same rev, and I'm also using a 64-bit Linux build. Any advice?
(In reply to Bill McCloskey (:billm) from comment #1)
> I can't get this to crash. I'm on the same rev, and I'm also using a 64-bit
> Linux build. Any advice?

fwiw, I *think* I used to have a testcase that crashed here too, but it went away after testing with larch tip.
I can reproduce this on the revision in comment 0 but not on tip. I'm going to see if this still pops up when fuzzing larch tip now and if so, I'll update the testcase here.
Sadly, I wish I had debugged this a while ago. It caused some intermittent orange problems after incremental GC landed. If I had been a little less lazy, this would have been much easier to debug.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE