719686 - Assertion failure: (d.lengthAndFlags & FLAGS_MASK) == DEPENDENT_BIT, at js/src/vm/String.h:340 or Crash [@ JSString::isLinear]

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test asserts/crashes on mozilla-central revision e5e66f40c35b (32 bit, options -m -n -a):


gczeal(2);
function subset(list, size) {
  if (size == 0 || !list.length)
    return [list.slice(0, 0)];
  var result = [];
  for (var i = 0, n = list.length; i < n; i++) {
    var pick = list.slice(i, i+1);
    var rest = list.slice(0, i).concat(list.slice(i+1));
    for each (var x in subset(rest, size-1))
      result.push(pick.concat(x));
  }
  return result;
}
var bops = [
  ["=", "|=", "^=", "&=", "<<=", ">>=", ">>>=", "+=", "-=", "*=", "/=", "%="],
  ];
var aops = [];
for (var i = 0; i < bops.length; i++) {
  for (var j = 0; j < bops[i].length; j++) {
    var k = bops[i][j];
    aops.push(k);
}
for (i = 2; i < 5; i++) {
  var sets = subset(aops, i);
  }
}


Furthermore, the shell crashes with a use-after-gc when stepping through the assert:

Program received signal SIGSEGV, Segmentation fault.
0x08089574 in JSString::isLinear (this=0xdadadada) at /srv/repos/mozilla-central/js/src/vm/String.h:328
328             return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0  0x08089574 in JSString::isLinear (this=0xdadadada) at /srv/repos/mozilla-central/js/src/vm/String.h:328
#1  0x08107495 in js::gc::ScanLinearString (gcmarker=0xffffbd2c, str=0xdadadada) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:727
#2  0x0810782d in js::gc::ScanString (gcmarker=0xffffbd2c, str=0xf744d8a0) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:792
#3  0x081078e9 in js::gc::PushMarkStack (gcmarker=0xffffbd2c, str=0xf744d8a0) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:808
#4  0x0810a4c3 in js::gc::Mark<JSString> (trc=0xffffbd2c, thing=0xf744d8a0) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:140
#5  0x08105d45 in js::gc::MarkStringUnbarriered (trc=0xffffbd2c, str=0xf744d8a0, name=0x83d4306 "prop") at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:156
#6  0x08105d6c in js::gc::MarkString (trc=0xffffbd2c, str=..., name=0x83d4306 "prop") at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:162
#7  0x0814d1c1 in js::NativeIterator::mark (this=0x85cf3d0, trc=0xffffbd2c) at /srv/repos/mozilla-central/js/src/jsiter.cpp:125
#8  0x0814d2d0 in iterator_trace (trc=0xffffbd2c, obj=0xf7440760) at /srv/repos/mozilla-central/js/src/jsiter.cpp:148
#9  0x0810a293 in js::GCMarker::processMarkStackTop (this=0xffffbd2c) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1133
#10 0x081083cb in js::GCMarker::drainMarkStack (this=0xffffbd2c) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1164
#11 0x080f4791 in MarkAndSweep (cx=0x8569588, gckind=GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:2880
#12 0x080f4a06 in GCCycle (cx=0x8569588, comp=0x0, gckind=GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3106
#13 0x080f4c7d in js_GC (cx=0x8569588, comp=0x0, gckind=GC_NORMAL, reason=js::gcstats::LASTDITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3164
#14 0x080f2226 in js::gc::RunLastDitchGC (cx=0x8569588) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1668
#15 0x080f5936 in js::gc::RunDebugGC (cx=0x8569588) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3431
#16 0x081e5cbd in js::gc::NewGCThing<JSString> (cx=0x8569588, kind=js::gc::FINALIZE_STRING, thingSize=16) at ../jsgcinlines.h:391
#17 0x081e301d in js_NewGCString (cx=0x8569588) at ../jsgcinlines.h:445
#18 0x081e3355 in JSInlineString::new_ (cx=0x8569588) at ../vm/String-inl.h:187
#19 0x081de564 in NewShortString (cx=0x8569588, chars=0xf744d3d8, length=3) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3095
#20 0x081deafc in js_NewStringCopyN (cx=0x8569588, s=0xf744d3d8, n=3) at /srv/repos/mozilla-central/js/src/jsstr.cpp:3232
#21 0x080aa904 in AtomizeInline (cx=0x8569588, pchars=0xffffc0a8, length=3, ib=js::DoNotInternAtom, ocb=CopyChars) at /srv/repos/mozilla-central/js/src/jsatom.cpp:493
#22 0x080aaa08 in Atomize (cx=0x8569588, pchars=0xffffc0a8, length=3, ib=js::DoNotInternAtom, ocb=CopyChars) at /srv/repos/mozilla-central/js/src/jsatom.cpp:519
#23 0x080aac47 in js_AtomizeString (cx=0x8569588, str=0xf744d3c0, ib=js::DoNotInternAtom) at /srv/repos/mozilla-central/js/src/jsatom.cpp:552
#24 0x080a20c0 in js_ValueToAtom (cx=0x8569588, v=..., atomp=0xffffc12c) at ../jsatominlines.h:68
#25 0x080a2113 in js_ValueToStringId (cx=0x8569588, v=..., idp=0xffffc1d0) at ../jsatominlines.h:76
#26 0x08130b81 in js::ValueToId (cx=0x8569588, v=..., idp=0xffffc1d0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:1014
#27 0x0814fb25 in js_IteratorMore (cx=0x8569588, iterobj=0xf7440760, rval=0xffffc210) at /srv/repos/mozilla-central/js/src/jsiter.cpp:1089
#28 0x083a5441 in js::mjit::stubs::IterMore (f=...) at /srv/repos/mozilla-central/js/src/methodjit/StubCalls.cpp:1319
#29 0xf76e4742 in ?? ()
#30 0x08535ff4 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) x /2i $pc
=> 0x8089574 <JSString::isLinear() const+6>:    mov    (%eax),%eax
   0x8089576 <JSString::isLinear() const+8>:    and    $0x1,%eax
(gdb) info register eax
eax            0xdadadada       -623191334


S-s and sg:critical due to possibly dangerous GC related memory hazard.

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

Regression from bug 713754, ids are converted to strings now (maybe triggering GC) when constructing native iterators but are not rooted until the native iterator is attached to an object afterwards.

Comment 2

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/0c8e2e793851

Comment 3

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/0c8e2e793851

Comment 4

[Christian Holler (:decoder)]

Slow gc test, skipping for test suite.