Closed
Bug 732087
Opened 12 years ago
Closed 12 years ago
Assertion failure: addr % Cell::CellSize == 0, at ../../jsgc.h:861 or Crash [@ js::gc::ChunkBitmap::markIfUnmarked]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla13

Version | Tracking | Status
---|---|---
firefox10 | - | unaffected
firefox11 | - | unaffected
firefox12 | - | unaffected
firefox13 | + | fixed
firefox-esr10 | - | unaffected
People
(Reporter: decoder, Assigned: billm)
Details
(4 keywords, Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+])
Attachments (1 file)
patch (1.10 KB) | luke: review+
The following test crashes on mozilla-central revision 1c3b291d0830+ (options -m -n -a):

```js
gczeal(2,1);
var count = 0;
var a = {__noSuchMethod__: function() { count++; } }
for (var i = 0; i < 10; 0) { a.b(); }
```

Stepping through crashes:

```
Program received signal SIGSEGV, Segmentation fault.
0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
674         if (*word & mask)
(gdb) bt
#0  0x00000000004b8320 in js::gc::ChunkBitmap::markIfUnmarked (this=0xdadadadadadfc0b8, cell=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:674
#1  0x00000000004b869d in js::gc::Cell::markIfUnmarked (this=0xdadadadadadadada, color=0) at /srv/repos/mozilla-central/js/src/jsgc.h:972
#2  0x00000000004cbd22 in js::gc::PushMarkStack (gcmarker=0x7ffff7fae220, thing=0xdadadadadadadada) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:457
#3  0x00000000004d2439 in js::GCMarker::processMarkStackTop (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1112
#4  0x00000000004cd882 in js::GCMarker::drainMarkStack (this=0x7ffff7fae220, budget=...) at /srv/repos/mozilla-central/js/src/jsgcmark.cpp:1172
#5  0x00000000004b3eb7 in MarkAndSweep (cx=0xb64b40, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3300
#6  0x00000000004b4d6f in GCCycle (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3642
#7  0x00000000004b503e in Collect (cx=0xb64b40, comp=0x0, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3707
#8  0x00000000004b5174 in js::GC (cx=0xb64b40, comp=0x0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_DITCH) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3727
#9  0x00000000004b02ce in js::gc::RunLastDitchGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:1722
#10 0x00000000004b5dc1 in js::gc::RunDebugGC (cx=0xb64b40) at /srv/repos/mozilla-central/js/src/jsgc.cpp:3967
#11 0x0000000000463874 in js::gc::NewGCThing<JSObject> (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, thingSize=96) at ../jsgcinlines.h:408
#12 0x000000000045f2b4 in js_NewGCObject (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8) at ../jsgcinlines.h:454
#13 0x00000000004615dd in JSObject::createDenseArray (cx=0xb64b40, kind=js::gc::FINALIZE_OBJECT8, shape=..., type=..., length=0) at ../jsobjinlines.h:1088
#14 0x000000000045c95d in js::NewArray<true> (cx=0xb64b40, length=0, proto=0x7ffff6105060) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3804
#15 0x00000000004591a5 in js::NewDenseCopiedArray (cx=0xb64b40, length=0, vp=0x7ffff63fb0b0, proto=0x0) at /srv/repos/mozilla-central/js/src/jsarray.cpp:3859
#16 0x00000000004f9c84 in NoSuchMethod (cx=0xb64b40, argc=0, vp=0x7ffff63fb0a0) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:414
#17 0x00000000004f9fb3 in js::InvokeKernel (cx=0xb64b40, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:485
#18 0x0000000000506213 in js::Interpret (cx=0xb64b40, entryFrame=0x7ffff63fb030, interpMode=js::JSINTERP_NORMAL) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:2699
#19 0x0000000000692b45 in js::mjit::EnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, stackLimit=0x7ffff67db000, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1079
#20 0x0000000000692cf6 in CheckStackAndEnterMethodJIT (cx=0xb64b40, fp=0x7ffff63fb030, code=0x7ffff7f3c078, partial=false) at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:1111
```

S-s and sg:critical due to GC related crash with dangerous address pattern.
Comment 1 (Reporter) • 12 years ago

Not sure how reliable this bisect is but it looks realistic:

The first bad revision is:
changeset: 86695:fbef6a165cf8
user: Bill McCloskey
date: Fri Feb 10 18:32:08 2012 -0800
summary: Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
Comment 2 (Assignee) • 12 years ago

Sometimes I do stuff like this just so that if I ever do something smart it seems really impressive.
Comment 3 • 12 years ago

Comment on attachment 602046 [details] [diff] [review] patch

Ouch
Attachment #602046 -
Flags: review?(luke) → review+
Comment 4 (Assignee) • 12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/ecd394385340
Target Milestone: --- → mozilla13
Updated • 12 years ago

status-firefox-esr10: --- → unaffected
status-firefox10: --- → wontfix
status-firefox11: --- → wontfix
status-firefox12: --- → unaffected
status-firefox13: --- → affected
tracking-firefox-esr10: --- → -
tracking-firefox10: --- → -
tracking-firefox11: --- → -
tracking-firefox12: --- → -
tracking-firefox13: --- → +
Comment 5 • 12 years ago

The bisect in comment 1 may not line up with the patch, which changes a single line added in bug 728086 a couple of weeks later.

https://hg.mozilla.org/integration/mozilla-inbound/rev/0fe3483946f9

So is there a different bug that decoder was seeing in mid February, possibly not fixed by this patch?
Updated • 12 years ago

Keywords: regression
Comment 6 (Assignee) • 12 years ago

Comment 1 is correct. This is a regression from bug 723313. Then a bug was discovered in bug 728086, which I fixed in an incorrect way. (I needed to initialize some bytes, but I didn't initialize enough.) This patch corrects the problem. All of this only affects Firefox 13.
Comment 7 (Assignee) • 12 years ago

https://hg.mozilla.org/mozilla-central/rev/ecd394385340
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 8 (Reporter) • 12 years ago

Fix includes test, marking verified based on that.
Status: RESOLVED → VERIFIED
Updated • 12 years ago

Group: core-security
Updated • 12 years ago

Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]
Comment 10 (Reporter) • 11 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug732087.js.
Flags: in-testsuite+