Closed Bug 783543 Opened 12 years ago Closed 12 years ago

Crash [@ js::gc::Cell::compartment]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 783315

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -n -a):


try { 
  evaluate("  (function(c) { const x = 1; for (x in null); })();"); 
  var expect = "Passed";
} catch ( e ) {
  result = expect;
}
schedulegc(10);
eval("var o = new MyObject(); var result = 0; for (var o in foo) { result += this[o]; } ") 
function MyObject() {}


Crash trace:

==3301== Invalid read of size 4
==3301==    at 0x804D3A3: js::gc::Cell::compartment() const (Heap.h:1010)
==3301==    by 0x83A9E65: void js::gc::CheckMarkedThing<js::PropertyName>(JSTracer*, js::PropertyName*) (Marking.cpp:86)
==3301==    by 0x83A6457: void js::gc::MarkInternal<js::PropertyName>(JSTracer*, js::PropertyName**) (Marking.cpp:108)
==3301==    by 0x83A3FDE: void js::gc::MarkUnbarriered<js::PropertyName>(JSTracer*, js::PropertyName**, char const*) (Marking.cpp:137)
==3301==    by 0x839CF3C: js::gc::MarkStringUnbarriered(JSTracer*, js::PropertyName**, char const*) (Marking.cpp:246)
==3301==    by 0x82295F0: js::Bindings::trace(JSTracer*) (jsscript.cpp:232)
==3301==    by 0x822EBDB: JSScript::markChildren(JSTracer*) (jsscript.cpp:2425)
==3301==    by 0x839F022: js::gc::MarkChildren(JSTracer*, JSScript*) (Marking.cpp:773)
==3301==    by 0x839E439: js::gc::PushMarkStack(js::GCMarker*, JSScript*) (Marking.cpp:583)
==3301==    by 0x83A4C20: void js::gc::MarkInternal<JSScript>(JSTracer*, JSScript**) (Marking.cpp:116)
==3301==    by 0x83A29E3: void js::gc::MarkRoot<JSScript>(JSTracer*, JSScript**, char const*) (Marking.cpp:154)
==3301==    by 0x839C9D5: js::gc::MarkScriptRoot(JSTracer*, JSScript**, char const*) (Marking.cpp:240)
==3301==  Address 0xcdcdc000 is not stack'd, malloc'd or (recently) free'd



Might be a duplicate of one of the previous bugs that Gary and I reported, but it looks particular dangerous so I would like to make sure it's not missed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f5f29adc6d30).
I'll add the test-case though, nice find!
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug783543.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.