Closed Bug 783543 Opened 13 years ago Closed 13 years ago

Crash [@ js::gc::Cell::compartment]

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 783315

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -n -a):

try {
  evaluate(" (function(c) { const x = 1; for (x in null); })();");
  var expect = "Passed";
} catch ( e ) {
  result = expect;
}
schedulegc(10);
eval("var o = new MyObject(); var result = 0; for (var o in foo) { result += this[o]; } ")
function MyObject() {}

Crash trace:

==3301== Invalid read of size 4
==3301==    at 0x804D3A3: js::gc::Cell::compartment() const (Heap.h:1010)
==3301==    by 0x83A9E65: void js::gc::CheckMarkedThing<js::PropertyName>(JSTracer*, js::PropertyName*) (Marking.cpp:86)
==3301==    by 0x83A6457: void js::gc::MarkInternal<js::PropertyName>(JSTracer*, js::PropertyName**) (Marking.cpp:108)
==3301==    by 0x83A3FDE: void js::gc::MarkUnbarriered<js::PropertyName>(JSTracer*, js::PropertyName**, char const*) (Marking.cpp:137)
==3301==    by 0x839CF3C: js::gc::MarkStringUnbarriered(JSTracer*, js::PropertyName**, char const*) (Marking.cpp:246)
==3301==    by 0x82295F0: js::Bindings::trace(JSTracer*) (jsscript.cpp:232)
==3301==    by 0x822EBDB: JSScript::markChildren(JSTracer*) (jsscript.cpp:2425)
==3301==    by 0x839F022: js::gc::MarkChildren(JSTracer*, JSScript*) (Marking.cpp:773)
==3301==    by 0x839E439: js::gc::PushMarkStack(js::GCMarker*, JSScript*) (Marking.cpp:583)
==3301==    by 0x83A4C20: void js::gc::MarkInternal<JSScript>(JSTracer*, JSScript**) (Marking.cpp:116)
==3301==    by 0x83A29E3: void js::gc::MarkRoot<JSScript>(JSTracer*, JSScript**, char const*) (Marking.cpp:154)
==3301==    by 0x839C9D5: js::gc::MarkScriptRoot(JSTracer*, JSScript**, char const*) (Marking.cpp:240)
==3301==  Address 0xcdcdc000 is not stack'd, malloc'd or (recently) free'd

Might be a duplicate of one of the previous bugs that Gary and I reported, but it looks particularly dangerous so I would like to make sure it's not missed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f5f29adc6d30).
I'll add the test-case though, nice find!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug783543.js.
Flags: in-testsuite+