Closed Bug 794214 Opened 9 years ago Closed 9 years ago

Intermittent rooting analysis failure in CheckNewScriptProperties

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED FIXED
mozilla18

People

(Reporter: sfink, Assigned: sfink)

Attachments

(1 file)

1.1% of the time when I run js1_8_5/extensions/proxy-enumerateOwn-duplicates.js, it fails. I set up an infinite gdb loop to catch it (enabling ASLR). It is failing in jsinfer.cpp:4915:

  type->newScript = (TypeNewScript *) cx->calloc_(numBytes);

type->newScript is a HeapPtr, which asserts that you're not passing it a poisoned ptr.

I could wrap the calloc_ with another retry-until-good-address, though I wonder how many of these there are.
Note that I also observed a 0.4% failure rate in 2 other tests, and I haven't checked whether they're the same problem.
Sorry, I should have said somewhere that this is only with rooting analysis enabled.
Attachment #664746 - Flags: review?(wmccloskey)
Assignee: general → sphink
Summary: Intermittent failure in CheckNewScriptProperties → Intermittent rooting analysis failure in CheckNewScriptProperties
Comment on attachment 664746
Avoid putting poisoned pointer into type->newScript

Review of attachment 664746:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +4912,5 @@
>  
>      size_t numBytes = sizeof(TypeNewScript)
>                      + (initializerList.length() * sizeof(TypeNewScript::Initializer));
> +#ifdef JSGC_ROOT_ANALYSIS
> +    // calloc can legitimately return a pointer that appears to be poisoned
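
Review bot: at the `#ifdef JSGC_ROOT_ANALYSIS` block, the new comment says calloc can return a pointer that appears poisoned but not why that matters at this call site or what the guarded code does about it; extend the comment to name the assertion being avoided so the special case can be understood without reading the bug. Separately, the context line computing `numBytes` multiplies `initializerList.length()` by `sizeof(TypeNewScript::Initializer)` with no overflow check visible in this hunk; worth confirming the length is bounded before this point.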

Period at the end, please.
Attachment #664746 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/b118ae06adeb
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
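
The retry-until-good-address idea raised in the report, as an added sketch that is not the attached patch and not SpiderMonkey code. `LooksPoisoned`, `Allocator`, `ZallocUnpoisoned` and the scripted allocator are hypothetical names, the addresses are constructed, and the poison heuristic is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption of this sketch, not the engine's real check: a pointer "looks
// poisoned" when bits 24..31 of its address equal a debug fill byte (0xDA).
static bool LooksPoisoned(const void *p) {
    return ((reinterpret_cast<uintptr_t>(p) >> 24) & 0xFF) == 0xDA;
}

struct Allocator {            // injectable so the retry logic is testable
    void *(*zalloc)(size_t);  // zeroed memory, or nullptr on failure
    void (*release)(void *);
};

// Retry until the address stops matching. Rejected blocks stay allocated
// during the loop; freeing one at once could hand the same address back.
static void *ZallocUnpoisoned(const Allocator &a, size_t numBytes,
                              size_t maxTries, size_t *numRejected) {
    std::vector<void *> rejected;
    void *result = nullptr;
    for (size_t i = 0; i < maxTries && !result; i++) {
        void *p = a.zalloc(numBytes);
        if (!p) break;  // genuine allocation failure: stop, do not spin
        if (LooksPoisoned(p))
            rejected.push_back(p);
        else
            result = p;
    }
    for (void *p : rejected)
        a.release(p);
    *numRejected = rejected.size();
    return result;
}

// Constructed addresses (never dereferenced): two poisoned-looking, one clean.
static const uintptr_t kScript[] = {0xDA001000u, 0xDA7FF000u, 0x10003000u};
static size_t gNext = 0, gReleased = 0;
static void *ScriptedZalloc(size_t) {
    return gNext < 3 ? reinterpret_cast<void *>(kScript[gNext++]) : nullptr;
}
static void ScriptedRelease(void *) { gReleased++; }

int main() {
    Allocator fake = {ScriptedZalloc, ScriptedRelease};
    size_t rejected = 0;
    void *p = ZallocUnpoisoned(fake, 64, 8, &rejected);
    printf("kept %p, rejected %zu, released %zu\n", p, rejected, gReleased);
}
```

The `maxTries` bound keeps a systematically unlucky address range from turning the workaround into an unbounded loop; a caller then sees an ordinary allocation failure.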