794214 - Intermittent rooting analysis failure in CheckNewScriptProperties

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Steve Fink [:sfink] [:s:]]

1.1% of the time when I run js1_8_5/extensions/proxy-enumerateOwn-duplicates.js, it fails. I set up an infinite gdb loop to catch it (enabling ASLR). It is failing in jsinfer.cpp:4915:

  type->newScript = (TypeNewScript *) cx->calloc_(numBytes);

type->newScript is a HeapPtr, which asserts that you're not passing it a poisoned ptr.

I could wrap the calloc_ with another retry-until-good-address, though I wonder how many of these there are.

Comment 1

[Steve Fink [:sfink] [:s:]]

Note that I also observed a 0.4% failure rate in 2 other tests, and I haven't checked whether they're the same problem.

Comment 2

[Steve Fink [:sfink] [:s:]]

Attachment: Avoid putting poisoned pointer into type->newScript

Sorry, I should have said somewhere that this is only with rooting analysis
enabled.

Comment 3

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 664746 [details] [diff] [review]
Avoid putting poisoned pointer into type->newScript

Review of attachment 664746 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsinfer.cpp
@@ +4912,5 @@
>  
>      size_t numBytes = sizeof(TypeNewScript)
>                      + (initializerList.length() * sizeof(TypeNewScript::Initializer));
> +#ifdef JSGC_ROOT_ANALYSIS
> +    // calloc can legitimately return a pointer that appears to be poisoned

Period at the end, please.

Comment 4

[Steve Fink [:sfink] [:s:]]

http://hg.mozilla.org/integration/mozilla-inbound/rev/b118ae06adeb

try push: https://tbpl.mozilla.org/?tree=Try&rev=4762cd73c124

Comment 5

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/b118ae06adeb