906243 - GenerationalGC: Crash [@ _int_malloc]

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

a2 = []
g = function() r
Object.defineProperty(a2, 0, {
    set: function() {}
})
for (var x = 0; x < 70; ++x) {
    Array.prototype.unshift.call(a2, g)
}
a2.length = 8
for each(e in [0, 0]) {
    Array.prototype.shift.call(a2)
}

crashes js debug shell (tested with a threadsafe 64-bit debug build) on m-i changeset a63f47fcbe98 without any CLI arguments at _int_malloc

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   140539:1a0e01422cb3
user:        Terrence Cole
date:        Wed Jul 10 10:13:46 2013 -0700
summary:     Bug 889682 - Eagerly check for remembered set membership before buffering; r=billm

Comment 1

[Terrence Cole [:terrence]]

Attachment: fuzz_906243-v0.diff

JSObject::shrinkSlots specializes a new slots count of 0 to use free, instead of realloc, since realloc is not well defined for the zero-size case. The shrinkSlots path using free, unlike the realloc path, does not currently handle the management of the hugeSlots set, Specifically, it just calls js_free and does not remove the slots pointer, resulting in a double-free. The attached patch adds Nursery::freeSlots, which handles the hugeSlots set management similar to, if simpler than, Nursery::reallocSlots.

Comment 2

[Jon Coppeard (:jonco)]

Comment on attachment 799087 [details] [diff] [review]
fuzz_906243-v0.diff

Review of attachment 799087 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!

Comment 3

[Terrence Cole [:terrence]]

Try run: https://tbpl.mozilla.org/?tree=Try&rev=c251911a9489
Pushed: https://hg.mozilla.org/integration/mozilla-inbound/rev/7cae068e6b3f

Comment 4

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/7cae068e6b3f