Bug 906243 (Closed)
Opened 11 years ago
Closed 11 years ago
GenerationalGC: Crash [@ _int_malloc]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla26
People: Reporter: gkw, Assigned: terrence
Keywords: crash, regression, testcase
Attachments (2 files):
  3.62 KB, text/plain (Details)
  3.38 KB, patch, jonco: review+ (Details | Diff | Splinter Review)
Description

a2 = []
g = function() r
Object.defineProperty(a2, 0, { set: function() {} })
for (var x = 0; x < 70; ++x) {
  Array.prototype.unshift.call(a2, g)
}
a2.length = 8
for each(e in [0, 0]) {
  Array.prototype.shift.call(a2)
}

crashes js debug shell (tested with a threadsafe 64-bit debug build) on m-i changeset a63f47fcbe98 without any CLI arguments at _int_malloc

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   140539:1a0e01422cb3
user:        Terrence Cole
date:        Wed Jul 10 10:13:46 2013 -0700
summary:     Bug 889682 - Eagerly check for remembered set membership before buffering; r=billm
Flags: needinfo?(terrence)
Updated•11 years ago
Assignee: general → terrence
Flags: needinfo?(terrence)
Comment 1•11 years ago
JSObject::shrinkSlots specializes a new slots count of 0 to use free, instead of realloc, since realloc is not well defined for the zero-size case. The shrinkSlots path using free, unlike the realloc path, does not currently handle the management of the hugeSlots set. Specifically, it just calls js_free and does not remove the slots pointer, resulting in a double-free. The attached patch adds Nursery::freeSlots, which handles the hugeSlots set management similar to, if simpler than, Nursery::reallocSlots.
Attachment #799087 - Flags: review?(jcoppeard)
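A toy model in C of the double-free that comment 1 describes, added here as an illustration and not SpiderMonkey's own code. A "huge slots" set records large slot buffers that a later sweep must free; the realloc path keeps that set consistent, while the shrink-to-zero path frees the buffer without unregistering it, so the sweep frees it a second time. A small tracking allocator stands in for the heap and counts repeated frees instead of corrupting anything, which is the kind of instrumentation that turns an `_int_malloc` crash into a clear diagnosis. The threshold, the set implementation, the function names and the malloc+free stand-in for realloc are all constructed for this example; `free_slots_fixed` is modelled on what comment 1 says Nursery::freeSlots does, not copied from the patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed for this example: slot buffers above this size count as "huge". */
#define HUGE_THRESHOLD 16
#define MAX_HUGE 64
#define MAX_TRACKED 256

/* hugeSlots set: buffers that the sweep phase, not the object, must free. */
static void *huge_slots[MAX_HUGE];
static int huge_count;

/* Tracking allocator: remembers each buffer and whether it was already freed,
   so a second free is counted instead of corrupting the heap (in the real bug
   the corruption surfaced as a crash inside _int_malloc). */
static struct { void *p; int freed; } tracked[MAX_TRACKED];
static int tracked_count;
static int double_free_count;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < tracked_count; i++)       /* address reused after a free? */
        if (tracked[i].p == p) { tracked[i].freed = 0; return p; }
    if (tracked_count == MAX_TRACKED) abort();
    tracked[tracked_count].p = p;
    tracked[tracked_count].freed = 0;
    tracked_count++;
    return p;
}

static void tracked_free(void *p) {
    for (int i = 0; i < tracked_count; i++) {
        if (tracked[i].p != p) continue;
        if (tracked[i].freed) { double_free_count++; return; }   /* double free */
        tracked[i].freed = 1;
        free(p);
        return;
    }
    abort();   /* freeing something that was never allocated */
}

static void huge_add(void *p) {
    if (huge_count == MAX_HUGE) abort();
    huge_slots[huge_count++] = p;
}

static void huge_remove(void *p) {
    for (int i = 0; i < huge_count; i++)
        if (huge_slots[i] == p) { huge_slots[i] = huge_slots[--huge_count]; return; }
}

static void *nursery_alloc_slots(size_t nslots) {
    void *p = tracked_malloc(nslots * sizeof(void *));
    if (nslots > HUGE_THRESHOLD) huge_add(p);
    return p;
}

/* Realloc path: drop the old buffer from the set, register the new one if it
   is still huge. A malloc+free pair stands in for realloc here. */
static void *nursery_realloc_slots(void *old, size_t nslots) {
    huge_remove(old);
    void *p = tracked_malloc(nslots * sizeof(void *));
    tracked_free(old);
    if (nslots > HUGE_THRESHOLD) huge_add(p);
    return p;
}

/* Before the fix: free without touching the set, so the sweep frees it again. */
static void free_slots_buggy(void *p) { tracked_free(p); }

/* After the fix (modelled on comment 1's Nursery::freeSlots): unregister, then free. */
static void free_slots_fixed(void *p) { huge_remove(p); tracked_free(p); }

/* shrinkSlots: a new count of 0 is special-cased to free, since realloc to
   zero bytes is not well defined. Returns the new buffer (NULL when freed). */
static void *nursery_shrink_slots(void *old, size_t nslots, int fixed) {
    if (nslots == 0) {
        if (fixed) free_slots_fixed(old); else free_slots_buggy(old);
        return NULL;
    }
    return nursery_realloc_slots(old, nslots);
}

/* Sweep: free everything still registered as huge. */
static void nursery_sweep(void) {
    for (int i = 0; i < huge_count; i++) tracked_free(huge_slots[i]);
    huge_count = 0;
}

/* Allocate a huge buffer, shrink it (still huge), shrink to zero, then sweep.
   Returns how many double frees the tracker observed. */
int run_scenario(int fixed) {
    huge_count = tracked_count = double_free_count = 0;
    void *slots = nursery_alloc_slots(70);
    slots = nursery_shrink_slots(slots, 40, fixed);   /* realloc path: set stays correct */
    nursery_shrink_slots(slots, 0, fixed);            /* free path: where the bug lives */
    nursery_sweep();
    return double_free_count;
}

int main(void) {
    printf("double frees before fix: %d\n", run_scenario(0));   /* 1 */
    printf("double frees after fix:  %d\n", run_scenario(1));   /* 0 */
    return 0;
}
```

The realloc step in the scenario is there to show the contrast the comment draws: both paths end the old buffer's life, but only one of them tells the set about it. Any routine that takes ownership of a pointer away from a tracking structure has to unregister it first, and a tracking allocator (or AddressSanitizer on the real shell) is the quickest way to prove which path forgot.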
Comment 2•11 years ago
Comment on attachment 799087 [details] [diff] [review]
fuzz_906243-v0.diff

Review of attachment 799087 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #799087 - Flags: review?(jcoppeard) → review+
Comment 3•11 years ago
Try run: https://tbpl.mozilla.org/?tree=Try&rev=c251911a9489
Pushed: https://hg.mozilla.org/integration/mozilla-inbound/rev/7cae068e6b3f
https://hg.mozilla.org/mozilla-central/rev/7cae068e6b3f
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26