Closed Bug 521169 Opened 15 years ago Closed 15 years ago

TM: Crash [@ 0xdb001f12] or [@ JS_CallTracer] or "Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp"

Categories

(Core :: JavaScript Engine, defect, P2)

defect


VERIFIED FIXED
Tracking Status
status1.9.2 --- beta3-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: dvander)

Details

(4 keywords, Whiteboard: [ccbr][sg:critical] fixed-in-tracemonkey)

Attachments

(1 file)

try {
    with({
        x: (function f(a) {
            f(1)
        })()
    }) {}
} catch(e) {}
for each(x in ["", true]) {
    for (b = 0; b < 4; ++b) {
        if (b % 2 == 0) {
            (function () {})()
        } {
            gc()
        }
    }
}

Crashes the js opt shell at a scary address (0xdb001f12) when pasted in with -j, at JS_CallTracer near null when passed in as a CLI argument with -j, and asserts with "Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp:2677" in a js debug shell with -j.

Turning security-sensitive because of the scary address and because this concerns gc.

autoBisecting soon...
Whiteboard: [ccbr]
autoBisect shows this is probably related to bug 459301:

The regression window is http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=89e665eb9944&tochange=d04601f54db5 which is heavily tracerecursion-related.
(In reply to comment #0)
> crashes at js opt shell at a scary address when pasted (0xdb001f12) with -j, at
> JS_CallTracer near null when passed in as a CLI argument with -j, and asserts
> at Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp:2677 with a js debug
> shell with -j.

When pasted into the opt shell and when passed in as a CLI argument to the opt shell, JSTraceMonitor::mark seems to be common on the stack:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000db001f12
Crashed Thread:  0

Thread 0 Crashed:
0   ???                           	0x001f1280 0 + 2036352
1   js-opt-tm-darwin              	0x000efa9e JSTraceMonitor::mark(JSTracer*) + 286
2   js-opt-tm-darwin              	0x0004b166 js_TraceRuntime + 182
3   js-opt-tm-darwin              	0x0004b88e js_GC + 1022
4   js-opt-tm-darwin              	0x0000ed68 JS_GC + 72
5   js-opt-tm-darwin              	0x00005082 __ZL2GCP9JSContextjPl + 50
6   js-opt-tm-darwin              	0x000577f0 js_Interpret + 39904
7   js-opt-tm-darwin              	0x0005d9aa js_Execute + 362
8   js-opt-tm-darwin              	0x0000cefc JS_ExecuteScript + 60
9   js-opt-tm-darwin              	0x00003a88 __ZL7ProcessP9JSContextP8JSObjectPci + 1336
10  js-opt-tm-darwin              	0x00007b44 main + 2212
11  js-opt-tm-darwin              	0x00001a1b _start + 209
12  js-opt-tm-darwin              	0x00001949 start + 41


Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000040
Crashed Thread:  0

Thread 0 Crashed:
0   js-opt-tm-darwin              	0x0004a396 JS_CallTracer + 614
1   js-opt-tm-darwin              	0x000efa9e JSTraceMonitor::mark(JSTracer*) + 286
2   js-opt-tm-darwin              	0x0004b166 js_TraceRuntime + 182
3   js-opt-tm-darwin              	0x0004b88e js_GC + 1022
4   js-opt-tm-darwin              	0x0000ed68 JS_GC + 72
5   js-opt-tm-darwin              	0x00005082 __ZL2GCP9JSContextjPl + 50
6   js-opt-tm-darwin              	0x000577f0 js_Interpret + 39904
7   js-opt-tm-darwin              	0x0005d9aa js_Execute + 362
8   js-opt-tm-darwin              	0x0000cefc JS_ExecuteScript + 60
9   js-opt-tm-darwin              	0x00003b95 __ZL7ProcessP9JSContextP8JSObjectPci + 1605
10  js-opt-tm-darwin              	0x00007b44 main + 2212
11  js-opt-tm-darwin              	0x00001a1b _start + 209
12  js-opt-tm-darwin              	0x00001949 start + 41
No longer blocks: tracerecursion
Attached patch fix (deleted) — Splinter Review
We're not walking peer fragments for gcthings. This bug existed prior to recursion, so we got lucky here that the bug was exposed so cleanly.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #406182 - Flags: review?(gal)
tracking-fennec: --- → ?
Flags: blocking1.9.2?
OS: Mac OS X → All
Priority: -- → P2
Hardware: x86 → All
Attachment #406182 - Flags: review?(gal) → review+
(In reply to comment #3)
> Created an attachment (id=406182) [details]
> fix
> 
> We're not walking peer fragments for gcthings. This bug existed prior to
> recursion, so we got lucky here that the bug was exposed so cleanly.

Does this bug exist on 1.9.1?
Flags: blocking1.9.2? → blocking1.9.2+
No. The underlying don't-flush-jit-cache-upon-gc code wasn't added until 1.9.2.
Nice catch, Gary.
Whiteboard: [ccbr] → [ccbr][sg:critical]
http://hg.mozilla.org/tracemonkey/rev/dde13d040e44

The crash is (probably) rare but deadly: type instability has to create a peer that roots an object not rooted by the first fragment. FWIW the test case can be reduced to:

for each(x in ["", true]) {
    for (b = 0; b < 4; ++b) {
        if (b % 2 == 0) {
            (function () {})()
        } {
            gc()
        }
    }
}
Whiteboard: [ccbr][sg:critical] → [ccbr][sg:critical] fixed-in-tracemonkey
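A small model of the root-marking gap described in comment #3 and the comment above (the head fragment is walked, its type-specialised peers are not), written for this page and not taken from SpiderMonkey's jstracer.cpp; the GCThing/Fragment structs and both mark routines are simplified stand-ins for the real tree fragment, peer chain and JSTraceMonitor::mark.

```cpp
#include <cassert>
#include <vector>

// Hypothetical GC-managed object: a mark bit for the current cycle and a
// "freed" flag so a later dereference through compiled code can be detected.
struct GCThing { bool marked = false; bool freed = false; };

// Hypothetical compiled trace fragment. 'roots' stands for the gcthings baked
// into the native code; 'peer' links type-specialised fragments for one loop.
struct Fragment {
    std::vector<GCThing*> roots;
    Fragment* peer = nullptr;
};

// Buggy marker: only the head fragment of each tree is walked, so anything
// rooted solely by a peer is never marked.
void markTreesBuggy(const std::vector<Fragment*>& trees) {
    for (Fragment* f : trees)
        for (GCThing* t : f->roots) t->marked = true;
}

// Fixed marker: walk the head and every peer hanging off it.
void markTreesFixed(const std::vector<Fragment*>& trees) {
    for (Fragment* f : trees)
        for (Fragment* p = f; p; p = p->peer)
            for (GCThing* t : p->roots) t->marked = true;
}

// Sweep: unmarked objects are reclaimed; marks are cleared for the next cycle.
void sweep(std::vector<GCThing>& heap) {
    for (GCThing& t : heap) { if (!t.marked) t.freed = true; t.marked = false; }
}

// Runs one GC cycle with the given marker over a constructed heap: a head
// fragment rooting heap[0] and one peer rooting heap[1]. Returns true if any
// fragment still references a freed object afterwards (a dangling root that
// the jitted code would later dereference).
bool gcLeavesDanglingRoot(void (*mark)(const std::vector<Fragment*>&)) {
    std::vector<GCThing> heap(2);
    Fragment head, peer;
    head.roots = {&heap[0]};
    peer.roots = {&heap[1]};
    head.peer = &peer;
    std::vector<Fragment*> trees = {&head};
    mark(trees);
    sweep(heap);
    for (Fragment* p = &head; p; p = p->peer)
        for (GCThing* t : p->roots) if (t->freed) return true;
    return false;
}
```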
http://hg.mozilla.org/mozilla-central/rev/dde13d040e44
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
Crash Signature: [@ 0xdb001f12] [@ JS_CallTracer]
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Crash Signature: [@ 0xdb001f12] [@ JS_CallTracer] → [@ 0xdb001f12] [@ JS_CallTracer]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
tracking-fennec: ? → ---