Closed Bug 550665 Opened 15 years ago Closed 15 years ago

JM: Crash [@ js::StackSpace::mark] or "Assertion failure: a->info.list, at ../jsgc.cpp"

Component: Core :: JavaScript Engine (defect)
Platform: x86, macOS
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Reporter: gkw (Unassigned)
Attachments: 1 file

function foo() {
  v = (Function("for(w in(a=((function(aaaaaa,bbbbbb){b:aaaaaa[bbbbbb]+(aaaaaa,bbbbbb)})([null]))))for(let z = 0; z < 1; z++)function(){}"))()
}
foo("")
__defineSetter__("x", function() { gc() })
gc()
this.watch("x", function(x) { yield#3= {} })
for (var n;; n++) {
  x = true
}


Asserts the js debug shell on JM tip (without -j or -m) at "Assertion failure: a->info.list, at ../jsgc.cpp:811", and crashes the js opt shell on JM tip (without -j or -m) at js::StackSpace::mark.

(Tested on JM rev 71ed74081c2d on Mac 10.6.2 32-bit shell)


js opt shell stack:

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   ???                           	0000000000 0 + 0
1   js-opt-32-jm-darwin           	0x000202f3 js::StackSpace::mark(JSTracer*) + 307
2   js-opt-32-jm-darwin           	0x00021851 js_TraceThreads(JSRuntime*, JSTracer*) + 33
3   js-opt-32-jm-darwin           	0x0004d7f7 js_TraceRuntime(JSTracer*, int) + 1063
4   js-opt-32-jm-darwin           	0x0004dc6e js_GC(JSContext*, JSGCInvocationKind) + 990
5   js-opt-32-jm-darwin           	0x0000f97a JS_GC + 58
6   js-opt-32-jm-darwin           	0x00005c43 GC(JSContext*, unsigned int, long*) + 35
7   js-opt-32-jm-darwin           	0x00059196 js_Interpret + 35974
8   js-opt-32-jm-darwin           	0x00060891 js_Invoke + 1681
9   js-opt-32-jm-darwin           	0x00060bf0 js_InternalInvoke + 208
10  js-opt-32-jm-darwin           	0x0002a249 js_watch_set + 713
11  js-opt-32-jm-darwin           	0x00060561 js_Invoke + 865
12  js-opt-32-jm-darwin           	0x00060bf0 js_InternalInvoke + 208
13  js-opt-32-jm-darwin           	0x00060cd3 js_InternalGetOrSet + 115
14  js-opt-32-jm-darwin           	0x00069e57 js_NativeSet + 295
15  js-opt-32-jm-darwin           	0x0006d7d4 js_SetPropertyHelper + 948
16  js-opt-32-jm-darwin           	0x00050a79 js_Interpret + 1385
17  js-opt-32-jm-darwin           	0x0005fdcc js_Execute + 860
18  js-opt-32-jm-darwin           	0x0000dc0c JS_ExecuteScript + 60
19  js-opt-32-jm-darwin           	0x00004b35 Process(JSContext*, JSObject*, char*, int) + 1621
20  js-opt-32-jm-darwin           	0x00008a06 main + 1734
21  js-opt-32-jm-darwin           	0x0000287d _start + 208
22  js-opt-32-jm-darwin           	0x000027ac start + 40
Attached file: testcase (deleted)
Pass this into the shell as a CLI argument (./js testcase.js) to reproduce.
(Note: not the smallest regression window)

Works in JM rev 46534269b967, but not in JM rev 71ed74081c2d.
This happens fairly often - and with various crash locations too, though almost all include js::StackSpace::mark.
GC, watchpoints, setters, Function(), and sharp objects oh my!  All to expose a very very silly bug.  Pushed with testcase.
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/62e9f6dd66b9
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Luke, is there a simple template inline function to help avoid this mistake and to consolidate all the mechanical length * sizeof(ELEM) noise?

/be
There could easily be.  How do these signatures look:

namespace js {
template <class T> void memset_elem(T *elem, int value);
template <class T> void memset_elems(T *elem, int value, int nelems);
}
Great -- jorendorff, waldo, or another hacker more expert at C++ should buddy. I'd go further and add memzero (bzero in BSD Unixes of old), since mostly we are memset'ing zeroes.

/be
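To make the helper proposal above concrete, here is an added example (not the patch that landed in the JaegerMonkey tree, and not code from this thread) sketching memset_elem / memset_elems / memzero with the signatures Luke listed, using size_t for the element count. The FakeSlot array and the two leftovers() functions are constructed to show why the helpers matter: a raw memset given an element count where a byte count belongs clears only a prefix of the array, which is exactly the length * sizeof(ELEM) mistake Brendan wants to make unrepresentable.

```cpp
// Added example sketching the helpers proposed in this thread; bodies are
// assumptions, only the names come from the comment above.
#include <cstddef>
#include <cstdint>
#include <cstring>

namespace js {

// Fill one element's bytes with `value`.
template <class T> inline void memset_elem(T *elem, int value) {
    memset(elem, value, sizeof(T));
}

// Fill `nelems` consecutive elements. The byte count is computed here, once,
// so no caller can pass an element count where memset expects bytes.
template <class T> inline void memset_elems(T *elems, int value, size_t nelems) {
    memset(elems, value, nelems * sizeof(T));
}

// The memzero shorthand suggested above, since most callers clear to zero.
template <class T> inline void memzero(T *elems, size_t nelems) {
    memset_elems(elems, 0, nelems);
}

} // namespace js

// Stand-in for a GC-traced slot array (constructed for the example; the real
// StackSpace holds jsvals, which are also wider than one byte).
typedef uint64_t FakeSlot;

// The bug the helpers prevent: clearing `n` *bytes* of an `n`-element array.
// Returns how many of the first n elements are still non-zero afterwards.
size_t rawMemsetLeftovers(size_t n) {
    FakeSlot slots[16];
    for (size_t i = 0; i < 16; i++) slots[i] = 0xdeadbeefdeadbeefULL;
    memset(slots, 0, n);   // wrong: n is an element count, not a byte count
    size_t dirty = 0;
    for (size_t i = 0; i < n; i++) if (slots[i] != 0) dirty++;
    return dirty;
}

// The same clear through memzero: every element is zeroed.
size_t memzeroLeftovers(size_t n) {
    FakeSlot slots[16];
    for (size_t i = 0; i < 16; i++) slots[i] = 0xdeadbeefdeadbeefULL;
    js::memzero(slots, n);
    size_t dirty = 0;
    for (size_t i = 0; i < n; i++) if (slots[i] != 0) dirty++;
    return dirty;
}
```

A GC tracer walking the partially cleared array would read stale slot values, which is the kind of garbage that shows up as a bogus pointer in a mark routine.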
Filed bug 551276.
Crash Signature: [@ js::StackSpace::mark]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug550665.js.
Flags: in-testsuite+