
spidermonkey: perhaps bug in jsarena.c:JS_ArenaRealloc


Jens Thiele

Apr 4, 2004, 2:39:13 PM4/4/04
I get an assertion failure at jsarena.c:274.
It seems to happen only if the realloc (in line 250) moved the memory.

realloc moved: 1
(a->base <= a->avail && a->avail <= a->limit)==false
(1010288080 <= 1010290440 && 1010290440 <= 1010290437)==false


version: 1.5rc6
build without nspr (and perhaps my build is broken)
Unfortunately it is difficult to reproduce: it happens only when I run my
program under valgrind, and I get neither a working core dump nor a working
debugger attach.
I tried to get a backtrace anyway and made some changes to jsarena.c for
debugging (see below).

perhaps useless backtrace:

Obtained 24 stack frames.
./egaserver [0x806cbfe]
./egaserver(JS_ArenaRealloc+0x329) [0x806cfc6]
./egaserver [0x80ba302]
./egaserver [0x80ba6a5]
./egaserver(js_QuoteString+0x67) [0x80ba86a]
./egaserver(js_ValueToSource+0x3a) [0x80e3fb2]
./egaserver(js_obj_toSource+0x5f4) [0x80b0ff0]
./egaserver(js_Invoke+0xbae) [0x809a1d5]
./egaserver(js_InternalInvoke+0x117) [0x809a5e8]
./egaserver(js_TryMethod+0x9a) [0x80b8753]
./egaserver(js_ValueToSource+0xf2) [0x80e406a]
./egaserver(js_obj_toSource+0x5f4) [0x80b0ff0]
./egaserver(js_Invoke+0xbae) [0x809a1d5]
./egaserver(js_Interpret+0xba6b) [0x80a68c7]
./egaserver(js_Invoke+0xc22) [0x809a249]
./egaserver(js_Interpret+0xba6b) [0x80a68c7]
./egaserver(js_Execute+0x29c) [0x809aa80]
./egaserver(JS_EvaluateUCScriptForPrincipals+0x89) [0x806b9a6]
./egaserver(JS_EvaluateUCScript+0x4f) [0x806b917]
./egaserver(JS_EvaluateScript+0x72) [0x806b807]
./egaserver(_ZN10ECMAScript4evalERSiPKc+0xa7) [0x805dd37]
./egaserver(main+0xd82) [0x805a7d2]
/lib/libc.so.6(__libc_start_main+0xc6) [0x3c16fdc6]
./egaserver(_Znwj+0x55) [0x80575e1]


the changes i made for debugging:
--- /home/jens/down/js/mozilla/js/src/jsarena.c 2003-11-15
01:10:56.000000000 +0100
+++ ../spidermonkey-1.5rc6/src/jsarena.c 2004-04-04 20:31:35.000000000 +0200
@@ -221,11 +221,36 @@
return p;
}

+
+static
+void
+my_backtrace()
+{
+#define MAXSTACK 200
+ void *array[MAXSTACK];
+ size_t size;
+ char **strings;
+ size_t i;
+
+ size = backtrace (array, MAXSTACK);
+ strings = backtrace_symbols (array, size);
+
+ printf("Obtained %u stack frames.\n",size);
+
+ for (i = 0; i < size; i++)
+ printf("%s\n",strings[i]);
+
+ free (strings);
+#undef MAXSTACK
+}
+
+
JS_PUBLIC_API(void *)
JS_ArenaRealloc(JSArenaPool *pool, void *p, size_t size, size_t incr)
{
JSArena **ap, *a, *b;
jsuword boff, aoff, extra, hdrsz, gross;
+ int moved=0;

/*
* Use the oversized-single-allocation header to avoid searching
for ap.
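Review bot: `printf("Obtained %u stack frames.\n",size);` in my_backtrace passes a `size_t` to `%u`, which is undefined behavior and misprints on LP64 targets; use `printf("Obtained %zu stack frames.\n", size);` or, for a C89 build, cast to `unsigned long` with `%lu`. `backtrace_symbols()` returns NULL when its internal allocation fails, so the print loop should be preceded by `if (!strings) return;`. The helper also depends on `<execinfo.h>`, which is not visible in this hunk, and the `int moved=0;` added to JS_ArenaRealloc belongs to a function whose body continues past the hunk. As debugging scaffolding for a bug report this is fine, but none of it should land in jsarena.c as a fix.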
@@ -266,12 +291,22 @@

/* Now update *ap, the next link of the arena before a. */
*ap = a;
+ moved=1;
}

a->base = ((jsuword)a + hdrsz) & ~HEADER_BASE_MASK(pool);
a->limit = (jsuword)a + gross;
a->avail = JS_ARENA_ALIGN(pool, a->base + aoff);
- JS_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+ // JS_ASSERT(a->base <= a->avail && a->avail <= a->limit);
+ if (!(a->base <= a->avail && a->avail <= a->limit)) {
+ printf("realloc moved: %u",moved);
+ printf("(a->base <= a->avail && a->avail <= a->limit)==false\n");
+ printf("(%u <= %u && %u <=
%u)==false\n",a->base,a->avail,a->avail,a->limit);
+
+ my_backtrace();
+ char *segfault=0x0;
+ *segfault='K';
+ }

/* Check whether realloc aligned differently, and copy if necessary. */
if (boff != JS_UPTRDIFF(a->base, a))
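Review bot: The replacement for the assertion ends in a deliberate null store, `char *segfault=0x0; *segfault='K';`, which is undefined behavior the optimizer is free to drop, and the declaration after statements is not valid in the C89 dialect this file uses; `abort();` is the right call here, it is what `JS_Assert` already does and it is what produced the usable core dump later in the thread. The `printf("(%u <= %u && %u <= %u)==false\n", ...)` line hands `jsuword` values to `%u`, so cast them to `unsigned long` and print with `%lu` (the preceding `printf("realloc moved: %u",moved);` also lacks a trailing `\n`). Commenting out `JS_ASSERT` removes the check from every other debug build; keep the assertion and place the diagnostics before it. The values captured in gdb (`limit` = a + gross, `avail` = JS_ARENA_ALIGN(base + aoff) landing 3 bytes past `limit`) suggest the root cause is in how `gross` is sized before the realloc, outside this hunk, rather than in the moved/unmoved distinction the patch tracks. JS_ArenaRealloc continues past the end of the hunk.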

Jens Thiele

Apr 5, 2004, 8:58:56 AM4/5/04
with efence i now got a working core dump:
(again using the modified jsarena.c version:)

(gdb) bt
#0 0x0806cfb0 in JS_ArenaRealloc (pool=0x402adef8, p=0x412b4bf8,
size=2, incr=2352) at jsarena.c:308
308 *segfault='K';
(gdb) i s
#0 0x0806cfb0 in JS_ArenaRealloc (pool=0x402adef8, p=0x412b4bf8,
size=2, incr=2352) at jsarena.c:308
#1 0x080ba2d6 in SprintAlloc (sp=0xbfffe4a0, nb=2352) at jsopcode.c:321
#2 0x080ba679 in QuoteString (sp=0xbfffe4a0, str=0x402b74b0, quote=34)
at jsopcode.c:412
#3 0x080ba83e in js_QuoteString (cx=0x402adebc, str=0x402b74b0,
quote=34) at jsopcode.c:450
#4 0x080e3f86 in js_ValueToSource (cx=0x402adebc, v=1076589748) at
jsstr.c:2676
#5 0x080b0fc4 in js_obj_toSource (cx=0x402adebc, obj=0x402b7270,
argc=0, argv=0x411973a4, rval=0xbfffe700) at jsobj.c:781
#6 0x0809a1a9 in js_Invoke (cx=0x402adebc, argc=0, flags=2) at
jsinterp.c:941
#7 0x0809a5bc in js_InternalInvoke (cx=0x402adebc, obj=0x402b7270,
fval=1076584360, flags=0, argc=0, argv=0x0,
rval=0xbfffe894) at jsinterp.c:1035
#8 0x080b8727 in js_TryMethod (cx=0x402adebc, obj=0x402b7270,
atom=0x40361fe8, argc=0, argv=0x0, rval=0xbfffe894)
at jsobj.c:3519
#9 0x080e403e in js_ValueToSource (cx=0x402adebc, v=1076589168) at
jsstr.c:2686
#10 0x080b0fc4 in js_obj_toSource (cx=0x402adebc, obj=0x402b7268,
argc=0, argv=0x41197388, rval=0xbfffea70) at jsobj.c:781
#11 0x0809a1a9 in js_Invoke (cx=0x402adebc, argc=0, flags=0) at
jsinterp.c:941
#12 0x080a689b in js_Interpret (cx=0x402adebc, result=0xbfffef7c) at
jsinterp.c:2962
#13 0x0809a21d in js_Invoke (cx=0x402adebc, argc=1, flags=0) at
jsinterp.c:958
#14 0x080a689b in js_Interpret (cx=0x402adebc, result=0xbffff5a8) at
jsinterp.c:2962
#15 0x0809aa54 in js_Execute (cx=0x402adebc, chain=0x402b5f48,
script=0x411c0c24, down=0x0, special=0, result=0xbffff5a8)
at jsinterp.c:1155
#16 0x0806b986 in JS_EvaluateUCScriptForPrincipals (cx=0x402adebc,
obj=0x402b5f48, principals=0x0, chars=0x4110d0cc,
length=14232, filename=0x80e8319 "stdin", lineno=1, rval=0xbffff5a8)
at jsapi.c:3530
#17 0x0806b8f7 in JS_EvaluateUCScript (cx=0x402adebc, obj=0x402b5f48,
chars=0x4110d0cc, length=14232,
filename=0x80e8319 "stdin", lineno=1, rval=0xbffff5a8) at jsapi.c:3511
#18 0x0806b7e7 in JS_EvaluateScript (cx=0x402adebc, obj=0x402b5f48,
bytes=0x40dd001c "// networked pong
clone\n\nframes=1024;\nspriteSize=new
V2D(100,100);\nsx=1024;\nsy=768;\nrackets=[];\n\nEGachine.addResource(\"racket\",
'\\\niVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAAAmJLR0QA/4ePzL8AAAAJc"...,

length=14232, filename=0x80e8319 "stdin", lineno=1, rval=0xbffff5a8)
at jsapi.c:3479
#19 0x0805dd17 in ECMAScript::eval(std::istream&, char const*)
(in=@0x81001a0, resname=0x0) at basic_string.h:717
#20 0x0805a8b5 in main (argc=1, argv=0xbffffb44) at server/server.cpp:358

some more info:
(gdb) print *a
$2 = {next = 0x0, base = 1093347016, limit = 1093349373, avail = 1093349376}
(gdb) print ap
$3 = (JSArena **) 0x402adef8
(gdb) print a
$4 = (JSArena *) 0x412b26ac
(gdb) print b
$5 = (JSArena *) 0x0
(gdb) print boff
$6 = 16
(gdb) print aoff
$7 = 2354
(gdb) print extra
$8 = 8
(gdb) print hdrsz
$9 = 31
(gdb) print gross
$10 = 2385
(gdb) print size
$12 = 2
(gdb) print *pool
$13 = {first = {next = 0x412b26ac, base = 1076551432, limit =
1076551432, avail = 1076551432}, current = 0x412b26ac,
arenasize = 1024, mask = 7}


hope this helps
karme

Jens Thiele

Apr 5, 2004, 10:24:05 AM4/5/04
getting towards a testcase:

/*
test case

1) compile spidermonkey with -DDEBUG
2) run the program under valgrind, or link it against efence, so that the
realloc in jsarena.c:250 moves the memory block

*/
#include <jsapi.h>
#include <string.h>

/*
 * Native function the reproducer script calls as foo(x.toSource()).
 * It exists only so that the call resolves; the arguments are ignored and
 * the call always succeeds.
 */
JSBool
foo(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
{
    (void)cx;
    (void)obj;
    (void)argc;
    (void)argv;
    (void)rval;
    return JS_TRUE;
}

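/*
 * Reproducer driver: create a runtime, context and global object, define the
 * native `foo`, then evaluate a script that calls toSource() on a string of
 * roughly 2000 characters and passes the result to foo().  The toSource path
 * grows a Sprinter arena through JS_ArenaRealloc; on a -DDEBUG build where
 * realloc() moves the block (valgrind, efence) the assertion in jsarena.c
 * fires before this function returns.
 *
 * Returns 0 when setup and evaluation succeed, 1 otherwise.  Every exit path
 * runs through the cleanup labels so the context and runtime are destroyed
 * and JS_ShutDown() is called even when an early step fails.
 */
int
main(int argc, char** argv)
{
    JSRuntime *rt = NULL;
    JSContext *cx = NULL;
    JSObject *glob = NULL;
    jsval rval;
    int status = 1;
    JSClass global_class = {
        "global",0,
        JS_PropertyStub,JS_PropertyStub,JS_PropertyStub,JS_PropertyStub,
        JS_EnumerateStub,JS_ResolveStub,JS_ConvertStub,JS_FinalizeStub,
        0,0,0,0,0,0,0,0
    };
    /*
     * The script source is one literal; it is written as adjacent string
     * literals only so the line stays readable.  The length of the dashed
     * string is what makes the Sprinter arena grow past its first chunk.
     */
    static const char script[] =
        "x='------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------"
        "------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------"
        "--------------------------------';foo(x.toSource());";

    (void)argc;
    (void)argv;

    rt = JS_NewRuntime(8L * 1024L * 1024L);
    if (!rt)
        goto out;
    /* Second argument is the stack chunk size; kept as in the original. */
    cx = JS_NewContext(rt, 2<<13);
    if (!cx)
        goto out_runtime;
    glob = JS_NewObject(cx, &global_class, NULL, NULL);
    if (!glob)
        goto out_context;
    if (!JS_InitStandardClasses(cx, glob))
        goto out_context;
    /*
     * Previously unchecked: if the definition failed the script would throw
     * a ReferenceError for foo instead of exercising the arena path.
     */
    if (!JS_DefineFunction(cx, glob, "foo", foo, 1, 0))
        goto out_context;

    /* On an affected DEBUG build the assertion aborts inside this call. */
    if (JS_EvaluateScript(cx, glob, script, strlen(script), "script", 1, &rval))
        status = 0;

out_context:
    JS_DestroyContext(cx);
out_runtime:
    JS_DestroyRuntime(rt);
out:
    JS_ShutDown();
    return status;
}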

sample debug session:
r
[New Thread 16384 (LWP 29733)]

Program received signal SIGABRT, Aborted.
[Switching to Thread 16384 (LWP 29733)]
0x40079571 in kill () from /lib/libc.so.6
bt
#0 0x40079571 in kill () from /lib/libc.so.6
#1 0x4018b761 in pthread_kill () from /lib/libpthread.so.0
#2 0x4018ba6b in raise () from /lib/libpthread.so.0
#3 0x40079324 in raise () from /lib/libc.so.6
#4 0x4007a838 in abort () from /lib/libc.so.6
#5 0x080cc97a in JS_Assert (s=0x80d2d60 "a->base <= a->avail &&
a->avail <= a->limit", file=0x80d2ca0 "jsarena.c",
ln=274) at jsutil.c:155
#6 0x08053fc8 in JS_ArenaRealloc (pool=0x401e2ef8, p=0x40a16bf8,
size=2, incr=2000) at jsarena.c:274
#7 0x080a12ea in SprintAlloc (sp=0xbffff310, nb=2000) at jsopcode.c:321
#8 0x080a168d in QuoteString (sp=0xbffff310, str=0x401ebc28, quote=34)
at jsopcode.c:412
#9 0x080a1852 in js_QuoteString (cx=0x401e2ebc, str=0x401ebc28,
quote=34) at jsopcode.c:450
#10 0x080c5276 in str_toSource (cx=0x401e2ebc, obj=0x401ebc30, argc=0,
argv=0x40a0401c, rval=0xbffff4b0) at jsstr.c:618
#11 0x080811bd in js_Invoke (cx=0x401e2ebc, argc=0, flags=0) at
jsinterp.c:941
#12 0x0808d8af in js_Interpret (cx=0x401e2ebc, result=0xbffffaa8) at
jsinterp.c:2962
#13 0x08081a68 in js_Execute (cx=0x401e2ebc, chain=0x401eaf48,
script=0x40a0cfac, down=0x0, special=0, result=0xbffffaa8)
at jsinterp.c:1155
#14 0x08052abe in JS_EvaluateUCScriptForPrincipals (cx=0x401e2ebc,
obj=0x401eaf48, principals=0x0, chars=0x409f7030,
length=2023, filename=0x80cf968 "script", lineno=1, rval=0xbffffaa8)
at jsapi.c:3530
#15 0x08052a2f in JS_EvaluateUCScript (cx=0x401e2ebc, obj=0x401eaf48,
chars=0x409f7030, length=2023,
filename=0x80cf968 "script", lineno=1, rval=0xbffffaa8) at jsapi.c:3511
#16 0x0805291f in JS_EvaluateScript (cx=0x401e2ebc, obj=0x401eaf48,
bytes=0x80cf180 "x='", '-' <repeats 197 times>...,
length=2023, filename=0x80cf968 "script", lineno=1, rval=0xbffffaa8)
at jsapi.c:3479
#17 0x0804a044 in main (argc=1, argv=0xbffffb64) at bug.c:38
up 6
#6 0x08053fc8 in JS_ArenaRealloc (pool=0x401e2ef8, p=0x40a16bf8,
size=2, incr=2000) at jsarena.c:274
274 JS_ASSERT(a->base <= a->avail && a->avail <= a->limit);
print a
$1 = (JSArena *) 0x40a1480c
print *a
$2 = {next = 0x0, base = 1084311592, limit = 1084313597, avail = 1084313600}
print pool
$3 = (JSArenaPool *) 0x401e2ef8
print p
$4 = (void *) 0x40a16bf8
print size
$5 = 2
print incr
$6 = 2000
print ap
$7 = (JSArena **) 0x401e2ef8
print *ap
$8 = (JSArena *) 0x40a1480c
print b
$9 = (JSArena *) 0x0
print boff
$10 = 16
print aoff
$11 = 2002
print extra
$12 = 8
print hdrsz
$13 = 31
up
#7 0x080a12ea in SprintAlloc (sp=0xbffff310, nb=2000) at jsopcode.c:321
321 JS_ARENA_GROW_CAST(sp->base, char *, sp->pool, sp->size, nb);
l
316 SprintAlloc(Sprinter *sp, size_t nb)
317 {
318 if (!sp->base) {
319 JS_ARENA_ALLOCATE_CAST(sp->base, char *, sp->pool, nb);
320 } else {
321 JS_ARENA_GROW_CAST(sp->base, char *, sp->pool, sp->size, nb);
322 }
323 if (!sp->base) {
324 JS_ReportOutOfMemory(sp->context);
325 return JS_FALSE;

Brendan Eich

Apr 5, 2004, 2:53:09 PM4/5/04
to Jens Thiele
Jens Thiele wrote:
> getting towards a testcase:

Thanks for the great testcase reduction and diagnostic info!

Bug filed: http://bugzilla.mozilla.org/show_bug.cgi?id=239721 -- I'll
fix ASAP.

/be
