Subj: spidermonkey: perhaps bug in jsarena.c:JS_ArenaRealloc
To: netscape.public.mozilla.jseng
From: Jens Thiele
Date: Sun Apr 04 2004 09:39 pm

I get an assertion in jsarena.c:274. It seems it only happens if the realloc moved the memory (in line 250):

realloc moved: 1 (a->base <= a->avail && a->avail <= a->limit)==false
(1010288080 <= 1010290440 && 1010290440 <= 1010290437)==false

version: 1.5rc6, build without NSPR (and perhaps my build is broken).

Unfortunately it is difficult to reproduce; it happens only when I run my prog with valgrind. Unfortunately I don't get a working core dump, nor does attaching the debugger work ....

I tried to get a backtrace anyway and did some changes to jsarena.c for debugging (see below).

Perhaps useless backtrace:

Obtained 24 stack frames.
../egaserver [0x806cbfe]
../egaserver(JS_ArenaRealloc+0x329) [0x806cfc6]
../egaserver [0x80ba302]
../egaserver [0x80ba6a5]
../egaserver(js_QuoteString+0x67) [0x80ba86a]
../egaserver(js_ValueToSource+0x3a) [0x80e3fb2]
../egaserver(js_obj_toSource+0x5f4) [0x80b0ff0]
../egaserver(js_Invoke+0xbae) [0x809a1d5]
../egaserver(js_InternalInvoke+0x117) [0x809a5e8]
../egaserver(js_TryMethod+0x9a) [0x80b8753]
../egaserver(js_ValueToSource+0xf2) [0x80e406a]
../egaserver(js_obj_toSource+0x5f4) [0x80b0ff0]
../egaserver(js_Invoke+0xbae) [0x809a1d5]
../egaserver(js_Interpret+0xba6b) [0x80a68c7]
../egaserver(js_Invoke+0xc22) [0x809a249]
../egaserver(js_Interpret+0xba6b) [0x80a68c7]
../egaserver(js_Execute+0x29c) [0x809aa80]
../egaserver(JS_EvaluateUCScriptForPrincipals+0x89) [0x806b9a6]
../egaserver(JS_EvaluateUCScript+0x4f) [0x806b917]
../egaserver(JS_EvaluateScript+0x72) [0x806b807]
../egaserver(_ZN10ECMAScript4evalERSiPKc+0xa7) [0x805dd37]
../egaserver(main+0xd82) [0x805a7d2]
/lib/libc.so.6(__libc_start_main+0xc6) [0x3c16fdc6]
../egaserver(_Znwj+0x55) [0x80575e1]

The changes I made for debugging:

--- /home/jens/down/js/mozilla/js/src/jsarena.c 2003-11-15 01:10:56.000000000 +0100
+++
../spidermonkey-1.5rc6/src/jsarena.c 2004-04-04 20:31:35.000000000 +0200 @@ -221,11 +221,36 @@ return p; } + +static +void +my_backtrace() +{ +#define MAXSTACK 200 + void *array[MAXSTACK]; + size_t size; + char **strings; + size_t i; + + size = backtrace (array, MAXSTACK); + strings = backtrace_symbols (array, size); + + printf("Obtained %u stack frames.\n",size); + + for (i = 0; i < size; i++) + printf("%s\n",strings[i]); + + free (strings); +#undef MAXSTACK +} + + JS_PUBLIC_API(void *) JS_ArenaRealloc(JSArenaPool *pool, void *p, size_t size, size_t incr) { JSArena **ap, *a, *b; jsuword boff, aoff, extra, hdrsz, gross; + int moved=0; /* * Use the oversized-single-allocation header to avoid searching for ap. @@ -266,12 +291,22 @@ /* Now update *ap, the next link of the arena before a. */ *ap = a; + moved=1; } a->base = ((jsuword)a + hdrsz) & ~HEADER_BASE_MASK(pool); a->limit = (jsuword)a + gross; a->avail = JS_ARENA_ALIGN(pool, a->base + aoff); - JS_ASSERT(a->base <= a->avail && a->avail <= a->limit); + // JS_ASSERT(a->base <= a->avail && a->avail <= a->limit); + if (!(a->base <= a->avail && a->avail <= a->limit)) { + printf("realloc moved: %u",moved); + printf("(a->base <= a->avail && a->avail <= a->limit)==false\n"); + printf("(%u <= %u && %u <= %u)==false\n",a->base,a->avail,a->avail,a->limit); + + my_backtrace(); + char *segfault=0x0; + *segfault='K'; + } /* Check whether realloc aligned differently, and copy if necessary. */ if (boff != JS_UPTRDIFF(a->base, a)) .
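Review bot: in the first hunk (@@ -221,11 +221,36 @@), my_backtrace() calls backtrace(), backtrace_symbols(), printf() and free() but the hunk adds no #include for <execinfo.h>, <stdio.h> or <stdlib.h>; in a C89 build that makes backtrace_symbols() implicitly `int`, so `strings = backtrace_symbols(...)` truncates a pointer on any platform where int is narrower than a pointer. `printf("Obtained %u stack frames.\n", size)` also passes a size_t to %u; cast to unsigned or use %zu. Because this output is emitted right before a deliberate crash, write it with fprintf(stderr, ...) or backtrace_symbols_fd(array, size, 2) rather than buffered stdout; backtrace_symbols_fd also avoids the malloc inside backtrace_symbols() at a point where the allocator's own bookkeeping is what is being questioned. The empty parameter list `my_backtrace()` should be `my_backtrace(void)` to match the rest of the file.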
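Review bot: in the second hunk (@@ -266,12 +291,22 @@), the crash trigger `char *segfault=0x0; *segfault='K';` is a declaration after statements inside the if block (not C89, which this file otherwise follows) and a null store the compiler may legitimately delete as undefined behaviour; call abort() instead, which also yields the core dump the report says could not be obtained otherwise. The three printfs go to buffered stdout and the first, `printf("realloc moved: %u",moved)`, has no trailing newline, which is why the report shows "realloc moved: 1 (a->base <= ..." run together; use fprintf(stderr, ...) with a newline so nothing is lost at the crash. `%u` with a->base, a->avail and a->limit (jsuword) should be `%lu` with an (unsigned long) cast. The print only shows the three results; also print a, hdrsz, gross and aoff, since `a->limit = (jsuword)a + gross` and `a->avail = JS_ARENA_ALIGN(pool, a->base + aoff)` are the inputs that decide whether avail can be rounded past limit. Lastly, restore the JS_ASSERT rather than leaving it as a `//` comment in a C file; keep the diagnostic block in front of it.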
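The following is an added example, not code from SpiderMonkey or from the post. It is a stand-alone model of the three assignments that the debug hunk surrounds (base from the header, limit from gross, avail from JS_ARENA_ALIGN of base + aoff), fed with constructed inputs chosen so that base, avail and limit come out equal to the three values printed in the report, together with a check helper that does what the poster's printf plus null write tries to do but survives the crash. Assumptions, since none of this is shown above: jsuword is uintptr_t, JS_ARENA_ALIGN rounds up to the pool's alignment mask, HEADER_BASE_MASK is that same mask, the pool alignment is 8, and the concrete a, hdrsz, gross and aoff are invented to reproduce the numbers. With an unaligned gross (2373) and aoff equal to the full used length (2357) the model lands avail three bytes past limit, which is the inequality the report prints; whether that is the path taken in the poster's build cannot be told from the post.

```c
/* Added example, not SpiderMonkey or the poster's code: a model of the three
 * assignments around the failing JS_ASSERT in JS_ArenaRealloc, plus a check
 * helper that fails loudly instead of writing through NULL.
 * Assumptions: jsuword is uintptr_t; JS_ARENA_ALIGN rounds up to the pool's
 * alignment mask; HEADER_BASE_MASK is that same mask. None of these macros
 * are shown in the post. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#if defined(__GLIBC__) || defined(__APPLE__)
#include <execinfo.h>
#define HAVE_BACKTRACE 1
#endif

typedef uintptr_t jsuword;              /* assumption: matches the engine's jsuword */

struct arena_view {
    jsuword base, avail, limit;
};

/* Assumed shape of JS_ARENA_ALIGN: round n up to the next multiple of mask+1. */
static jsuword align_up(jsuword n, jsuword mask)
{
    return (n + mask) & ~mask;
}

/* The three assignments from the hunk. a = (possibly moved) arena address,
 * hdrsz = header size, gross = bytes obtained from realloc, aoff = bytes in
 * use that must be preserved. */
static struct arena_view model_realloc(jsuword a, jsuword hdrsz, jsuword gross,
                                       jsuword aoff, jsuword mask)
{
    struct arena_view v;
    v.base  = (a + hdrsz) & ~mask;           /* ((jsuword)a + hdrsz) & ~HEADER_BASE_MASK */
    v.limit = a + gross;                     /* (jsuword)a + gross                        */
    v.avail = align_up(v.base + aoff, mask); /* JS_ARENA_ALIGN(pool, a->base + aoff)      */
    return v;
}

/* The invariant the JS_ASSERT at jsarena.c:274 checks. */
static int arena_invariant_ok(const struct arena_view *v)
{
    return v->base <= v->avail && v->avail <= v->limit;
}

static int model_ok(jsuword a, jsuword hdrsz, jsuword gross, jsuword aoff, jsuword mask)
{
    struct arena_view v = model_realloc(a, hdrsz, gross, aoff, mask);
    return arena_invariant_ok(&v);
}

/* Replacement for the hunk's printf + *NULL = 'K': unbuffered stderr, correct
 * format specifiers, a backtrace written straight to fd 2 (no malloc while the
 * allocator state is suspect), then abort() so a real core dump is left. */
static void arena_check_or_die(const struct arena_view *v, int moved, const char *where)
{
    if (arena_invariant_ok(v))
        return;
    fprintf(stderr, "%s: base <= avail <= limit violated (moved=%d)\n", where, moved);
    fprintf(stderr, "  base=%lu avail=%lu limit=%lu avail-limit=%ld\n",
            (unsigned long)v->base, (unsigned long)v->avail,
            (unsigned long)v->limit, (long)(v->avail - v->limit));
#ifdef HAVE_BACKTRACE
    {
        void *frames[64];
        int n = backtrace(frames, 64);
        backtrace_symbols_fd(frames, n, 2);
    }
#endif
    fflush(stderr);
    abort();
}

int main(void)
{
    const jsuword mask = 7;   /* constructed: 8-byte pool alignment */
    /* Constructed inputs reproducing the report's three numbers:
     * a = 1010288064, 16-byte header, gross = 2373 (not a multiple of 8),
     * aoff = 2357 (arena used right up to limit). */
    struct arena_view bad  = model_realloc(1010288064u, 16, 2373, 2357, mask);
    /* Same request with gross rounded up to the alignment: avail == limit. */
    struct arena_view good = model_realloc(1010288064u, 16, 2376, 2357, mask);

    printf("gross=2376 (aligned):   base=%lu avail=%lu limit=%lu ok=%d\n",
           (unsigned long)good.base, (unsigned long)good.avail,
           (unsigned long)good.limit, model_ok(1010288064u, 16, 2376, 2357, mask));
    printf("gross=2373 (unaligned): base=%lu avail=%lu limit=%lu ok=%d\n",
           (unsigned long)bad.base, (unsigned long)bad.avail,
           (unsigned long)bad.limit, model_ok(1010288064u, 16, 2373, 2357, mask));

    arena_check_or_die(&good, 1, "JS_ArenaRealloc(model, aligned gross)");   /* returns */
    arena_check_or_die(&bad, 1, "JS_ArenaRealloc(model, unaligned gross)");  /* aborts */
    return 0;
}
```

Run stand-alone, the program prints the two model results and then aborts on the second check with a backtrace on stderr and a core dump (ulimit -c permitting); that deliberate abort is the point of the helper. The verification step for the real code would be to print a, hdrsz, gross and aoff at the failing assertion and see whether the same arithmetic reproduces the printed avail and limit.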