| | <<<Back 1 day (to 2020/07/02) | Fwd 1 day (to 2020/07/04)>>> | 20200703 |
| avih | ator: i found the issue. well, at least one issue. in jsG_scanObject, when obj->type == JS_CITERATOR, you don't also test if obj->u.iter.target->gcmark != mark and just call markbject unconditionally. if an iterator is referenced more than once (apparently it happens), then before the gc de-recurse nothing happened unless they were cycles, and apparently there were not. but with the gc de-recurse, marking an object twice breaks the linked list, which ends up | 19:08.44 |
| | with objects skipped and not scanned, which end up in objects which should be marked not getting marked, and later freed incorrectly. | 19:08.44 |
| | this brings up a potential second issue, where initially js_gc does many unconditional jsG_markobject (the prototypes, the registry, and the global env). if one of those happens to be referenced more than once, then it will end up with the same issue, though so far i don't think i reproduced it. | 19:11.08 |
| | not sure if the solution is to test obj->mark != mark before each of those "top level" markings, or just move this test to jsG_markobject, and remove the test in all the other places. | 19:12.01 |
| | at the "main" bug, rather, if the iterated object is referenced more than once | 19:12.58 |
| | which is not unlikely at all | 19:13.23 |
| | actually, i don't think the "global" markings are an issue. it just inserts independent objects to the list (well, maybe except J->E and J->JE are typically the same and therefore marked twice, but as environment, and their `variables' is tested before markobject, so not really an issue either) | 20:37.24 |
| | J->E, J->GE | 20:37.41 |
| | also, i don't think stack traces would have yielded anything useful. the errors were all kinds, typically not callable things, but also segmentation faults and others. it's just random errors from use-after-free | 20:48.30 |
| | ator: patch here https://github.com/ccxvii/mujs/issues/136#issuecomment-653670307 | 20:48.34 |
| | might be worth adding assert(obj->mark != mark) at jsG_markobject | 20:51.45 |
| | though it's likely to add performance penalty. at least when compiled in mingw, this assert (i did try it) also fires when built for release | 20:52.42 |
| | and it can be pretty hot code | 20:53.08 |
| | <<<Back 1 day (to 2020/07/02) | Forward 1 day (to 2020/07/04)>>> | |
Log of #mupdf at irc.freenode.net.