Segfault on GC

[dmitris]

Getting a segmentation fault while running unit_tests.js

Array map new Array A string abcdefghilmnopqrstuvz.tainted true
Array map new Array A string 1234567890.tainted true
Array join v.tainted
[Ko] String in Object test Object.keys(obj)[1].tainted 'd' in obj String in Object tainted keys Object.keys(obj)[1].tainted
GCCalled

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000010
0x00000001000d7cc4 in js::gc::MarkGCThing (trc=, thing=Cannot access memory at address 0xffffffffffffffef
) at dominator/js/src/jsgcmark.cpp:435
435 JS_SET_TRACING_NAME(trc, name);

(gdb) bt
#0 0x00000001000d7cc4 in js::gc::MarkGCThing (trc=, thing=0x0, name=) at dominator/js/src/jsgcmark.cpp:435
#1 0x0000000100089579 in markLiveObjects (cx=0x0, theStatus=JSGC_END) at dominator/js/src/taint.cpp:261
#2 0x00000001000bef67 in MarkAndSweep (cx=, comp=, gckind=, gcTimer=@0x10400c208) at dominator/js/src/jsgc.cpp:2298
#3 0x00000001000c0901 in GCCycle (cx=, comp=, gckind=, gcTimer=@0x181e414a3) at dominator/js/src/jsgc.cpp:2653
#4 0x00000001000c0c0f in js_GC (cx=, comp=, gckind=) at dominator/js/src/jsgc.cpp:2739
#5 0x000000010007373c in js_DestroyContext (cx=0x100510148, mode=JSDCM_MAYBE_GC) at dominator/js/src/jscntxt.cpp:533
#6 0x00000001000417f5 in JS_DestroyContext (cx=0x7fff5fbff440) at dominator/js/src/jsapi.cpp:1014
#7 0x000000010000999a in DestroyContext (cx=Cannot access memory at address 0xffffffffffffffe7

) at dominator/js/src/shell/js.cpp:5215
#8 0x0000000100014158 in main (argc=Cannot access memory at address 0xffffffffffffff1b

) at dominator/js/src/shell/js.cpp:5674
(gdb)

[wisec]

Thanks Dmitri,
it seems the GC callback is no more the correct way to deal with what we want to do.
The fix is easy but nevertheless we need to find a better way to deal with GC.

[wisec]

Fixed it.
Also I hope to have solved the GC management on tainted strings.