Closed
Bug 215878
Opened 22 years ago
Closed 22 years ago
Assertion failure with JS Strict warnings enabled
Categories: Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
Target Milestone: mozilla1.5beta
People: Reporter: Matti, Assigned: brendan
Keywords: crash, js1.5
Attachments: 2 files, 2 obsolete files (7.74 KB, text/plain; 5.68 KB, patch)
confirmed from "WD" with his win2k MSVC7 build and also with my 20030811 MSVC6 debug
1) start your Mozilla win32 debug build
2) Enable JS strict warnings in edit\preferences\debug
3) load URL (http://www.plumtree.com)
4) get an assertion failure (see attachment)
Assertion failure: top != 0, at d:/moz_source/gmake/mozilla/win32_de/js/src/../../../js/src/jsopcode.c:625
Comment 1 • 22 years ago (Reporter)
Comment 2 • 22 years ago
Similar description to the recent crasher, bug 214761, "Loading page crashes
when js.options.strict is true" [@ MSVCRT.DLL ] [@ js_DecompileCode]
However, that was fixed on 2003-08-05.
Assignee: rogerl → khanson
Keywords: crash
Comment 3 • 22 years ago (Assignee)
Perhaps the reporter has not updated js/src/jsscript.c to rev 3.43? That is the
cure for the symptom reported here.
/be
*** This bug has been marked as a duplicate of 214761 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
I do have jsscript.c rev 3.43, and I see this bug. So maybe something else is
up here...
Comment 5 • 22 years ago (Reporter)
D:\moz_source\gmake>cvs status mozilla/js/src/jsscript.c
===================================================================
File: jsscript.c Status: Up-to-date
Working revision: 3.43
Repository revision: 3.43 /cvsroot/mozilla/js/src/jsscript.c,v
Sticky Tag: (none)
Sticky Date: (none)
Sticky Options: (none)
reopening, sorry if I waste your time !
This is a full clobber build with a complete checkout from yesterday
(no modified files, no conflicts during the checkout)
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 6 • 22 years ago (Assignee)
Crikey. Debugging now.
/be
Assignee: khanson → brendan
Status: REOPENED → NEW
Flags: blocking1.5b?
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
Comment 7 • 22 years ago (Assignee)
Thanks for finding this bug!
/be
Updated • 22 years ago (Assignee)
Attachment #129692 - Flags: review?(shaver)
Comment 8 • 22 years ago
Comment on attachment 129692
the fix
Do this assertion
> JS_ASSERT((unsigned) delta < (unsigned) SN_XDELTA_LIMIT);
and this clamping
>+ delta = JS_MIN(offset, SN_XDELTA_LIMIT);
combine to provide a fencepost error? If offset > SN_XDELTA_LIMIT, I would
expect us to botch the assertion.
If you've tested with a case that makes that relation true, though, then I'm
eager to learn why it's OK.
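Review bot: on the quoted "+" line, JS_MIN(offset, SN_XDELTA_LIMIT) returns SN_XDELTA_LIMIT itself for every offset at or above the limit, and that value does not satisfy the strict "<" in the quoted JS_ASSERT, so the two lines disagree by one whenever they act on the same delta. Clamp to SN_XDELTA_LIMIT - 1, or have the assertion accept "<=", depending on whether SN_XDELTA_LIMIT is meant as an exclusive bound on delta.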
Updated • 22 years ago (Assignee)
Attachment #129692 - Flags: review?(shaver)
Comment 9 • 22 years ago (Assignee)
He's still shaver-ific!
/be
Updated • 22 years ago (Assignee)
Attachment #129694 - Flags: review?(shaver)
Updated • 22 years ago (Assignee)
Attachment #129692 - Attachment is obsolete: true
Comment 10 • 22 years ago
Comment on attachment 129694
the fix, v2
Looks good. r=shaver.
Attachment #129694 - Flags: review?(shaver) → review+
Comment 11 • 22 years ago (Assignee)
Comment on attachment 129694
the fix, v2
Want this for 1.5b, for sure. Easy crash fix.
/be
Attachment #129694 - Flags: approval1.5b?
Comment 12 • 22 years ago
Comment on attachment 129694
the fix, v2
a=dveditz for drivers
Attachment #129694 - Flags: approval1.5b? → approval1.5b+
Comment 13 • 22 years ago (Assignee)
Fixed (I tightened up a cast in jsscript.c:js_GetSrcNote while I was at it).
/be
Status: NEW → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → FIXED
Comment 14 • 22 years ago
Matti and/or WD: could you report back on this when you have a
new build with this fix? Thanks -
Comment 15 • 22 years ago
tinderbox is orange following this checkin, and my debug build crashes in JS
land. here's the stack:
#0 0x42074501 in _int_free () from /lib/tls/libc.so.6
#1 0x420734d6 in free () from /lib/tls/libc.so.6
#2 0x40031940 in FreeArenaList (pool=0x84283b0, head=0x84283b0, reallyFree=1)
at /builds/moz-trunk/mozilla/js/src/jsarena.c:326
#3 0x40031a85 in JS_ArenaRelease (pool=0x84283b0, mark=0x84283c0 "`?J\b")
at /builds/moz-trunk/mozilla/js/src/jsarena.c:354
#4 0x4004854e in js_FinishCodeGenerator (cx=0x8428340, cg=0xbfffd570) at
/builds/moz-trunk/mozilla/js/src/jsemit.c:97
#5 0x4002f353 in CompileTokenStream (cx=0x8428340, obj=0x8461740, ts=0x8401060,
tempMark=0x84283c0, eofp=0x0)
at /builds/moz-trunk/mozilla/js/src/jsapi.c:2971
#6 0x4002f4f2 in JS_CompileUCScriptForPrincipals (cx=0x8428340, obj=0x8461740,
principals=0x82346c4, chars=0x84a1cc0,
length=8951, filename=0xbfffd740
"chrome://communicator/content/viewZoomOverlay.js", lineno=1)
at /builds/moz-trunk/mozilla/js/src/jsapi.c:3036
#7 0x43261b13 in nsJSContext::CompileScript(unsigned short const*, int, void*,
nsIPrincipal*, char const*, unsigned, char const*, void**) (this=0x8429f00,
aText=0x84a1cc0, aTextLength=8951, aScopeObject=0x8461740, aPrincipal=0x82346c0,
aURL=0xbfffd740 "chrome://communicator/content/viewZoomOverlay.js",
aLineNo=1, aVersion=0x400b54af "default",
aScriptObject=0x8490d40) at
/builds/moz-trunk/mozilla/dom/src/base/nsJSEnvironment.cpp:948
#8 0x4181ca96 in nsXULPrototypeScript::Compile(unsigned short const*, int,
nsIURI*, unsigned short, nsIDocument*, nsIXULPrototypeDocument*)
(this=0x8490d28, aText=0x84a1cc0, aTextLength=8951, aURI=0x8271870, aLineNo=1,
aDocument=0x82dc910,
aPrototypeDocument=0x849e060) at
/builds/moz-trunk/mozilla/content/xul/content/src/nsXULElement.cpp:5208
#9 0x417b09b3 in nsXULDocument::OnStreamComplete(nsIStreamLoader*,
nsISupports*, unsigned, unsigned, char const*) (
this=0x82dc910, aLoader=0x848c7e8, context=0x0, aStatus=0, stringLen=8951,
string=0x849f9c0 "/* -*- Mode: Java; tab-width: 2; indent-tabs-mode: nil;
c-basic-offset: 2 -*-\n\n * The contents of this file are subject to the Mozilla
Public\n * License Version 1.1 (the \"License\"); you may not use th"...)
at /builds/moz-trunk/mozilla/content/xul/document/src/nsXULDocument.cpp:3325
#10 0x40e7b239 in nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*,
unsigned) (this=0x848c7e8, request=0x848c9b0,
ctxt=0x0, aStatus=0) at
/builds/moz-trunk/mozilla/netwerk/base/src/nsStreamLoader.cpp:141
#11 0x40f244e6 in nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*,
unsigned) (this=0x848c9b0, req=0x848cc60,
ctx=0x0, status=0) at
/builds/moz-trunk/mozilla/netwerk/protocol/jar/src/nsJARChannel.cpp:677
#12 0x40e4e046 in nsInputStreamPump::OnStateStop() (this=0x848cc60)
at /builds/moz-trunk/mozilla/netwerk/base/src/nsInputStreamPump.cpp:483
#13 0x40e4da09 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)
(this=0x848cc60, stream=0x848ccbc)
at /builds/moz-trunk/mozilla/netwerk/base/src/nsInputStreamPump.cpp:324
#14 0x40aaf80d in nsInputStreamReadyEvent::EventHandler(PLEvent*)
(plevent=0x849dbec)
at /builds/moz-trunk/mozilla/xpcom/io/nsStreamUtils.cpp:116
#15 0x40ad4750 in PL_HandleEvent (self=0x849dbec) at
/builds/moz-trunk/mozilla/xpcom/threads/plevent.c:671
#16 0x40ad45f1 in PL_ProcessPendingEvents (self=0x8112d60) at
/builds/moz-trunk/mozilla/xpcom/threads/plevent.c:606
#17 0x40ad6b2a in nsEventQueueImpl::ProcessPendingEvents() (this=0x8112d18)
at /builds/moz-trunk/mozilla/xpcom/threads/nsEventQueue.cpp:391
#18 0x41bbbb34 in event_processor_callback (source=0x82c6198, condition=G_IO_IN,
data=0x8112d18)
at /builds/moz-trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#19 0x404feddf in g_vsnprintf () from /usr/lib/libglib-2.0.so.0
#20 0x404ddb35 in g_get_current_time () from /usr/lib/libglib-2.0.so.0
#21 0x404deb78 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#22 0x404dee8d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#23 0x404df58f in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#24 0x40205f5f in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#25 0x41bbc23e in nsAppShell::Run() (this=0x8191208) at
/builds/moz-trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:142
#26 0x41b63c33 in nsAppShellService::Run() (this=0x81525a8)
at /builds/moz-trunk/mozilla/xpfe/appshell/src/nsAppShellService.cpp:483
#27 0x080688c9 in main1 (argc=3, argv=0xbfffdee4, nativeApp=0x80fa6a0)
at /builds/moz-trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1290
#28 0x0806937f in main (argc=3, argv=0xbfffdee4) at
/builds/moz-trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1669
#29 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6
i'll try backing out this change to see if it resolves the problem.
Comment 16 • 22 years ago
ok, i went ahead and backed out these changes to clear the startup crash. let
me know if you need any help reproducing the problem. reopening this bug...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 17 • 22 years ago (Assignee)
I can't believe I forgot to update CG_COUNT_FINAL_SRCNOTES! This ought to fix
it, waiting for darin to confirm (many thanks to him for his help finding
this).
/be
Attachment #129694 - Attachment is obsolete: true
Comment 18 • 22 years ago
looks good. mozilla successfully generates the fastload file w/ the v3 patch :)
Comment 19 • 22 years ago (Assignee)
Fixed, for sure. I must remember to nuke my FastLoad file when testing....
/be
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → FIXED
Comment 20 • 22 years ago
Looks good.
Comment 21 • 22 years ago (Reporter)
verified fixed (1h old win2k debug build)
Thanks brendan, this is a great example that bug reporting still makes sense!
Status: RESOLVED → VERIFIED
Updated • 22 years ago
Flags: blocking1.5b?
Updated • 19 years ago
Flags: testcase-