Closed Bug 525943 Opened 15 years ago Closed 15 years ago

TM: Debug assert @ NewFinalizableGCThing for www.yahoo.com

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: luke, Unassigned)

References

Details

(Whiteboard: fixed-in-tracemonkey) 

The assert is reproducible, just go to http://www.yahoo.com and keep hitting refresh.

This is for tracemonkey tip (pulled today), built with --enable-debug --disable-optimize on Ubuntu.

Assertion failure: JS_ON_TRACE(cx), at /home/andhow/moz/safemonkey/js/src/jsgc.cpp:1514

bt:
#0  0xb7f98430 in __kernel_vsyscall ()
#1  0xb7f784b0 in raise () from /lib/tls/i686/cmov/libpthread.so.0
#2  0xb7e320a5 in JS_Assert (s=0xb7ed1b16 "JS_ON_TRACE(cx)", file=0xb7ecfc34 "/home/andhow/moz/safemonkey/js/src/jsgc.cpp", ln=1514)
    at /home/andhow/moz/safemonkey/js/src/jsutil.cpp:70
#3  0xb7d867bd in NewFinalizableGCThing (cx=0xb6a0ba00, thingKind=0) at /home/andhow/moz/safemonkey/js/src/jsgc.cpp:1514
#4  0xb7dcbc15 in js_NewGCObject (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jsgc.h:275
#5  0xb7dccfa0 in js_NewObjectWithGivenProto (cx=0xb6a0ba00, clasp=0xb7ef7ee0, proto=0x0, parent=0xa7747c20, objectSize=0)
    at /home/andhow/moz/safemonkey/js/src/jsobj.cpp:2253
#6  0xb7d7c0fd in js_GetCallObject (cx=0xb6a0ba00, fp=0xb01a225c) at /home/andhow/moz/safemonkey/js/src/jsfun.cpp:819
#7  0xb7e7111b in FlushNativeStackFrame (cx=0xb6a0ba00, callDepth=3, mp=0xaa968b20, np=0xbf8ecf30, stopFrame=0x0, ignoreSlots=0)
    at /home/andhow/moz/safemonkey/js/src/jstracer.cpp:3418
#8  0xb7e72140 in LeaveTree (state=@0xbf8ec660, lr=0xaa968acc) at /home/andhow/moz/safemonkey/js/src/jstracer.cpp:6808
#9  0xb7e723a3 in js_DeepBail (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jstracer.cpp:7803
#10 0xb7db2c88 in js_LeaveTrace (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jscntxt.h:1838
#11 0xb7db2c9f in js_GetTopStackFrame (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jscntxt.h:1869
#12 0xb7db2d11 in js_ComputeGlobalThis (cx=0xb6a0ba00, lazy=0, argv=0xbf8ec610) at /home/andhow/moz/safemonkey/js/src/jsinterp.cpp:912
#13 0xb7db3011 in js_ComputeThis (cx=0xb6a0ba00, lazy=0, argv=0xbf8ec610) at /home/andhow/moz/safemonkey/js/src/jsinterp.cpp:967
#14 0xb7d248a3 in JS_ComputeThis (cx=0xb6a0ba00, vp=0xbf8ec608) at /home/andhow/moz/safemonkey/js/src/jsapi.cpp:1832
#15 0xb7dd0bb8 in obj_toString (cx=0xb6a0ba00, argc=0, vp=0xbf8ec608) at /home/andhow/moz/safemonkey/js/src/jsobj.cpp:1066
#16 0xb434926a in ?? ()
#17 0xb7e731ac in ExecuteTree (cx=0xb6a0ba00, f=0xa6afae9c, inlineCallCount=@0xbf8f5d10, innermostNestedGuardp=0xbf8f5798)
    at /home/andhow/moz/safemonkey/js/src/jstracer.cpp:6479
#18 0xb7e7ed43 in js_MonitorLoopEdge (cx=0xb6a0ba00, inlineCallCount=@0xbf8f5d10, reason=Record_Branch)
    at /home/andhow/moz/safemonkey/js/src/jstracer.cpp:6966
#19 0xb7d8bdb8 in js_Interpret (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jsops.cpp:360
#20 0xb7db4eb7 in js_Invoke (cx=0xb6a0ba00, argc=1, vp=0xb01a2064, flags=0) at /home/andhow/moz/safemonkey/js/src/jsinterp.cpp:1383
#21 0xb7d798b7 in js_fun_apply (cx=0xb6a0ba00, argc=1, vp=0xb01a202c) at /home/andhow/moz/safemonkey/js/src/jsfun.cpp:2034
#22 0xb7da0a57 in js_Interpret (cx=0xb6a0ba00) at /home/andhow/moz/safemonkey/js/src/jsops.cpp:2275
#23 0xb7db4eb7 in js_Invoke (cx=0xb6a0ba00, argc=1, vp=0xb01a2020, flags=0) at /home/andhow/moz/safemonkey/js/src/jsinterp.cpp:1383
#24 0xb7db5649 in js_InternalInvoke (cx=0xb6a0ba00, obj=0xaa5a4ec0, fval=-1485528256, flags=0, argc=1, argv=0xa747f550, rval=0xbf8f66a0)
    at /home/andhow/moz/safemonkey/js/src/jsinterp.cpp:1438
---Type <return> to continue, or q <return> to quit---c
#25 0xb7d226e9 in JS_CallFunctionValue (cx=0xb6a0ba00, obj=0xaa5a4ec0, fval=-1485528256, argc=1, argv=0xa747f550, rval=0xbf8f66a0)
    at /home/andhow/moz/safemonkey/js/src/jsapi.cpp:5119
#26 0xb2198584 in nsJSContext::CallEventHandler (this=0xb01ff580, aTarget=0xab7f6400, aScope=0xaa5a4ec0, aHandler=0xa774a340, aargv=0xab16f2e4, 
    arv=0xbf8f67f8) at /home/andhow/moz/safemonkey/dom/base/nsJSEnvironment.cpp:2093
#27 0xb21d2207 in nsGlobalWindow::RunTimeout (this=0xab7f6400, aTimeout=0xaa9c3b40) at /home/andhow/moz/safemonkey/dom/base/nsGlobalWindow.cpp:8029
#28 0xb21d27b0 in nsGlobalWindow::TimerCallback (aTimer=0xaa9c3b80, aClosure=0xaa9c3b40)
    at /home/andhow/moz/safemonkey/dom/base/nsGlobalWindow.cpp:8363
#29 0xb7ca91be in nsTimerImpl::Fire (this=0xaa9c3b80) at /home/andhow/moz/safemonkey/xpcom/threads/nsTimerImpl.cpp:427
#30 0xb7ca93ef in nsTimerEvent::Run (this=0xab16f300) at /home/andhow/moz/safemonkey/xpcom/threads/nsTimerImpl.cpp:519
#31 0xb7ca1e6b in nsThread::ProcessNextEvent (this=0xb6acca10, mayWait=1, result=0xbf8f6990)
    at /home/andhow/moz/safemonkey/xpcom/threads/nsThread.cpp:527
#32 0xb7c27cd1 in NS_ProcessNextEvent_P (thread=0xb6acca10, mayWait=1) at nsThreadUtils.cpp:239
#33 0xb18dc702 in nsBaseAppShell::Run (this=0xb2b36240) at /home/andhow/moz/safemonkey/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#34 0xb2d4bd4d in nsAppStartup::Run (this=0xb1755070) at /home/andhow/moz/safemonkey/toolkit/components/startup/src/nsAppStartup.cpp:182
#35 0xb7f2ec06 in XRE_main (argc=1, argv=0xbf8f7054, aAppData=0xb6a06540) at /home/andhow/moz/safemonkey/toolkit/xre/nsAppRunner.cpp:3471
#36 0x08049af2 in main (argc=1, argv=0xbf8f7054) at /home/andhow/moz/safemonkey/browser/app/nsBrowserApp.cpp:156
David, I wonder whether this is the call object part of the issue we fixed last week (the call object reserve list).
(In reply to comment #1)
> David, I wonder whether this is the call object part of the issue we fixed last
> week (the call object reserve list).

I think it is. dbaron hit it over the weekend and I took a look. I think it's bogus, the assert will always fire.
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/0bbf37182480
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.