Closed Bug 569979 Opened 14 years ago Closed 14 years ago

Assertion failure building dehydra with SpiderMonkey tip

Categories

(Developer Infrastructure :: Source Code Analysis, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ehren.m, Unassigned)

References

Details

Attachments

(3 files, 1 obsolete file)

Attached file backtrace
Building dehydra against a debug build of SpiderMonkey tip (rev. 25442798da4a) causes an assertion failure:

 /home/ehren/gcc4.5/dist.4.5.0/libexec/gcc/x86_64-unknown-linux-gnu/4.5.0/cc1plus -E -quiet -v -I/home/ehren/gcc4.5/dist.4.5.0/lib/gcc/x86_64-unknown-linux-gnu/4.5.0/plugin/include -I/home/ehren/dehydra-tests/SpiderMonkey/include/js/ -I/home/ehren/dehydra-tests/SpiderMonkey/lib -I//home/ehren/local/include/js/ -D_GNU_SOURCE -DTREEHYDRA_CONVERT_JS -DXP_UNIX -DIN_GCC -DPLUGIN_NO_POISON -DHAVE_CONFIG_H -C gcc_cp_headers.h -mtune=generic -march=x86-64 -Wall -fpermissive -fshow-column -fPIC -fplugin=./gcc_dehydra.so -fplugin-arg-gcc_dehydra-=convert_tree.js -fpch-preprocess -o gcc_cp_headers.ii
Assertion failure: obj->getClass()->flags & JSCLASS_IS_GLOBAL, at ../jsobj.cpp:3410
cc1plus: internal compiler error: Aborted
Attached patch doesn't work (obsolete)
Bug 561923 breaks this. This patch fails at runtime but I think something similar is required. I'm debugging but perhaps only flag changes in global_class are needed.
Depends on: 561923
What error happens after your patch?
I get Assertion failure: !prev->isActive(), at ../jscntxt.h:1778 when running anything
This patch works before rev b15fd8b568e4 (bug 558754).

trace with this revision:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1a7742c in js_GetGCThingRuntime (thing=0xdadadada00000000) at ../jsgc.cpp:879
879         return JSGCChunkInfo::fromChunk(chunk)->runtime;
Missing separate debuginfos, use: debuginfo-install elfutils-libelf-0.145-1.fc12.x86_64 glibc-2.11.1-4.x86_64 gmp-4.3.1-5.fc12.x86_64 libgcc-4.4.3-4.fc12.x86_64 libstdc++-4.4.3-4.fc12.x86_64
(gdb) backtrace
#0  0x00007ffff1a7742c in js_GetGCThingRuntime (thing=0xdadadada00000000) at ../jsgc.cpp:879
#1  0x00007ffff1b396b1 in js_GetStringBytes (cx=0x0, str=0xdadadada00000000) at ../jsstr.cpp:3939
#2  0x00007ffff1a241e0 in JS_GetStringBytes (str=0xdadadada00000000) at ../jsapi.cpp:5115
#3  0x00007ffff1e6da0d in Require (cx=0x1a76410, obj=0x7ffff1602000, argc=1, argv=0x1a84668, rval=0x7fffffffd070) at dehydra_builtins.c:154
#4  0x00007ffff1aae2e7 in js_Invoke (cx=0x1a76410, argc=1, vp=0x1a84658, flags=2) at ../jsinterp.cpp:823
#5  0x00007ffff1a9ab78 in js_Interpret (cx=0x1a76410) at ../jsops.cpp:2219
#6  0x00007ffff1aaef90 in js_Execute (cx=0x1a76410, chain=0x7ffff1602000, script=0x1a993c0, down=0x0, flags=0, result=0x7fffffffdb10) at ../jsinterp.cpp:1073
#7  0x00007ffff1a234f0 in JS_ExecuteScript (cx=0x1a76410, obj=0x7ffff1602000, script=0x1a993c0, rval=0x7fffffffdb10) at ../jsapi.cpp:4761
#8  0x00007ffff1e6e9f2 in dehydra_loadScript (this=0x7ffff20801c0, filename=0x1ab0810 "test_sys_gcc_info.js", namespace=0x7ffff1602000) at dehydra_builtins.c:437
#9  0x00007ffff1e6ec9e in Include (cx=0x1a76410, obj=0x7ffff1602000, argc=1, argv=0x7fffffffdc38, rval=0x7fffffffdc30) at dehydra_builtins.c:472
#10 0x00007ffff1e72081 in dehydra_includeScript (this=0x7ffff20801c0, script=0x1ab0a50 "test_sys_gcc_info.js") at dehydra.c:202
#11 0x00007ffff1e6d176 in gcc_plugin_init (file=0x7fffffffe2b0 "../gcc_dehydra.so", arg=0x1a265c0 "test_sys_gcc_info.js", pass=0x7fffffffdcd0, version_string=0x1948680 "4.5.0") at dehydra_plugin.c:280
#12 0x00007ffff1e6d52d in plugin_init (plugin_info=0x19fa430, version=0x19486a0) at dehydra_plugin.c:482
#13 0x0000000000b19a9f in try_init_one_plugin (plugin=0x19fa430) at ../../gcc-4.5.0/gcc/plugin.c:574
#14 0x0000000000b19af2 in init_one_plugin (slot=0x1a26518, info=0x0) at ../../gcc-4.5.0/gcc/plugin.c:596
#15 0x0000000001302fb0 in htab_traverse_noresize (htab=0x1a26490, callback=0xb19acb <init_one_plugin>, info=0x0) at ../../gcc-4.5.0/libiberty/hashtab.c:753
#16 0x0000000000b19b65 in initialize_plugins () at ../../gcc-4.5.0/gcc/plugin.c:621
#17 0x0000000000c13cd3 in toplev_main (argc=15, argv=0x7fffffffdef8) at ../../gcc-4.5.0/gcc/toplev.c:2517
#18 0x00000000007d0320 in main (argc=15, argv=0x7fffffffdef8) at ../../gcc-4.5.0/gcc/main.c:35
Attached patch patch
It looks like we're dealing with a number of independent regressions. Changing JS_GetStringBytes to JS_GetStringBytesZ fixes the segfault in comment 4. I'll file a different bug for the !prev->isActive() assertion.
Attachment #449302 - Attachment is obsolete: true
(In reply to comment #5)
> Created an attachment (id=449668) [details]
> patch
> 
> It looks like we're dealing with a number of independent regressions. Changing
> JS_GetStringBytes to JS_GetStringBytesZ fixes the segfault in comment 4.

That does not make sense. The bad address evident in comment 4's stack trace:

#2  0x00007ffff1a241e0 in JS_GetStringBytes (str=0xdadadada00000000) at
../jsapi.cpp:5115
#3  0x00007ffff1e6da0d in Require (cx=0x1a76410, obj=0x7ffff1602000, argc=1,
argv=0x1a84668, rval=0x7fffffffd070) at dehydra_builtins.c:154

is going to crash any JS API taking a JSString *str parameter. What's more, JS_GetStringBytesZ only differs from JS_GetStringBytes in not hiding out of memory failure by returning "" in case of OOM (JS_GetStringBytes does this only due to its age -- it lacks a cx parameter and was truly infallible ~14 years ago).

It seems you passed a bad pointer into the JS engine. That could be due to a failure to use the GC exact root set management API. Maybe that bug still exists?

> I'll file a different bug for the !prev->isActive() assertion.

Cc'ing some people you should cc on that bug.

/be
Disregard comment 5... On Saturday I could've sworn that that segfault was introduced with rev. b15fd8b568e4. Not being able to reproduce it today I suspect something was insane with my build environment.

As of filing bug 570561, the only outstanding issue is bug 570546.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: Core → Firefox Build System
Product: Firefox Build System → Developer Infrastructure