Closed Bug 633752 Opened 13 years ago Closed 13 years ago

TM: Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: jandem, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:low][fixed-in-tracemonkey])

Attachments

(2 files)

Stack trace
2.66 KB, text/plain
Details
fix
2.08 KB, patch
cdleary
: review+
dmandelin
: approval2.0+
Details | Diff | Splinter Review 
---
function f(o) {
    var p = "arguments";
    for(var i=0; i<10; i++) {
        f[p];
    }
}
f({});
f({});
f({});
f({});
---
This asserts with -j -m -a:

Assertion failure: (frameobj == NULL) == (*mTypeMap == JSVAL_TYPE_NULL), at ../jstracer.cpp:3174

The patch in bug 632901 does not fix this; does not assert without -m.
Attached file Stack trace 

    
    

    
  
Also asserts with -j -m at revision bf89669b34cb, before bug 631951 landed. So this is not a regression from bug 631951.

    
    

    
  
The first bad revision is:
changeset:   55725:339457364540
user:        Bill McCloskey <wmccloskey@mozilla.com>
date:        Thu Oct 21 09:36:39 2010 -0700
summary:     Bug 580468 - Use loop profiling to decide whether to use TM or JM (second try) (r=dmandelin)

This may be a red herring though.

    
    

    
  
FWIW:

(gdb) p frameobj
$1 = (JSObject *) 0x0
(gdb) p *mTypeMap
$2 = JSVAL_TYPE_NONFUNOBJ

    
  
Keywords: regression

    
    

    
  
(In reply to comment #3)
> The first bad revision is:
> changeset:   55725:339457364540
> user:        Bill McCloskey <wmccloskey@mozilla.com>
> date:        Thu Oct 21 09:36:39 2010 -0700
> summary:     Bug 580468 - Use loop profiling to decide whether to use TM or JM
> (second try) (r=dmandelin)
> 
> This may be a red herring though.

Yeah, sounds like that changed exposed a latent bug.

    
    

    
  
OK, this *does* assert without -m (see bug 633929)

    
    

    
  
I thought NULL was a legal value for JSVAL_TYPE_NONFUNOBJ? -ing on that assumption (meaning incorrect assertion).
blocking2.0: ? → -

    
    

    
  
It's not, but it shouldn't block anyway. Looks like Another Arguments Bug, should be easy to fix.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
We're missing a deep bail by caching the result of a non-default getter. Low-risk patch.
Assignee: general → dvander
Status: NEW → ASSIGNED

        Attachment #512221 -
        Flags: review?(cdleary)

        Attachment #512221 -
        Flags: approval2.0?

        Attachment #512221 -
        Flags: review?(cdleary) → review+

        Attachment #512221 -
        Flags: approval2.0? → approval2.0+
Whiteboard: sg:low

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/34c05b9c0079
Whiteboard: sg:low → [sg:low][fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: