Closed Bug 666292 Opened 13 years ago Closed 13 years ago

"Assertion failure: pc_ >= script->code && pc_ < script->code + script->length," with trap

Categories: Core :: JavaScript Engine, defect
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
People: Reporter: gkw, Assigned: luke
Details: Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey
Attachments: 3 files
Attached file stack
function f(){
  this.zzz.zzz;
  for(let d in []);
}
dis(f)
trap(f, 18, '')
f()

asserts js debug shell on TM changeset 0428dbdf3d58 with -m, -a and -d at Assertion failure: pc_ >= script->code && pc_ < script->code + script->length,

js> function f(){
  this.zzz.zzz;
  for(let d in []);
}
js> dis(f)
flags: NULL_CLOSURE
loc     op
-----   --
main:
00000:  this
00001:  getprop "zzz"
00004:  getprop "zzz"
00007:  pop
00008:  enterblock depth 0 {d: 0}
00011:  newarray 0
00015:  endinit
00016:  iter 1
00018:  goto 27 (+9)      <-- trap goes here
00021:  trace 0
00024:  forlocal 0
00027:  moreiter
00028:  ifne 21 (-7)
00031:  enditer
00032:  leaveblock 1
00037:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline 
  1:    2     1 [   1] pcbase   offset 1
  3:    2     4 [   3] pcbase   offset 4
  5:    2     8 [   4] newline 
  6:    3    18 [  10] xdelta  
  7:    3    18 [   0] if-else  else 9 elseif 10
 10:    3    21 [   3] while    offset 7
 12:    3    24 [   3] decl     offset 2

Exception table:
kind      stack    start      end
 iter         2       21       31

js> trap(f, 18, '')
js> f()
Assertion failure: pc_ >= script->code && pc_ < script->code + script->length,
Assignee: general → luke
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   70404:bb9e5496b0ac
user:        Luke Wagner
date:        Fri May 13 08:56:26 2011 -0700
summary:     Bug 656462, part 4 - Simplify stack code, keep track of native calls, create new iterator over native/scripted callstack, make JS_SaveFrameChain fallible (r=waldo,mrbkap)
Blocks: 656462
This is what I get for making strong assertions: AutoScriptUntrapper mutates script->code (to point to an untrapped set of bytecodes) and FrameRegsIter (called inside the decompiler) observes the script and tries to assert regs.pc is in range.  I would just do some hack, but it looks like pc is actually being used and compared to stuff (even before my changes)...
This code is madness.

I'll just use pcQuadratic (this shouldn't be in a quadratic situation anyhow) which undoes (http://hg.mozilla.org/tracemonkey/diff/abd2dcd555f4/js/src/jsopcode.cpp).
Attachment #541407 - Flags: review?(jwalden+bmo)
Attachment #541407 - Flags: review?(jwalden+bmo) → review+
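
The failure mode described in the comment above, reduced to a toy C++ model as an added example (not SpiderMonkey code and not the patch that landed); `Script`, `ScopedUntrap`, `pcInRange` and the opcode bytes are hypothetical stand-ins. It shows a pc captured before the buffer swap failing the range check while the guard is live, and passing again once it is re-expressed as an offset into the installed copy.

```cpp
// Toy model only: every type, function and byte value here is a hypothetical stand-in.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Script { const uint8_t *code; size_t length; };
// The invariant from the assertion text, compared as integers so the check is
// well-defined even when pc points into a different allocation.
bool pcInRange(const Script &s, const uint8_t *pc) {
    auto p = reinterpret_cast<uintptr_t>(pc), lo = reinterpret_cast<uintptr_t>(s.code);
    return p >= lo && p < lo + s.length;
}

// RAII guard: installs a trap-free copy of the bytecode, restores the original on exit.
class ScopedUntrap {
    Script &script_;
    const uint8_t *saved_;
    std::vector<uint8_t> clean_;
  public:
    ScopedUntrap(Script &s, size_t trapOff, uint8_t origOp)
        : script_(s), saved_(s.code), clean_(s.code, s.code + s.length) {
        clean_[trapOff] = origOp;
        script_.code = clean_.data();
    }
    ~ScopedUntrap() { script_.code = saved_; }
    // Re-express a pc captured before the swap as the same offset in the copy.
    const uint8_t *rebase(const uint8_t *pc) const { return script_.code + (pc - saved_); }
};

struct Checks { bool before, rawDuring, rebasedDuring, after; };
Checks runModel() {
    std::vector<uint8_t> live(38, 0x00);        // constructed: 38 bytes, like f's script
    live[18] = 0xFF;                            // constructed trap marker at offset 18
    Script script{live.data(), live.size()};
    const uint8_t *framePc = script.code + 18;  // frame stopped at the trap
    Checks c{};
    c.before = pcInRange(script, framePc);
    {
        ScopedUntrap untrap(script, 18, 0x06);  // 0x06: constructed original opcode
        c.rawDuring = pcInRange(script, framePc);  // stale pointer into the old buffer
        c.rebasedDuring = pcInRange(script, untrap.rebase(framePc));
    }
    c.after = pcInRange(script, framePc);
    return c;
}

int main() {
    Checks c = runModel();
    return (c.before && !c.rawDuring && c.rebasedDuring && c.after) ? 0 : 1;
}
```
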
http://hg.mozilla.org/tracemonkey/rev/47c6a7fd1af5
Whiteboard: fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attached file stack
1. http://www.autoteile-immler.com/THULE%2B973%2BBackPac%2BFahrradtr%25e4ger%2Binkl.%2BMontagekit%2B973-15/a5730277_u161/

2. Either stop or continue slow script dialog.

3. Assertion failure: pc_ >= script->code && pc_ < script->code + script->length, at /work/mozilla/builds/nightly/mozilla/js/src/vm/Stack.cpp:978

Note that in Automation today's Nightly fired Assertion failure: compartment mismatched on this.

new bug?
oops, "Note that in Automation today's Nightly fired Assertion failure: compartment mismatched on this." should have read "Note that in Automation today's Nightly on Linux 64 bit fired Assertion failure: compartment mismatched on this."
Windows is showing a stack overflow at the same url with moz_free | NS_Free_P nsMemory::Free(void*) XPCJSStackFrame::~XPCJSStackFrame() XPCJSStackFrame::`vector deleting destructor'(unsigned int) + 0xe XPCJSStackFrame::Release()

I filed Bug 667915
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug666292.js.
Flags: in-testsuite+