Closed Bug 1187123 Opened 5 years ago Closed 5 years ago

Assertion failure: (l.asBits >> 47) <= JSVAL_TAG_OBJECT, at dist/include/js/Value.h

Categories: Core :: JavaScript Engine (Type: defect; Priority: Not set; Severity: critical)
Platform: x86_64, Linux
Status: RESOLVED WORKSFORME
Tracking Status: firefox42 --- affected
People: Reporter: gkw, Unassigned
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file

try {
    x = evalcx("lazy");
    for (var p in p1) {}
} catch (e) {}
try {
    x.e
} catch (e) {}
try {
    new n({})
} catch (e) {}
try {
    x.eval("t()")
} catch (e) {}

asserts js debug shell on m-c changeset eee2d49d055c with --fuzzing-safe --gc-zeal=14 --no-threads --baseline-eager at Assertion failure: (l.asBits >> 47) <= JSVAL_TAG_OBJECT, at dist/include/js/Value.h

Configure options:

AR=ar sh /home/gkwong/trees/mozilla-central/js/src/configure --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r eee2d49d055c

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fa9fe193778f
user:        Tom Tromey
date:        Fri Jul 17 07:48:00 2015 -0400
summary:     Bug 1148593 - Create async stack in callback objects. r=bz, r=fitzgen

This was tested to occur on Ubuntu 12.04.5 LTS.

Boris/Nick, is bug 1148593 a likely regressor, or did it merely expose the bug?
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(bzbarsky)
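What the assertion in the summary actually checks, as an added illustration that is not part of this bug report or of SpiderMonkey's own source: on x86_64 SpiderMonkey NaN-boxes every JS::Value into a single 64-bit word, with the type tag in the top 17 bits (shift 47) and JSVAL_TAG_OBJECT as the highest tag that exists. JSVAL_IS_OBJECT_IMPL therefore asserts that no word it is handed carries a tag above that, so a frame slot that trips it holds bits that were never a Value at all, which is why the thread treats this as a frame-tracing/GC problem rather than a type-dispatch one. The tag constants, the decoder and the sample words below are assumptions modelled on the 2015-era js/Value.h layout, not copied from the revision cited here.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 64-bit NaN-boxing layout (JSVAL_TAG_SHIFT = 47): the top 17 bits of
 * a Value are its tag, the low 47 bits the payload. The constants mirror the
 * 2015-era js/Value.h but are reproduced here as an assumption, not taken from
 * the revision in this bug. JSVAL_TAG_OBJECT is the highest legal tag, which is
 * why the engine asserts (bits >> 47) <= JSVAL_TAG_OBJECT. */
enum {
    JSVAL_TAG_SHIFT      = 47,
    JSVAL_TAG_MAX_DOUBLE = 0x1FFF0,
    JSVAL_TAG_INT32      = JSVAL_TAG_MAX_DOUBLE | 0x01,
    JSVAL_TAG_UNDEFINED  = JSVAL_TAG_MAX_DOUBLE | 0x02,
    JSVAL_TAG_BOOLEAN    = JSVAL_TAG_MAX_DOUBLE | 0x03,
    JSVAL_TAG_MAGIC      = JSVAL_TAG_MAX_DOUBLE | 0x04,
    JSVAL_TAG_STRING     = JSVAL_TAG_MAX_DOUBLE | 0x05,
    JSVAL_TAG_SYMBOL     = JSVAL_TAG_MAX_DOUBLE | 0x06,
    JSVAL_TAG_NULL       = JSVAL_TAG_MAX_DOUBLE | 0x07,
    JSVAL_TAG_OBJECT     = JSVAL_TAG_MAX_DOUBLE | 0x0C,
};
#define PAYLOAD_MASK ((1ULL << JSVAL_TAG_SHIFT) - 1)

typedef enum {
    KIND_DOUBLE, KIND_INT32, KIND_UNDEFINED, KIND_BOOLEAN, KIND_MAGIC,
    KIND_STRING, KIND_SYMBOL, KIND_NULL, KIND_OBJECT, KIND_INVALID
} value_kind;

static uint64_t tag_of(uint64_t bits) { return bits >> JSVAL_TAG_SHIFT; }

/* The check behind the assertion in this bug: a word whose top 17 bits exceed
 * the object tag cannot be any Value, so it must be stale or corrupt. */
bool tag_in_range(uint64_t bits) { return tag_of(bits) <= JSVAL_TAG_OBJECT; }

/* Illustrative decoder (not the engine's): everything at or below the double
 * tag is a double, the named tags above it are the other types, and the
 * unassigned tag slots are reported as invalid. */
value_kind classify(uint64_t bits) {
    uint64_t tag = tag_of(bits);
    if (tag <= JSVAL_TAG_MAX_DOUBLE) return KIND_DOUBLE;
    switch (tag) {
    case JSVAL_TAG_INT32:     return KIND_INT32;
    case JSVAL_TAG_UNDEFINED: return KIND_UNDEFINED;
    case JSVAL_TAG_BOOLEAN:   return KIND_BOOLEAN;
    case JSVAL_TAG_MAGIC:     return KIND_MAGIC;
    case JSVAL_TAG_STRING:    return KIND_STRING;
    case JSVAL_TAG_SYMBOL:    return KIND_SYMBOL;
    case JSVAL_TAG_NULL:      return KIND_NULL;
    case JSVAL_TAG_OBJECT:    return KIND_OBJECT;
    default:                  return KIND_INVALID;
    }
}

/* User-space pointers on x86_64 fit in 47 bits, so they never reach the tag. */
uint64_t box_object(uintptr_t ptr) {
    return ((uint64_t)JSVAL_TAG_OBJECT << JSVAL_TAG_SHIFT) | ((uint64_t)ptr & PAYLOAD_MASK);
}

uint64_t box_int32(int32_t i) {
    return ((uint64_t)JSVAL_TAG_INT32 << JSVAL_TAG_SHIFT) | (uint32_t)i;
}

/* A NaN with high mantissa bits set would land in the tag space, so NaNs are
 * canonicalised before boxing, as the real engine also does. */
uint64_t box_double(double d) {
    uint64_t bits;
    if (d != d) return 0x7FF8000000000000ULL;
    memcpy(&bits, &d, sizeof bits);
    return bits;
}

uintptr_t unbox_object(uint64_t bits) { return (uintptr_t)(bits & PAYLOAD_MASK); }
int32_t   unbox_int32(uint64_t bits)  { return (int32_t)(uint32_t)(bits & 0xFFFFFFFFu); }

int main(void) {
    /* Constructed sample words: a plausible heap pointer, an int, a double,
     * an all-ones word and a 0xe5 fill pattern standing in for stale data. */
    const struct { const char *name; uint64_t bits; } samples[] = {
        { "boxed object", box_object((uintptr_t)0x7ffff6969000ULL) },
        { "boxed int32",  box_int32(-1) },
        { "boxed double", box_double(-0.0) },
        { "all ones",     0xFFFFFFFFFFFFFFFFULL },
        { "0xe5 fill",    0xE5E5E5E5E5E5E5E5ULL },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t b = samples[i].bits;
        printf("%-13s bits=%016llx tag=%05llx assert=%s kind=%d\n",
               samples[i].name, (unsigned long long)b,
               (unsigned long long)tag_of(b),
               tag_in_range(b) ? "pass" : "FAIL", (int)classify(b));
    }
    return 0;
}
```

Note how narrow the assertion is: only words whose top 17 bits fall in 0x1FFFD..0x1FFFF trip it. The all-ones word fails, but the 0xe5 fill pattern has tag 0x1CBCB and decodes as an ordinary double without complaint, so a run in which this assert stays quiet says little about whether a traced slot really held a live Value.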
Attached file stack
(gdb) bt 5
#0  0x00000000006179c7 in _ZN2js18DispatchValueTypedI16DoMarkingFunctorIN2JS5ValueEEJRPNS_8GCMarkerEEEEDTclfp_scP8JSObjectLDn0Espcl7ForwardIT0_Efp1_EEET_RKS3_DpOSA_ () at ../../dist/include/js/Value.h:804
#1  0x000000000061a3b4 in void DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) ()
    at /home/gkwong/trees/mozilla-central/js/src/gc/Marking.cpp:674
#2  0x0000000000843552 in js::jit::BaselineFrame::trace(JSTracer*, js::jit::JitFrameIterator&) ()
    at /home/gkwong/trees/mozilla-central/js/src/jit/BaselineFrame.cpp:53
#3  0x000000000092ec43 in js::jit::MarkJitActivations(JSRuntime*, JSTracer*) ()
    at /home/gkwong/trees/mozilla-central/js/src/jit/JitFrames.cpp:1541
#4  0x00000000007fc130 in js::gc::GCRuntime::markRuntime(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime, js::gc::GCRuntime::TraceRootsOrUsedSaved) () at /home/gkwong/trees/mozilla-central/js/src/gc/RootMarking.cpp:424
(More stack frames follow...)
(gdb)
It doesn't seem like a very likely regressor to me... Although I guess the testcase does create error objects, which capture stacks, which that bug touches a little... Seems like a little bit of a stretch though.

ni? tromey to come properly figure out if this is caused or exposed here.
Flags: needinfo?(nfitzgerald) → needinfo?(ttromey)
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/8d2d0a61f5df
user:        Terrence Cole
date:        Thu Jul 09 08:45:42 2015 -0700
summary:     Bug 1181292 - Make JSPropertyDescriptor a StaticTraceable; r=efaust

I've had other bisection results leading to bug 1181292.

Maybe Terrence also might know what's going on?
Flags: needinfo?(terrence)
Given the stack, my money is on GC changes here, so terrence.
Flags: needinfo?(bzbarsky)
(In reply to Nick Fitzgerald [:fitzgen][:nf] from comment #2)
> It doesn't seem like a very likely regressor to me... Although I guess the
> testcase does create error objects, which capture stacks, which that bug
> touches a little... Seems like a little bit of a stretch though.
> 
> ni? tromey to come properly figure out if this is caused or exposed here.

The patch in question was backed out for other reasons and hasn't gone back in yet.
So if the bug is visible with any head revision, then it can't be due to that patch.
Flags: needinfo?(ttromey)
No longer blocks: 1148593
A busted Value coming out of BaselineFrame::trace. Eric, were you able to reproduce this?
Flags: needinfo?(terrence) → needinfo?(efaustbmo)
This is an automated crash issue comment:

Summary: Assertion failure: (l.asBits >> 47) <= JSVAL_TAG_OBJECT, at ../../dist/include/js/Value.h:804
Build version: mozilla-central-patch revision 80441b5a95c1
Build flags: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug
Runtime options: --no-threads --baseline-eager min.js

Testcase:

var g = newGlobal();
var N = 4;
for (var i = 0; i < N; i++) {
    var dbg = Debugger(g);
    dbg.onDebuggerStatement = function (frame) {};
    g.eval('debugger;');
    gc();
}


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000061b458 in JSVAL_IS_OBJECT_IMPL (l=...) at ../../dist/include/js/Value.h:804
#0  0x000000000061b458 in JSVAL_IS_OBJECT_IMPL (l=...) at ../../dist/include/js/Value.h:804
#1  isObject (this=0x7fffffffc0c8) at ../../dist/include/js/Value.h:1142
#2  js::TenuringTracer::traverse<JS::Value> (this=<optimized out>, valp=0x7fffffffc0c8) at js/src/gc/Marking.cpp:1874
#3  0x00000000006533b5 in DispatchToTracer<JS::Value> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>) at js/src/gc/Marking.cpp:595
#4  0x000000000086e3b2 in js::jit::BaselineFrame::trace (this=0x7fffffffc058, trc=trc@entry=0x7fffffffa990, frameIterator=...) at js/src/jit/BaselineFrame.cpp:53
#5  0x0000000000952a63 in MarkJitActivation (activations=..., trc=<optimized out>) at js/src/jit/JitFrames.cpp:1541
#6  js::jit::MarkJitActivations (rt=<optimized out>, trc=trc@entry=0x7fffffffa990) at js/src/jit/JitFrames.cpp:1576
#7  0x0000000000829350 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7ffff6937348, trc=trc@entry=0x7fffffffa990, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, rootsSource=rootsSource@entry=js::gc::GCRuntime::TraceRoots) at js/src/gc/RootMarking.cpp:430
#8  0x0000000000845054 in js::Nursery::collect (this=this@entry=0x7ffff69373a0, rt=0x7ffff6937000, reason=reason@entry=JS::gcreason::EVICT_NURSERY, pretenureGroups=pretenureGroups@entry=0x0) at js/src/gc/Nursery.cpp:453
#9  0x0000000000b2fdf5 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff6937348, reason=reason@entry=JS::gcreason::EVICT_NURSERY, pretenureGroups=pretenureGroups@entry=0x0) at js/src/jsgc.cpp:6443
#10 0x0000000000638dd8 in js::gc::GCRuntime::evictNursery (this=0x7ffff6937348, reason=JS::gcreason::EVICT_NURSERY) at js/src/gc/GCRuntime.h:610
#11 0x00000000008f2746 in js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=cx@entry=0x7ffff6906800, obs=..., observing=observing@entry=js::Debugger::Observing) at js/src/jit/BaselineDebugModeOSR.cpp:860
#12 0x0000000000672316 in js::Debugger::updateExecutionObservabilityOfFrames (cx=cx@entry=0x7ffff6906800, obs=..., observing=js::Debugger::Observing) at js/src/vm/Debugger.cpp:1993
#13 0x0000000000672524 in js::Debugger::ensureExecutionObservabilityOfFrame (cx=cx@entry=0x7ffff6906800, frame=...) at js/src/vm/Debugger.cpp:2170
#14 0x000000000069595a in js::Debugger::getScriptFrameWithIter (this=this@entry=0x7ffff6969000, cx=cx@entry=0x7ffff6906800, frame=..., maybeIter=maybeIter@entry=0x7fffffffb950, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:480
#15 0x00000000006bdf4b in getScriptFrame (vp=..., iter=..., cx=0x7ffff6906800, this=0x7ffff6969000) at js/src/vm/Debugger.h:861
#16 js::Debugger::fireDebuggerStatement (this=this@entry=0x7ffff6969000, cx=cx@entry=0x7ffff6906800, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1185
#17 0x00000000006be403 in operator() (dbg=0x7ffff6969000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:697
#18 dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda2, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda3> (fireHook=..., cx=0x7ffff6906800, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1392
#19 js::Debugger::slowPathOnDebuggerStatement (cx=cx@entry=0x7ffff6906800, frame=...) at js/src/vm/Debugger.cpp:698
#20 0x0000000000a77014 in onDebuggerStatement (frame=..., cx=0x7ffff6906800) at js/src/vm/Debugger-inl.h:50
#21 js::jit::OnDebuggerStatement (cx=0x7ffff6906800, frame=0x7fffffffc058, pc=<optimized out>, mustReturn=0x7fffffffc01c) at js/src/jit/VMFunctions.cpp:936
#22 0x00007ffff7e567ef in ?? ()
[...]
#38 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffc0c8	140737488339144
rcx	0x7ffff6ca5870	140737333844080
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa3e0	140737488331744
rsp	0x7fffffffa3c0	140737488331712
r8	0x7ffff7fe8780	140737354041216
r9	0x4156534a203d3c20	4708042038296001568
r10	0x7fffffffa180	140737488331136
r11	0x7ffff6c27ee0	140737333329632
r12	0x1b42540	28583232
r13	0x7fffffffa540	140737488332096
r14	0x7fffffffa510	140737488332048
r15	0x7fffffffa990	140737488333200
rip	0x61b458 <js::TenuringTracer::traverse<JS::Value>(JS::Value*)+136>
=> 0x61b458 <js::TenuringTracer::traverse<JS::Value>(JS::Value*)+136>:	movl   $0x324,0x0
   0x61b463 <js::TenuringTracer::traverse<JS::Value>(JS::Value*)+147>:	callq  0x4993c0 <abort()>
:decoder and I agree that we can no longer reproduce the testcases here, so resolving WFM. We can file new bugs as they appear in the future.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(efaustbmo)
Resolution: --- → WORKSFORME