Javascript Assertion failure: !cx->throwing

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Opened 13 years ago; last activity 12 years ago
Reporter: dbaron
Assignee: Unassigned
Version: Trunk
Platform: x86, Linux
Bug Flags: in-testsuite +
Attachments: 2

Description (Reporter)

13 years ago
Assertion failure: !cx->throwing, at /builds/trunk/mozilla/js/src/jsinterp.c:2112

is caused by loading the URL http://club.cdfreaks.com/showthread.php?t=160109

This is not the only URL on which I've seen this exception today.  I also saw it in some hard-to-debug google ad script.

#0  JS_Assert (s=0x1afc56 "!cx->throwing", file=0x1afe50 "/builds/trunk/mozilla/js/src/jsinterp.c", ln=2112)
    at /builds/trunk/mozilla/js/src/jsutil.c:62
#1  0x00158d19 in js_Interpret (cx=0x8796f98, pc=0x8f6ebc9 "\005\uffff", result=0xbfeeb388) at /builds/trunk/mozilla/js/src/jsinterp.c:2112
#2  0x001611a9 in js_Invoke (cx=0x8796f98, argc=3, flags=2) at /builds/trunk/mozilla/js/src/jsinterp.c:1231
#3  0x00161495 in js_InternalInvoke (cx=0x8796f98, obj=0x858f420, fval=137445800, flags=2, argc=3, argv=0x8fc9aa4, rval=0xbfeeb600)
    at /builds/trunk/mozilla/js/src/jsinterp.c:1308
#4  0x00121cd4 in JS_CallFunctionValue (cx=0x8796f98, obj=0x858f420, fval=137445800, argc=3, argv=0x8fc9aa4, rval=0xbfeeb600)
    at /builds/trunk/mozilla/js/src/jsapi.c:4157
#5  0x020e6a64 in nsJSContext::CallEventHandler (this=0x87949b8, aTarget=0x858f420, aHandler=0x83141a8, argc=3, argv=0x8fc9aa4,
    rval=0xbfeeb600) at /builds/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp:1424
#6  0x02136206 in nsJSEventListener::HandleEvent (this=0x884eca0, aEvent=0x8ecd5b0)
    at /builds/trunk/mozilla/dom/src/events/nsJSEventListener.cpp:186
#7  0x01f91fc6 in nsEventListenerManager::HandleEventSubType (this=0x8ead530, aListenerStruct=0x8f66780, aListener=0x884eca0,
    aDOMEvent=0x8ecd5b0, aCurrentTarget=0x87948f0, aSubType=8, aPhaseFlags=7)
    at /builds/trunk/mozilla/content/events/src/nsEventListenerManager.cpp:1684
#8  0x01f9409b in nsEventListenerManager::HandleEvent (this=0x8ead530, aPresContext=0x8f3e7c8, aEvent=0xbfeebbdc, aDOMEvent=0xbfeeb8d8,
    aCurrentTarget=0x87948f0, aFlags=7, aEventStatus=0xbfeebc3c)
    at /builds/trunk/mozilla/content/events/src/nsEventListenerManager.cpp:1788
#9  0x020f52de in nsGlobalWindow::HandleDOMEvent (this=0x8f62720, aPresContext=0x8f3e7c8, aEvent=0xbfeebbdc, aDOMEvent=0xbfeeb8d8,
    aFlags=7, aEventStatus=0xbfeebc3c) at /builds/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp:1547
#10 0x020f5169 in nsGlobalWindow::HandleDOMEvent (this=0x87948b8, aPresContext=0x8f3e7c8, aEvent=0xbfeebbdc, aDOMEvent=0x0, aFlags=1,
    aEventStatus=0xbfeebc3c) at /builds/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp:1438
#11 0x020e8407 in NS_ScriptErrorReporter (cx=0x8796f98, message=0x8e8e0c0 "TypeError: wo.pw has no properties", report=0x8a6f300)
    at /builds/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp:221
#12 0x0012bed4 in js_ReportErrorAgain (cx=0x8796f98, message=0x8f01350 "TypeError: wo.pw has no properties", reportp=0x8a6f300)
    at /builds/trunk/mozilla/js/src/jscntxt.c:1056
#13 0x00144ddb in js_ReportUncaughtException (cx=0x8796f98) at /builds/trunk/mozilla/js/src/jsexn.c:1154
#14 0x00121a43 in JS_EvaluateUCScriptForPrincipals (cx=0x8796f98, obj=0x858f420, principals=0x8f6393c, chars=0x8fab110, length=7,
    filename=0x8f09e40 "http://media.fastclick.net/w/pop.cgi?sid=7401&m=2&v=1.8&c=13", lineno=3, rval=0xbfeebdb4)
    at /builds/trunk/mozilla/js/src/jsapi.c:4103
#15 0x020e6f0c in nsJSContext::EvaluateString (this=0x87949b8, aScript=@0xbfeebea8, aScopeObject=0x858f420, aPrincipal=0x8f63938,
    aURL=0x8f09e40 "http://media.fastclick.net/w/pop.cgi?sid=7401&m=2&v=1.8&c=13", aLineNo=3, aVersion=0x1b1c86 "default",
    aRetValue=0x0, aIsUndefined=0xbfeebebc) at /builds/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp:1074
#16 0x02101e69 in nsGlobalWindow::RunTimeout (this=0x8f62720, aTimeout=0x8f637f8)
    at /builds/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp:6234
#17 0x021021b3 in nsGlobalWindow::TimerCallback (aTimer=0x8a43448, aClosure=0x8f637f8)
    at /builds/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp:6602

In the google ad case, it looked over IRC as though some native to do with top or location failed with NS_ERROR_UNEXPECTED, but after the XPConnect exception for that result was set as pending, something failed to return false or null, to indicate a throw in progress.  How to find that bad NS_ERROR_UNEXPECTED?

/be

Comment 2

13 years ago
(In reply to comment #1)

see the testcase in bug 314401 comment 20 for another way to reproduce.

Bob, I see this assertion botch when running the testsuite from the command line, for at least this test (one other core, haven't analyzed it yet -- please confirm when you can):

js1_5/Regress/regress-234389-n.js

The JSOP_RETURN is the last opcode in the function at line 47 of that file:

  toString: function() {
    if (this.re.test(this)) {
      return "";
    }
    return this.value;
  },

The exception is an Error object reporting "too much recursion".  cx->interpLevel is 999 at the 'return this.value' statement (inlineCallCount is 0).  The stack is of course very deep, but it starts like this:

#0  JS_Assert (s=0x80f8c39 "!cx->throwing", file=0x80f82f4 "jsinterp.c",
    ln=2109) at jsutil.c:62
#1  0x0808717b in js_Interpret (cx=0x8ec29a0,
    pc=0x8ee414f "\005ða\001c\004e\t\v\uffff\uffff3a\001", result=0xbf7e70dc)
    at jsinterp.c:2109
#2  0x0808555d in js_Invoke (cx=0x8ec29a0, argc=0, flags=2) at jsinterp.c:1231
#3  0x080858ef in js_InternalInvoke (cx=0x8ec29a0, obj=0x8ec4fc0,
    fval=149703824, flags=0, argc=0, argv=0x0, rval=0xbf7e72b4)
    at jsinterp.c:1308
#4  0x080a9491 in js_TryMethod (cx=0x8ec29a0, obj=0x8ec4fc0, atom=0x8ec69a8,
    argc=0, argv=0x0, rval=0xbf7e72b4) at jsobj.c:4040
#5  0x080a7a42 in js_DefaultValue (cx=0x8ec29a0, obj=0x8ec4fc0,
    hint=JSTYPE_STRING, vp=0xbf7e72f4) at jsobj.c:3354
#6  0x080d6df0 in js_ValueToString (cx=0x8ec29a0, v=149704640) at jsstr.c:2764
#7  0x080c5fff in regexp_exec_sub (cx=0x8ec29a0, obj=0x8ec4cb0, argc=1,
    argv=0x8ef547c, test=1, rval=0xbf7e7460) at jsregexp.c:4003
#8  0x080c61cf in regexp_test (cx=0x8ec29a0, obj=0x8ec4cb0, argc=1,
    argv=0x8ef547c, rval=0xbf7e7460) at jsregexp.c:4033
#9  0x080854e5 in js_Invoke (cx=0x8ec29a0, argc=1, flags=0) at jsinterp.c:1211
#10 0x08093522 in js_Interpret (cx=0x8ec29a0, pc=0x8ee4141 ":",
    result=0xbf7e7a9c) at jsinterp.c:3756

By inspection, regexp_exec_sub has a bug: it fails to set ok = JS_FALSE after js_ValueToString failure.  Patch in a few minutes.

Shaver: I suspect this is not the last such bad path, in SpiderMonkey or in the rest of Firefox.  Maybe we should use #if defined DEBUG_shaver || defined DEBUG_brendan || defined DEBUG_mrbkap || defined DEBUG_timeless around the recently added assertion?

/be
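
Added example, not part of the bug thread and not SpiderMonkey source: a toy C model of the failure path described in the comment above, where a native gets NULL from a fallible helper that has already set a pending exception but still reports success to its caller. All names (`Ctx`, `value_to_string`, `native_test_buggy`, `native_test_fixed`, `call_and_check`, `MAX_DEPTH`) are hypothetical; `call_and_check` plays the role of the `!cx->throwing` assertion.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not SpiderMonkey source: all names here are hypothetical. */
typedef struct {
    bool throwing; /* plays the role of cx->throwing */
    int depth;     /* current recursion depth */
} Ctx;
enum { MAX_DEPTH = 3 };

/* Fallible helper: on failure it sets the pending exception, returns NULL. */
static const char *value_to_string(Ctx *cx, const char *v) {
    if (cx->depth >= MAX_DEPTH) {
        cx->throwing = true; /* models "too much recursion" being thrown */
        return NULL;
    }
    return v;
}

/* Buggy native: skips its work on NULL but still reports success. */
static bool native_test_buggy(Ctx *cx, const char *arg, bool *rval) {
    bool ok = true;
    const char *str = value_to_string(cx, arg);
    if (str)
        *rval = strlen(str) > 0;
    return ok; /* BUG: ok was never cleared on the failure path */
}

/* Fixed native: the helper's failure is propagated to the caller. */
static bool native_test_fixed(Ctx *cx, const char *arg, bool *rval) {
    const char *str = value_to_string(cx, arg);
    if (!str)
        return false;
    *rval = strlen(str) > 0;
    return true;
}

typedef bool (*Native)(Ctx *, const char *, bool *);
/* Caller-side invariant: 0 = clean success, 1 = failure was propagated,
 * -1 = success reported while an exception is pending (the assertion case). */
static int call_and_check(Native fn, int depth, const char *arg) {
    Ctx cx = { false, depth };
    bool rval = false;
    if (!fn(&cx, arg, &rval))
        return 1;
    return cx.throwing ? -1 : 0;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", call_and_check(native_test_buggy, MAX_DEPTH, "abc"),
           call_and_check(native_test_fixed, MAX_DEPTH, "abc"));
    return 0;
}
```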

Created attachment 206875
fix

This bug may collect other such fixes.  If anyone would rather it be a metabug blocked by separate bugs awaiting fixes such as this, that's ok with me, but I'm a lazy bastard.

/be
Attachment #206875 - Flags: review?(mrbkap)

Comment 5

13 years ago
(In reply to comment #3)

without the patch in this bug js1_5/Regress/regress-234389-n.js and js1_5/Regress/regress-314401.js do not kick off the msvc debugger on windows for me when run in the shell but both hit the assertion when run in the browser. I'll try with the patch next.

Comment 6

13 years ago
(In reply to comment #4)
I applied this patch and did a make clean && make in obj-dbg/js and still see the assertion when running in the browser.

Updated

13 years ago
Attachment #206875 - Flags: review?(mrbkap) → review+

(In reply to comment #6)
> (In reply to comment #4)
> I applied this patch and did a make clean && make in obj-dbg/js and still see
> the assertion when running in the browser.

Bob, can you poke around and show the value of *fp from which the JSOP_RETURN (or possibly JSOP_RETRVAL) is coming when the assertion botches?  You'll need to go up to the js_Interpret frame nearest the top of stack (the one that calls JS_Assert). That *fp should have a non-null fun member.  Casting

*(JSString*)((long)fp->fun->atom->entry.key - 4)

should show you the name of the function, if fp->fun->atom is non-null.

Also, *fp->down->script will show the filename and starting lineno of the caller (not the line of the call).

I just checked in attachment 206875.  So that particular bug, which produced the symptom this bug reports, is fixed.  Time for separate blocking bugs depending on this one?

/be
Summary: Javscript Assertion failure: !cx->throwing → Javascript Assertion failure: !cx->throwing

Comment 8

13 years ago
(In reply to comment #7)

using js1_5/Regress/regress-234389-n.js

-	*fp	{...}
+	callobj	0x00000000
+	argsobj	0x00000000
+	varobj	0x00000000
+	script	0x03f76fb0
+	fun	0x04130720
+	thisp	0x0339c7d8
	argc	0x00000000
+	argv	0x042530ec
	rval	0x80000001
	nvars	0x00000000
+	vars	0x0425315c
+	down	0x04253058
	annotation	0x00000000
+	scopeChain	0x0339c7d8
+	pc	0x03f76fec "ð°fe"
+	sp	0x0425316c
+	spbase	0x04253168
	sharpDepth	0x00000000
+	sharpArray	0x00000000
	flags	0x00000000
+	dormantNext	0x00000000
+	xmlNamespace	0x00000000

-	*(JSString*)((long)fp->fun->atom->entry.key - 4)	{...}
	length	0x0000000b
+	chars	0x04247270 "currentFunc"

-	*fp->down->script	{...}
+	code	0x03633840 "T"
	length	0x0000006d
+	main	0x03633840 "T"
	version	0x0000
	numGlobalVars	0x0000
+	atomMap	{...}
+	filename	0x0425cbb1 "http://test.mozilla.com/tests/mozilla.org/js/js1_5/shell.js"
	lineno	0x00000056
	depth	0x00000005
+	trynotes	0x00000000
+	principals	0x033f4064
+	object	0x00000000

looking at shell.js, line 0x56 (decimal 86)

/*
 * Report a failure in the 'accepted' manner
 */
function reportFailure (msg)
line 86->{
    var lines = msg.split ("\n");
    var l;
    var funcName = currentFunc();
    var prefix = (funcName) ? "[reported from " + funcName + "] ": "";


Created attachment 206897
macro-ize useful yet troublesome assertion

I am checking this in now.  Bob, timeless, anyone: feel free to add your DEBUG_<user> tests to the #if.

/be

Updated

13 years ago
Depends on: 321592

Comment 10

13 years ago
in the browser:

js1_5/Regress/regress-234389-n.js

Top of the stack:

js_Interpret(JSContext * 0x03c78558, unsigned char * 0x03f55254, long * 0x0012eeac) line 2134 + 37 bytes
js_Invoke(JSContext * 0x03c78558, unsigned int 0x00000003, unsigned int 0x00000002) line 1253 + 19 bytes
js_InternalInvoke(JSContext * 0x03c78558, JSObject * 0x03478180, long 0x03e25710, unsigned int 0x00000000, unsigned int 0x00000003, long * 0x03f68054, long * 0x0012f0a4) line 1330 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03c78558, JSObject * 0x03478180, long 0x03e25710, unsigned int 0x00000003, long * 0x03f68054, long * 0x0012f0a4) line 4157 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x03478180, JSObject * 0x03e25710, unsigned int 0x00000003, long * 0x03f68054, long * 0x0012f0a4) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03f6d1f0, nsIDOMEvent * 0x03f7ddb8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03f6d880, nsIDOMEventListener * 0x03f6d1f0, nsIDOMEvent * 0x03f7ddb8, nsIDOMEventTarget * 0x03c9ed90, unsigned int 0x00000008, unsigned int 0x00000007) line 1684 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03f6d198, nsPresContext * 0x03ced488, nsEvent * 0x0012f4d4, nsIDOMEvent * * 0x0012f388, nsIDOMEventTarget * 0x03c9ed90, unsigned int 0x00000007, nsEventStatus * 0x0012f6a0) line 1791
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03ced488, nsEvent * 0x0012f4d4, nsIDOMEvent * * 0x0012f388, unsigned int 0x00000007, nsEventStatus * 0x0012f6a0) line 1548
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03ced488, nsEvent * 0x0012f4d4, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012f6a0) line 1440 + 94 bytes
NS_ScriptErrorReporter(JSContext * 0x03c78558, const char * 0x03f7dc88, JSErrorReport * 0x03f80fb0) line 224
js_ReportErrorAgain(JSContext * 0x03c78558, const char * 0x03f7dbe8, JSErrorReport * 0x03f80fb0) line 1056 + 21 bytes
js_ReportUncaughtException(JSContext * 0x03c78558) line 1154 + 17 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03c78558, JSObject * 0x03478180, JSPrincipals * 0x03421c7c, const unsigned short * 0x03f58030, unsigned int 0x0000090b, const char * 0x03f558d8, unsigned int 0x00000001, long * 0x0012f7e0) line 4103 + 37 bytes
nsJSContext::EvaluateString(const nsAString_internal & {...}, void * 0x03478180, nsIPrincipal * 0x03421c78, const char * 0x03f558d8, unsigned int 0x00000001, const char * 0x004ff844 _js_default_str, nsAString_internal * 0x00000000, int * 0x0012f844) line 1074 + 67 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03f557b0, const nsString & {...}) line 755
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03f557b0) line 653 + 22 bytes
nsScriptLoader::OnStreamComplete(nsScriptLoader * const 0x03502834, nsIStreamLoader * 0x03f64250, nsISupports * 0x03f557b0, unsigned int 0x00000000, unsigned int 0x0000090b, const unsigned char * 0x03f6dbd8) line 1018
nsStreamLoader::OnStopRequest(nsStreamLoader * const 0x03f64254, nsIRequest * 0x03f56800, nsISupports * 0x03f557b0, unsigned int 0x00000000) line 120
nsStreamListenerTee::OnStopRequest(nsStreamListenerTee * const 0x03f647a8, nsIRequest * 0x03f56800, nsISupports * 0x03f557b0, unsigned int 0x00000000) line 66
nsHttpChannel::OnStopRequest(nsHttpChannel * const 0x03f56808, nsIRequest * 0x03f64d60, nsISupports * 0x00000000, unsigned int 0x00000000) line 4094
nsInputStreamPump::OnStateStop() line 507
nsInputStreamPump::OnInputStreamReady(nsInputStreamPump * const 0x03f64d64, nsIAsyncInputStream * 0x03f64af0) line 343 + 11 bytes
nsInputStreamReadyEvent::EventHandler(PLEvent * 0x03f64dec) line 121
PL_HandleEvent(PLEvent * 0x03f64dec) line 688 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x010a7628) line 623 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x004303da, unsigned int 0x0000c149, unsigned int 0x00000000, long 0x010a7628) line 1408 + 9 bytes

-	*(JSExnPrivate*)(((JSObject*)cx->exception)->slots[3]-1)	{...}
-	errorReport	0x03f80fb0
+	filename	0x03fa2158 "http://test.mozilla.com/tests/mozilla.org/js/js1_5/Regress/regress-234389-n.js"
	lineno	0x00000030
+	linebuf	0x00000000 ""
+	tokenptr	0x00000000 ""
+	uclinebuf	0x00000000 ""
+	uctokenptr	0x00000000 ""
	flags	0x00000002
	errorNumber	0x0000001a
+	ucmessage	0x03fa21e0 "too much recursion"
+	messageArgs	0x00000000

which is the |if (this.re.test(this)) {| line again.

	cx->interpLevel	0x00000001
	inlineCallCount	0x00000002

js1_5/Regress/regress-314401.js

Top of the stack:

js_Interpret(JSContext * 0x033cb6a8, unsigned char * 0x03696164, long * 0x0012f244) line 2134 + 37 bytes
js_Invoke(JSContext * 0x033cb6a8, unsigned int 0x00000003, unsigned int 0x00000002) line 1253 + 19 bytes
js_InternalInvoke(JSContext * 0x033cb6a8, JSObject * 0x02d5fd48, long 0x02d909f0, unsigned int 0x00000000, unsigned int 0x00000003, long * 0x036aff0c, long * 0x0012f43c) line 1330 + 20 bytes
JS_CallFunctionValue(JSContext * 0x033cb6a8, JSObject * 0x02d5fd48, long 0x02d909f0, unsigned int 0x00000003, long * 0x036aff0c, long * 0x0012f43c) line 4157 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x02d5fd48, JSObject * 0x02d909f0, unsigned int 0x00000003, long * 0x036aff0c, long * 0x0012f43c) line 1424 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x0369b6a8, nsIDOMEvent * 0x036a2df0) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03699348, nsIDOMEventListener * 0x0369b6a8, nsIDOMEvent * 0x036a2df0, nsIDOMEventTarget * 0x033cb468, unsigned int 0x00000008, unsigned int 0x00000007) line 1684 + 16 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x0369b650, nsPresContext * 0x03527170, nsEvent * 0x0012f86c, nsIDOMEvent * * 0x0012f720, nsIDOMEventTarget * 0x033cb468, unsigned int 0x00000007, nsEventStatus * 0x0012fa38) line 1791
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03527170, nsEvent * 0x0012f86c, nsIDOMEvent * * 0x0012f720, unsigned int 0x00000007, nsEventStatus * 0x0012fa38) line 1548
nsGlobalWindow::HandleDOMEvent(nsPresContext * 0x03527170, nsEvent * 0x0012f86c, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012fa38) line 1440 + 94 bytes
NS_ScriptErrorReporter(JSContext * 0x033cb6a8, const char * 0x036a3390, JSErrorReport * 0x03688e68) line 224
js_ReportErrorAgain(JSContext * 0x033cb6a8, const char * 0x036a32f8, JSErrorReport * 0x03688e68) line 1056 + 21 bytes
js_ReportUncaughtException(JSContext * 0x033cb6a8) line 1154 + 17 bytes
JS_CallFunctionValue(JSContext * 0x033cb6a8, JSObject * 0x02d5fd48, long 0x02d5fe08, unsigned int 0x00000003, long * 0x036b2748, long * 0x0012fb90) line 4158 + 37 bytes
nsJSContext::CallEventHandler(JSObject * 0x02d5fd48, JSObject * 0x02d5fe08, unsigned int 0x00000003, long * 0x036b2748, long * 0x0012fb90) line 1424 + 33 bytes
nsGlobalWindow::RunTimeout(nsTimeout * 0x036b26d0) line 6247

-	*(JSString*)((long)fp->fun->atom->entry.key - 4)	{...}
	length	0x0000000b
+	chars	0x03691c78 "currentFunc"

-	*fp->down->script	{...}
+	code	0x03683cc0 "T"
	length	0x0000006d
+	main	0x03683cc0 "T"
	version	0x0000
	numGlobalVars	0x0000
+	atomMap	{...}
+	filename	0x0367b9d9 "http://test.mozilla.com/tests/mozilla.org/js/js1_5/shell.js"
	lineno	0x00000056
	depth	0x00000005
+	trynotes	0x00000000
+	principals	0x01da86a4
+	object	0x00000000

-	*(JSExnPrivate*)(((JSObject*)cx->exception)->slots[3]-1)	{...}
-	errorReport	0x03688e68
+	filename	0x00000000 ""
	lineno	0x00000000
+	linebuf	0x00000000 ""
+	tokenptr	0x00000000 ""
+	uclinebuf	0x00000000 ""
+	uctokenptr	0x00000000 ""
	flags	0x00000002
	errorNumber	0x00000092
+	ucmessage	0x03688ec0 "function eval must be called directly, and not by way of a function of another name"
+	messageArgs	0x03688f98
(Reporter)

Comment 11

12 years ago
This was fixed a while ago, no?

Comment 12

12 years ago
(In reply to comment #11)
> This was fixed a while ago, no?
> 

as far as I can tell it was just hidden from everyone but brendan, blake and shaver.
I'm calling this bug fixed (in fact, we could probably get away with enabling the assertion for everybody again).
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

12 years ago
Flags: in-testsuite+