323153 - Assertion failure: vp + 1 < end in DeutschSchorrWaite

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Bob Clary [:bc] (inactive)]

Found this in 1.8.0.1 and 1.8.1 builds on Linux Debug only on 2006-01-11.

Assertion failure: vp + 1 < end, at mozilla/js/src/jsgc.c:1428

The symptom appeared in the automated browser based JS tests as a time out on the test. Looking at the log, it was actually this assert. This has not appeared before. The last test run where I did not see this was 2006-01-06 or so. 

I am not sure this is really a regression from 1.5 since it crashed in Firefox 1.5 20051111 release on Linux. It does not crash with Firefox 1.5.0.1 on Linux. Is this something that is a result of recent checkins on the branches?

TB13865366 with Firefox 1.5 20051111 release

DeutschSchorrWaite()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1401]
MarkGCThing()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1274]
gc_root_marker()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1485]
JS_DHashTableEnumerate()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsdhash.c, line 621]
js_GC()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 1702]
js_NewGCThing()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsgc.c, line 634]
js_NewString()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsstr.c, line 2523]
JS_NewStringCopyZ()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsapi.c, line 4265]
js_QuoteString()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsopcode.c, line 455]
js_ValueToSource()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsstr.c, line 2783]
InitExceptionObject()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsexn.c, line 448]
js_ErrorToException()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsexn.c, line 1037]
ReportCompileErrorNumber()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsscan.c, line 698]
js_ReportCompileErrorNumber()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsscan.c, line 754]
Statement()  [/builds/tinderbox/Fx-Mozilla1.8/Linux_2.4.21-27.0.4.ELsmp_Depend/mozilla/js/src/jsparse.c, line 1275]
repeated Statement()...

Comment 1

[Bob Clary [:bc] (inactive)]

setting blocking 1.8.0.1 and 1.8.1 flags to get this on the radar.

Comment 2

[Brendan Eich [:brendan]]

I don't see how this is a regression since 1.5.

/be

Comment 3

[Brendan Eich [:brendan]]

Is bug 323252 a dup?

/be

Comment 4

[Daniel Veditz [:dveditz]]

No fix in sight, no clarity on whether this is or isn't a regression: pushing into the 1.8.0.2 pile to decide on because this missed the 1.8.0.1 train 

Comment 5

[Daniel Veditz [:dveditz]]

ditto for 1.8.0.2

Comment 6

[Mike Schroepfer]

Given previous comments taking this off the 1.8.1 list...

Comment 7

[Bob Clary [:bc] (inactive)]

works for me in 1.8.0, 1.8.1, 1.9 20061109 windows/linux/mac*

Comment 8

[Igor Bukanov]

Note that this must be resolved-fixed on the trunk and 1.8.1 branch as the changes from bug 324278 removed DeutschSchorrWaite code completely. On the other hand the code is on 1.8.0 branch and if it no longer crashes, then it means that something fixed it. Perhaps 1.8.0-only patch for bug 324117 did it, perhaps other GC hazards fixes. But this is not something I am going to spend time on. 

Comment 9

[Bob Clary [:bc] (inactive)]

fixed by bug 324278

Comment 10

[Bob Clary [:bc] (inactive)]

verified fixed 20061122 1.9 windows/linux