JS_ASSERT about charSet when running with WAY_TOO_MUCH_GC

Status: VERIFIED FIXED
Product / Component: Core / JavaScript Engine
Priority: --   Severity: critical
Reported: 12 years ago   Modified: 12 years ago
Reporter: dbaron, Assigned: dbaron
Tracking: verified1.8.0.4, verified1.8.1
Version: Trunk   Hardware: x86 Linux
Points: ---
Bug Flags: blocking1.8.1 +, blocking1.8.0.4 +, in-testsuite +


Attachments: 1 attachment


Description (Assignee, 12 years ago)
I'm seeing a failed JS_ASSERT:
Assertion failure: charSet->u.src.startIndex < JSSTRING_LENGTH(gData->regexp->source), at jsregexp.c:2243
when running the testcase ecma/ObjectObjects/15.2.4.2.js with WAY_TOO_MUCH_GC.  The stack is:

#2  0x00002b25bcb1327a in JS_Assert (s=Variable "s" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsutil.c:62
#3  0x00002b25bcafd357 in ProcessCharSet (gData=0x7fffffce88e0, charSet=0x619e70)
    at /home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:2242
#4  0x00002b25bcafd90e in InitMatch (cx=Variable "cx" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:3227
#5  0x00002b25bcafeee5 in js_ExecuteRegExp (cx=0x599840, re=0x619df0, str=0x59d140, indexp=0x7fffffce8a00, test=1, rval=0x7fffffce8bf0)
    at /home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:3268
#6  0x00002b25bcb102dd in match_or_replace (cx=0x599840, obj=Variable "obj" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:1245
#7  0x00002b25bcb11151 in str_replace (cx=0x599840, obj=0x59f170, argc=2, argv=0x612970, rval=0x7fffffce8bf0)
    at /home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:1678
#8  0x00002b25bcadb512 in js_Invoke (cx=0x599840, argc=2, flags=Variable "flags" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:1246
#9  0x00002b25bcac7eb3 in js_Interpret (cx=0x599840, pc=0x6029c4 ":", result=0x7fffffce9050)
    at /home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:3903
#10 0x00002b25bcadac06 in js_Execute (cx=0x599840, chain=Variable "chain" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsinterp.c:1496
#11 0x00002b25bca94680 in JS_ExecuteScript (cx=0x599840, obj=Variable "obj" is not available.
) at /home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:4029
#12 0x0000000000402deb in ProcessFile (cx=0x599840, obj=0x59cbe0, filename=Variable "filename" is not available.
)
    at /home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:595
#13 0x0000000000403283 in ProcessArgs (cx=0x599840, obj=0x59cbe0, argv=0x7fffffcea4d0, argc=6)
    at /home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:793
#14 0x0000000000403beb in main (argc=7, argv=0x7fffffcea4c8, envp=0x7fffffcea508)
    at /home/dbaron/builds/trunk/mozilla/js/src/xpconnect/shell/xpcshell.cpp:1096


Steps to reproduce:
./run-mozilla.sh -g ./xpcshell -f ../../../../mozilla/js/tests/ecma/shell.js -f ../../../../mozilla/js/tests/ecma/ObjectObjects/shell.js -f ../../../../mozilla/js/tests/ecma/ObjectObjects/15.2.4.2.js
or
../src/Linux_All_DBG.OBJ/js -f ecma/shell.js -f ecma/ObjectObjects/shell.js -f ecma/ObjectObjects/15.2.4.2.js

Comment 1 (Assignee, 12 years ago)
And I'm seeing one of the asserts a few lines below on
ecma_2/RegExp/multiline-001.js
which seems likely to be the same bug.

Comment 2 (Assignee, 12 years ago)
And I see the same assertion failure in:
ecma_2/String/match-002.js
ecma_2/String/match-003.js
and a functional test failure in:
ecma_2/String/match-001.js

Updated (Assignee, 12 years ago)
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?

Comment 3 (Assignee, 12 years ago)
mrbkap helped me find that regexp->source was what didn't make sense, and, sure enough, looking up its pointer found that it had been freed and reused.  The allocation was here:

js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:743)
js_NewString (/home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:2530)
js_NewStringCopyN (/home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:2645)
js_NewRegExpObject (/home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:4123)

and was freed here:

js_GC (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:2148)
js_NewGCThing (/home/dbaron/builds/trunk/mozilla/js/src/jsgc.c:668)
js_NewString (/home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:2530)
js_NewStringCopyN (/home/dbaron/builds/trunk/mozilla/js/src/jsstr.c:2645)
js_AtomizeString (/home/dbaron/builds/trunk/mozilla/js/src/jsatom.c:666)
js_Atomize (/home/dbaron/builds/trunk/mozilla/js/src/jsatom.c:741)
DefineProperty (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:2365)
JS_DefineProperties (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:2452)
JS_InitClass (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:2102)
js_InitRegExpClass (/home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:4093)
JS_ResolveStandardClass (/home/dbaron/builds/trunk/mozilla/js/src/jsapi.c:1423)
BackstagePass::NewResolve(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, unsigned int, JSObject**, int*) (/home/dbaron/builds/t
XPC_WN_Helper_NewResolve (/home/dbaron/builds/trunk/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1061)
js_LookupPropertyWithFlags (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2780)
js_FindConstructor (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2130)
js_GetClassPrototype (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:3926)
js_NewObject (/home/dbaron/builds/trunk/mozilla/js/src/jsobj.c:2000)
js_NewRegExpObject (/home/dbaron/builds/trunk/mozilla/js/src/jsregexp.c:4129)
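The two stacks in comment 3 describe a classic GC-rooting hazard: a string cell is handed out by js_NewGCThing, held only in a C local inside js_NewRegExpObject, and then a later allocation (js_NewObject, via class-prototype resolution) runs js_GC, which sweeps the unrooted string and recycles its cell. The toy heap below is an added illustration written for this page, not SpiderMonkey code and not the contents of attachment 216462 (the patch itself is not shown here). The pool, root stack, `Thing`/`RegExp` records and every function name are constructed stand-ins; `way_too_much_gc` models the WAY_TOO_MUCH_GC idea of collecting on every allocation, which is what turns a latent ordering bug into a deterministic failure.

```c
/* Added illustration for this page: a toy mark/sweep heap that reproduces the
 * class of bug in comment 3 (a GC thing held only in a C local is swept and
 * its cell reused when a later allocation triggers GC). It is NOT SpiderMonkey
 * code; the pool, root stack, "RegExp" record and function names are all
 * constructed stand-ins for the real jsgc.c / jsregexp.c machinery. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 8
#define DATA_SIZE 16

typedef struct {
    bool in_use;           /* allocated and not yet swept */
    bool marked;           /* reachable from a root in the current GC cycle */
    char data[DATA_SIZE];  /* payload, e.g. a regexp source string */
} Thing;

static Thing  pool[POOL_SIZE];
static Thing *roots[POOL_SIZE];   /* explicit root stack */
static size_t nroots;

/* Models WAY_TOO_MUCH_GC: when set, every allocation collects first, so an
 * unrooted pointer cannot survive even a single allocation. */
static bool way_too_much_gc = true;
static void set_way_too_much_gc(bool on) { way_too_much_gc = on; }

static void gc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].marked = false;
    for (size_t i = 0; i < nroots; i++) roots[i]->marked = true;     /* mark */
    for (size_t i = 0; i < POOL_SIZE; i++) {                          /* sweep */
        if (pool[i].in_use && !pool[i].marked) {
            pool[i].in_use = false;
            memset(pool[i].data, 0, DATA_SIZE);   /* poison the freed cell */
        }
    }
}

/* Stand-in for js_NewGCThing: may run a GC before handing out a cell. */
static Thing *new_thing(void) {
    if (way_too_much_gc) gc();
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = true; return &pool[i]; }
    return NULL;  /* toy heap exhausted */
}

/* Stand-in for js_NewStringCopyN: allocate a cell and copy the text into it. */
static Thing *new_string_copy(const char *s) {
    Thing *t = new_thing();
    if (t) { strncpy(t->data, s, DATA_SIZE - 1); t->data[DATA_SIZE - 1] = '\0'; }
    return t;
}

typedef struct { Thing *source; Thing *obj; } RegExp;

/* Does the regexp's source cell still hold the text we copied into it? */
static bool source_intact(const RegExp *re, const char *src) {
    return re->source && re->source->in_use && strcmp(re->source->data, src) == 0;
}

/* Was the source cell recycled as the object cell ("freed and reused")? */
static bool source_was_reused(const RegExp *re) {
    return re->source != NULL && re->source == re->obj;
}

/* Hazardous ordering: the fresh string lives only in a C local while the
 * second allocation runs, so a GC in between sweeps it. Returns whether the
 * source survived. */
static bool new_regexp_unrooted(const char *src, RegExp *out) {
    out->source = new_string_copy(src);
    out->obj = new_thing();        /* can GC; nothing marks out->source */
    return source_intact(out, src);
}

/* Safe ordering: keep the string on the root stack across the allocation. */
static bool new_regexp_rooted(const char *src, RegExp *out) {
    out->source = new_string_copy(src);
    if (!out->source) return false;
    roots[nroots++] = out->source; /* alive for the duration of new_thing() */
    out->obj = new_thing();
    nroots--;                      /* hand the finished regexp back to the caller */
    return out->obj && source_intact(out, src);
}

int main(void) {
    RegExp re;
    bool ok = new_regexp_unrooted("a+b", &re);
    printf("unrooted, GC on every allocation: intact=%d reused=%d\n", ok, source_was_reused(&re));
    ok = new_regexp_rooted("a+b", &re);
    printf("rooted,   GC on every allocation: intact=%d reused=%d\n", ok, source_was_reused(&re));
    set_way_too_much_gc(false);
    ok = new_regexp_unrooted("a+b", &re);
    printf("unrooted, GC off (bug latent):    intact=%d\n", ok);
    return 0;
}
```

The third run is the important one for testing: with collection off, the unrooted version appears to work, which is why this kind of defect only shows up under an always-collect build or under a debug assertion such as the one in the description. The detection check here (comparing the cell's contents after the second allocation) is the toy equivalent of the `charSet->u.src.startIndex < JSSTRING_LENGTH(...)` assertion firing on a recycled cell.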

Comment 4 (Assignee, 12 years ago)
Created attachment 216462 [details] [diff] [review]
patch

mrbkap helped me find this problem
Attachment #216462 - Flags: review?(brendan)

Comment 5 (Assignee, 12 years ago)
*** Bug 331794 has been marked as a duplicate of this bug. ***

Comment 6
Comment on attachment 216462 [details] [diff] [review]
patch

Not a char out of place! ;-)  Thanks.

/be
Attachment #216462 - Flags: review?(brendan)
Attachment #216462 - Flags: review+
Attachment #216462 - Flags: approval1.8.0.3?
Attachment #216462 - Flags: approval-branch-1.8.1+

Comment 7 (Assignee, 12 years ago)
Checked in to trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated (Assignee, 12 years ago)
Assignee: general → dbaron

Comment 8 (Assignee, 12 years ago)
Checked in to MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+


Comment 9 (12 years ago)
Needed in spidermonkey 1.6 for patch in bug 332415 to apply cleanly.
Blocks: 309169

Comment 10
Comment on attachment 216462 [details] [diff] [review]
patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216462 - Flags: approval1.8.0.3? → approval1.8.0.3+

Comment 11 (Assignee, 12 years ago)
Fix checked in to MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.3

Comment 12
dbaron, does this no longer exist? I'm not certain how to test this. If it's good for you, please verify it, thanks.


Comment 13 (12 years ago)
No JS_ASSERT in debug 1.5.0.4 WAY_TOO_MUCH_GC builds on windows/linux.
verified fixed 1.5.0.4
Keywords: fixed1.8.0.4 → verified1.8.0.4


Updated (12 years ago)
Flags: in-testsuite+


Comment 14 (12 years ago)
verified fixed 1.8, 1.9 20060807 linux.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1 → verified1.8.1