Closed
Bug 391033
Opened 17 years ago
Closed 17 years ago
"Assertion failure: (size_t)nslots >= (size_t)(fp->down->sp - vp)" with gczeal and trying to call a non-function
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: igor)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?] regression from 390078)
Attachments
(3 files, 1 obsolete file)
4.81 KB,
patch
|
brendan
:
review+
brendan
:
approval1.9+
|
Details | Diff | Splinter Review |
2.51 KB,
text/plain
|
Details | |
2.40 KB,
text/plain
|
Details |
js> gczeal(2); ({})(); Assertion failure: (size_t)nslots >= (size_t)(fp->down->sp - vp), at jsgc.c:2000
Assignee | ||
Updated•17 years ago
|
Assignee: general → igor
Assignee | ||
Comment 1•17 years ago
|
||
Here is a test case that does not use gczeal but rather invokes gc at the right place: ~/m/trunk/mozilla> js -e '({toSource: gc})()' Assertion failure: (size_t)nslots >= (size_t)(fp->down->sp - vp), at jsgc.c:2000 Trace/breakpoint trap
Assignee | ||
Comment 2•17 years ago
|
||
The bug is regression from my fix for bug 390078. The reason for it is that ReportIsNotFunction from jsobj.c removes the current frame for a native call from JS stack and put it to the dormant list. Thus the previous frame becomes the top of the stack again. When later js_Invoke is eventually called to invoke toSource on the function object, the available stack space on that frame is used for arguments and extras for the call producing a stack layout like: previousFrame.spbase ... dormantFrame.argv[-2] dormantFrame.argv[-1] toSourceFrame[-2] .. toSourceFrame[extra0] .. previousFrame.sp Thus fp->argv can be a proper subsegment of fp->down->spbase..fp->down->sp and the assert is bogus.
Blocks: 390078
Assignee | ||
Comment 3•17 years ago
|
||
Besides the fix itself the patch also changes js_TraceContext not to link the active frames to the dormant chain even temporarily. For me it simplified life when debugging.
Attachment #275472 -
Flags: review?(brendan)
Attachment #275472 -
Flags: approval1.9?
Comment 4•17 years ago
|
||
Comment on attachment 275472 [details] [diff] [review] fix v1 >@@ -1992,18 +1993,29 @@ js_TraceStackFrame(JSTracer *trc, JSStac > /* > * Avoid unnecessary tracing in the common case when args overlaps > * with the stack segment of the previous frame. That segment is > * traced via the above spbase code and, when sp > spbase + depth, > * during tracing of the stack headers in js_TraceContext. > */ > if (JS_UPTRDIFF(vp, fp->down->spbase) < > JS_UPTRDIFF(fp->down->sp, fp->down->spbase)) { >- JS_ASSERT((size_t)nslots >= (size_t)(fp->down->sp - vp)); >- nslots -= (uintN)(fp->down->sp - vp); >+ nslots -= fp->down->sp - vp; >+ if (nslots < 0) { >+ /* >+ * This is possible when, for example, ReportIsNotFunction >+ * from jsobj.c moves cx->fp to a dormant list before "moves cx->fp to cx's dormant list" or "moves cx->fp to cx->dormantFrameChain" even. >+ * calling js_ReportIsNotFunction. When the latter calls >+ * js_InternalInvoke to invoke toSource, 2 frames points "two frames point" >+ * to fp->down and fp->down->spbase..sp may contain the comma after "to fp->down" >+ * argument arrays for both. It leads to a negative nslots >+ * here for the dormant frame. >+ */ >+ nslots = 0; Is this sufficient, or could we end up overscanning a little bit? It seems more attractive to cope with the odd ReportIsNotFunction case by detecting it more directly. Or else get rid of that odd case ;-). >+ /* The top frame can not be dormant. */ "cannot" or (better) "must not". /be
Assignee | ||
Comment 5•17 years ago
|
||
The new fix removes ReportIsNotFunction and calls js_ReportIsNotFunction directly from js_Call/js_Construct. This should not affect error reporting as js_ReportIsNotFunction searches for interpreter frames on its own and calling js_Call/js_Construct is always down through a native frame. Thus removal of the top stack frame is effectively no-op from error handling point of view.
Attachment #275472 -
Attachment is obsolete: true
Attachment #275501 -
Flags: review?(brendan)
Attachment #275501 -
Flags: approval1.9?
Attachment #275472 -
Flags: review?(brendan)
Attachment #275472 -
Flags: approval1.9?
Comment 6•17 years ago
|
||
What was the original reason for ReportIsNotFunction? There must have been a case that seemed to want to hide the top frame. Ah, here's the commit info: revision 3.99 date: 2001/09/05 21:25:09; author: jband%netscape.com; state: Exp; lines: +30 -13 fix bug 97444. It is not good to patch a different fun into the frame. Let's safely shunt aside the callee frame instead. r=rogerl sr=brendan Does your patch regress bug 97444 ? /be
Assignee | ||
Comment 7•17 years ago
|
||
(In reply to comment #6) > What was the original reason for ReportIsNotFunction? There must have been a > case that seemed to want to hide the top frame. Ah, here's the commit info: > > revision 3.99 > date: 2001/09/05 21:25:09; author: jband%netscape.com; state: Exp; lines: > +30 -13 > fix bug 97444. It is not good to patch a different fun into the frame. Let's > safely shunt aside the callee frame instead. r=rogerl sr=brendan > I should remember the next time to check and comment it. > Does your patch regress bug 97444 ? No: with the invention of jSStackFrame.callee the problem described in bug 97444 comment 11 is no longer exists as the js_Call does not manipulates the callee field.
Comment 8•17 years ago
|
||
Comment on attachment 275501 [details] [diff] [review] fix v2 Great to see that code go away. /be
Attachment #275501 -
Flags: review?(brendan)
Attachment #275501 -
Flags: review+
Attachment #275501 -
Flags: approval1.9?
Attachment #275501 -
Flags: approval1.9+
Assignee | ||
Comment 9•17 years ago
|
||
I checked in the patch from comment 8 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1186812601&maxdate=1186812841&who=igor%mir2.org
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Comment 10•17 years ago
|
||
Comment 11•17 years ago
|
||
Updated•17 years ago
|
Flags: in-testsuite+
Comment 13•14 years ago
|
||
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•