Closed
Bug 414871
Opened 17 years ago
Closed 17 years ago
Startup fatal assertion when gczeal == 2
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9beta3
People
(Reporter: bzbarsky, Assigned: igor)
References
Details
(Keywords: regression)
Attachments
(1 file, 1 obsolete file)
|
3.38 KB,
patch
|
igor
:
review+
beltzner
:
approval1.9b3+
|
Details | Diff | Splinter Review |
BUILD: Current trunk Firefox
STEPS TO REPRODUCE:
1) Set javascript.options.gczeal to 2 in about:config.
2) Quit the browser
3) Try to start the browser.
EXPECTED RESULTS: Browser starts so I can debug the thing I really need to debug.
ACTUAL RESULTS:
(gdb) frame 0
#0 JS_Assert (s=0xb7ba2bc3 "thing", file=0xb7ba1e08 "../../../mozilla/js/src/jsgc.c",
ln=1902) at ../../../mozilla/js/src/jsutil.c:63
63 abort();
with this stack:
#0 JS_Assert (s=0xb7ba2bc3 "thing", file=0xb7ba1e08 "../../../mozilla/js/src/jsgc.c",
ln=1902) at ../../../mozilla/js/src/jsutil.c:63
#1 0xb7b0e298 in JS_CallTracer (trc=0xbfffdde0, thing=0x0, kind=0)
at ../../../mozilla/js/src/jsgc.c:1902
#2 0xb7b70ad8 in js_TraceScript (trc=0xbfffdde0, script=0x82ad960)
at ../../../mozilla/js/src/jsscript.c:1535
#3 0xb7b098f8 in js_TraceFunction (trc=0xbfffdde0, fun=0xb480c480)
at ../../../mozilla/js/src/jsfun.c:2017
#4 0xb7b0da98 in JS_TraceChildren (trc=0xbfffdde0, thing=0xb480c480, kind=3)
at ../../../mozilla/js/src/jsgc.c:1709
#5 0xb7b0e64d in JS_CallTracer (trc=0xbfffdde0, thing=0xb480c480, kind=3)
at ../../../mozilla/js/src/jsgc.c:1971
#6 0xb7b0f18e in TraceWeakRoots (trc=0xbfffdde0, wr=0x819638c)
at ../../../mozilla/js/src/jsgc.c:2181
#7 0xb7b0f3be in js_TraceContext (trc=0xbfffdde0, acx=0x8196310)
at ../../../mozilla/js/src/jsgc.c:2232
#8 0xb7b0f829 in js_TraceRuntime (trc=0xbfffdde0, allAtoms=1)
at ../../../mozilla/js/src/jsgc.c:2298
#9 0xb7b0fdb6 in js_GC (cx=0x8196310, gckind=GC_LAST_DITCH)
at ../../../mozilla/js/src/jsgc.c:2514
#10 0xb7b0cfe2 in js_NewGCThing (cx=0x8196310, flags=0, nbytes=32)
at ../../../mozilla/js/src/jsgc.c:1359
#11 0xb7b36c2a in js_NewObject (cx=0x8196310, clasp=0xb7bb51a0, proto=0xb480f880,
parent=0xb480f6c0) at ../../../mozilla/js/src/jsobj.c:2526
#12 0xb7acfd3d in JS_InitClass (cx=0x8196310, obj=0xb480f6c0, parent_proto=0xb480f880,
clasp=0xb7bb51a0, constructor=0, nargs=0, ps=0x0, fs=0x0, static_ps=0x0,
static_fs=0x0) at ../../../mozilla/js/src/jsapi.c:2658
#13 0xb7b362c1 in js_InitBlockClass (cx=0x8196310, obj=0xb480f6c0)
at ../../../mozilla/js/src/jsobj.c:2258
#14 0xb7b370bf in js_GetClassObject (cx=0x8196310, obj=0xb480f6c0, key=JSProto_Block,
objp=0xbfffe06c) at ../../../mozilla/js/src/jsobj.c:2697
#15 0xb7b372cf in js_FindClassObject (cx=0x8196310, start=0x0, id=61, vp=0xbfffe0b0)
at ../../../mozilla/js/src/jsobj.c:2751
#16 0xb7b3b7f7 in js_GetClassPrototype (cx=0x8196310, scope=0x0, id=61,
protop=0xbfffe0f0) at ../../../mozilla/js/src/jsobj.c:4473
#17 0xb7b3c19e in js_XDRObject (xdr=0x81f8948, objp=0x82ad9d0)
at ../../../mozilla/js/src/jsobj.c:4748
#18 0xb7b6f47a in js_XDRScript (xdr=0x81f8948, scriptp=0xb480c48c, hasMagic=0x0)
at ../../../mozilla/js/src/jsscript.c:574
#19 0xb7b07c31 in fun_xdrObject (xdr=0x81f8948, objp=0x842e470)
at ../../../mozilla/js/src/jsfun.c:1291
#20 0xb7b3c27b in js_XDRObject (xdr=0x81f8948, objp=0x842e470)
at ../../../mozilla/js/src/jsobj.c:4770
#21 0xb7b6f47a in js_XDRScript (xdr=0x81f8948, scriptp=0xbfffe4ec, hasMagic=0x0)
at ../../../mozilla/js/src/jsscript.c:574
#22 0xb7b7eb99 in JS_XDRScript (xdr=0x81f8948, scriptp=0xbfffe4ec)
at ../../../mozilla/js/src/jsxdrapi.c:690
ADDITIONAL INFORMATION:
#6 0xb7b0f18e in TraceWeakRoots (trc=0xbfffdde0, wr=0x819638c)
at ../../../mozilla/js/src/jsgc.c:2181
2181 JS_CALL_TRACER(trc, thing, i, weakRootNames[i]);
(gdb) p weakRootNames[i]
$6 = 0xb7ba300d "newborn function"
#2 0xb7b70ad8 in js_TraceScript (trc=0xbfffdde0, script=0x82ad960)
at ../../../mozilla/js/src/jsscript.c:1535
1535 JS_CallTracer(trc, objarray->vector[i], JSTRACE_OBJECT);
(gdb) p i
$21 = 1
(gdb) p *objarray
$23 = {vector = 0x82ad9d0, length = 2}
Looking at js_XDRScript, we read nobjects from the fastload file, create a new script with that much space for objects, then start fastloading the objects. Which means that some of the objects are going to be null during this process.
This looks like a regression from bug 385729.Flags: blocking1.9?
|
Assignee | |
Updated•17 years ago
|
Assignee: general → igor
|
|
Assignee | |
Comment 1•17 years ago
|
||
The fix adds temporary routing of JSScript pointer until XDR finished decoding the script.
Attachment #300512 -
Flags: review?(brendan)
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta3
|
|
||
Comment 2•17 years ago
|
||
Comment on attachment 300512 [details] [diff] [review] v1 This should go in pronto. /be
Attachment #300512 -
Flags: review?(brendan)
Attachment #300512 -
Flags: review+
Attachment #300512 -
Flags: approval1.9b3?
|
||
Comment 3•17 years ago
|
||
if (xdr->mode == JSXDR_DECODE) {
+ if (xdr->mode == JSXDR_DECODE)
+ JS_POP_TEMP_ROOT(cx, &tvr);
This is weird.|
|
Assignee | |
Comment 4•17 years ago
|
||
The new version removes the duplicated encoding check.
Attachment #300512 -
Attachment is obsolete: true
Attachment #300541 -
Flags: review+
Attachment #300541 -
Flags: approval1.9b3?
Attachment #300512 -
Flags: approval1.9b3?
|
||
Comment 5•17 years ago
|
||
Comment on attachment 300541 [details] [diff] [review] v2 a=beltzner for beta 3
Attachment #300541 -
Flags: approval1.9b3? → approval1.9b3+
|
|
Assignee | |
Comment 7•17 years ago
|
||
I checked in the patch from comment 4 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%252Fcvsroot&date=explicit&mindate=1201745940&maxdate=1201745942&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 8•17 years ago
|
||
That fixes things over here, thanks!
|
||
Updated•16 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•