Closed Bug 414871 Opened 17 years ago Closed 17 years ago

Startup fatal assertion when gczeal == 2

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta3

People

(Reporter: bzbarsky, Assigned: igor)

References

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

v2
3.38 KB, patch
igor
: review+
beltzner
: approval1.9b3+
Details | Diff | Splinter Review
BUILD: Current trunk Firefox STEPS TO REPRODUCE: 1) Set javascript.options.gczeal to 2 in about:config. 2) Quit the browser 3) Try to start the browser. EXPECTED RESULTS: Browser starts so I can debug the thing I really need to debug. ACTUAL RESULTS: (gdb) frame 0 #0 JS_Assert (s=0xb7ba2bc3 "thing", file=0xb7ba1e08 "../../../mozilla/js/src/jsgc.c", ln=1902) at ../../../mozilla/js/src/jsutil.c:63 63 abort(); with this stack: #0 JS_Assert (s=0xb7ba2bc3 "thing", file=0xb7ba1e08 "../../../mozilla/js/src/jsgc.c", ln=1902) at ../../../mozilla/js/src/jsutil.c:63 #1 0xb7b0e298 in JS_CallTracer (trc=0xbfffdde0, thing=0x0, kind=0) at ../../../mozilla/js/src/jsgc.c:1902 #2 0xb7b70ad8 in js_TraceScript (trc=0xbfffdde0, script=0x82ad960) at ../../../mozilla/js/src/jsscript.c:1535 #3 0xb7b098f8 in js_TraceFunction (trc=0xbfffdde0, fun=0xb480c480) at ../../../mozilla/js/src/jsfun.c:2017 #4 0xb7b0da98 in JS_TraceChildren (trc=0xbfffdde0, thing=0xb480c480, kind=3) at ../../../mozilla/js/src/jsgc.c:1709 #5 0xb7b0e64d in JS_CallTracer (trc=0xbfffdde0, thing=0xb480c480, kind=3) at ../../../mozilla/js/src/jsgc.c:1971 #6 0xb7b0f18e in TraceWeakRoots (trc=0xbfffdde0, wr=0x819638c) at ../../../mozilla/js/src/jsgc.c:2181 #7 0xb7b0f3be in js_TraceContext (trc=0xbfffdde0, acx=0x8196310) at ../../../mozilla/js/src/jsgc.c:2232 #8 0xb7b0f829 in js_TraceRuntime (trc=0xbfffdde0, allAtoms=1) at ../../../mozilla/js/src/jsgc.c:2298 #9 0xb7b0fdb6 in js_GC (cx=0x8196310, gckind=GC_LAST_DITCH) at ../../../mozilla/js/src/jsgc.c:2514 #10 0xb7b0cfe2 in js_NewGCThing (cx=0x8196310, flags=0, nbytes=32) at ../../../mozilla/js/src/jsgc.c:1359 #11 0xb7b36c2a in js_NewObject (cx=0x8196310, clasp=0xb7bb51a0, proto=0xb480f880, parent=0xb480f6c0) at ../../../mozilla/js/src/jsobj.c:2526 #12 0xb7acfd3d in JS_InitClass (cx=0x8196310, obj=0xb480f6c0, parent_proto=0xb480f880, clasp=0xb7bb51a0, constructor=0, nargs=0, ps=0x0, fs=0x0, static_ps=0x0, static_fs=0x0) at ../../../mozilla/js/src/jsapi.c:2658 #13 0xb7b362c1 in js_InitBlockClass (cx=0x8196310, obj=0xb480f6c0) at ../../../mozilla/js/src/jsobj.c:2258 #14 0xb7b370bf in js_GetClassObject (cx=0x8196310, obj=0xb480f6c0, key=JSProto_Block, objp=0xbfffe06c) at ../../../mozilla/js/src/jsobj.c:2697 #15 0xb7b372cf in js_FindClassObject (cx=0x8196310, start=0x0, id=61, vp=0xbfffe0b0) at ../../../mozilla/js/src/jsobj.c:2751 #16 0xb7b3b7f7 in js_GetClassPrototype (cx=0x8196310, scope=0x0, id=61, protop=0xbfffe0f0) at ../../../mozilla/js/src/jsobj.c:4473 #17 0xb7b3c19e in js_XDRObject (xdr=0x81f8948, objp=0x82ad9d0) at ../../../mozilla/js/src/jsobj.c:4748 #18 0xb7b6f47a in js_XDRScript (xdr=0x81f8948, scriptp=0xb480c48c, hasMagic=0x0) at ../../../mozilla/js/src/jsscript.c:574 #19 0xb7b07c31 in fun_xdrObject (xdr=0x81f8948, objp=0x842e470) at ../../../mozilla/js/src/jsfun.c:1291 #20 0xb7b3c27b in js_XDRObject (xdr=0x81f8948, objp=0x842e470) at ../../../mozilla/js/src/jsobj.c:4770 #21 0xb7b6f47a in js_XDRScript (xdr=0x81f8948, scriptp=0xbfffe4ec, hasMagic=0x0) at ../../../mozilla/js/src/jsscript.c:574 #22 0xb7b7eb99 in JS_XDRScript (xdr=0x81f8948, scriptp=0xbfffe4ec) at ../../../mozilla/js/src/jsxdrapi.c:690 ADDITIONAL INFORMATION: #6 0xb7b0f18e in TraceWeakRoots (trc=0xbfffdde0, wr=0x819638c) at ../../../mozilla/js/src/jsgc.c:2181 2181 JS_CALL_TRACER(trc, thing, i, weakRootNames[i]); (gdb) p weakRootNames[i] $6 = 0xb7ba300d "newborn function" #2 0xb7b70ad8 in js_TraceScript (trc=0xbfffdde0, script=0x82ad960) at ../../../mozilla/js/src/jsscript.c:1535 1535 JS_CallTracer(trc, objarray->vector[i], JSTRACE_OBJECT); (gdb) p i $21 = 1 (gdb) p *objarray $23 = {vector = 0x82ad9d0, length = 2} Looking at js_XDRScript, we read nobjects from the fastload file, create a new script with that much space for objects, then start fastloading the objects. Which means that some of the objects are going to be null during this process. This looks like a regression from bug 385729.
Flags: blocking1.9?
Blocks: 413631
Assignee: general → igor
Attached patch v1 (obsolete) — Splinter Review
The fix adds temporary routing of JSScript pointer until XDR finished decoding the script.
Attachment #300512 - Flags: review?(brendan)
Flags: blocking1.9? → blocking1.9+
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta3
Comment on attachment 300512 [details] [diff] [review] v1 This should go in pronto. /be
Attachment #300512 - Flags: review?(brendan)
Attachment #300512 - Flags: review+
Attachment #300512 - Flags: approval1.9b3?
if (xdr->mode == JSXDR_DECODE) { + if (xdr->mode == JSXDR_DECODE) + JS_POP_TEMP_ROOT(cx, &tvr); This is weird.
Attached patch v2Splinter Review
The new version removes the duplicated encoding check.
Attachment #300512 - Attachment is obsolete: true
Attachment #300541 - Flags: review+
Attachment #300541 - Flags: approval1.9b3?
Attachment #300512 - Flags: approval1.9b3?
Comment on attachment 300541 [details] [diff] [review] v2 a=beltzner for beta 3
Attachment #300541 - Flags: approval1.9b3? → approval1.9b3+
I checked in the patch from comment 4 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%252Fcvsroot&date=explicit&mindate=1201745940&maxdate=1201745942&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
That fixes things over here, thanks!
Flags: in-testsuite-
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: