Closed Bug 453024
Opened 16 years ago
Closed 16 years ago
Mochitest Assertion failure: vp + 2 + argc <= (jsval *) cx->stackPool.current->avail, at jsinterp.cpp:1066
Categories: Core :: JavaScript Engine, defect, P1
Tracking: VERIFIED FIXED, mozilla1.9.1b1
People: Reporter: jorendorff, Assigned: brendan
Keywords: assertion, testcase, verified1.9.1
Attachments (2 files, 1 obsolete file):
  359 bytes, text/html
  2.82 KB, patch (igor: review+)
Steps to reproduce: Run all the Mochitests in a debug browser build.

The first revision where the crash happens is:

changeset: 18376:574dff8d8e89
user: Ben Karel <eschew@gmail.com>
date: Mon Aug 25 13:21:28 2008 -0400
summary: Bug 293834 test. r=bzbarsky

That patch introduces a new test, but the new test is not the one that asserts. I've seen these two tests hit the assertion:
/tests/toolkit/content/tests/widgets/test_popup_recreate.xul
/tests/toolkit/content/tests/widgets/test_bug365773.xul
Comment 1•16 years ago
This testcase triggers the same assertion, but I'm not sure it's the same bug.
Comment 2•16 years ago
Whatever bug is causing *me* to hit the assertion is also a recent regression, by the way.
Comment 3•16 years ago
Diagnosed this today thanks to the TM bug 455146. /be
Assignee: general → brendan
Blocks: 455146
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
Flags: blocking1.9.0.3?
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b1
Comment 4•16 years ago
From dbaron, with mrbkap steering gdb:

From: "L. David Baron" <dbaron@dbaron.org>
Date: September 22, 2008 5:23:58 PM PDT
To: Blake Kaplan <mrbkap@gmail.com>
Subject: assertion

(gdb) bt
#0  0x00007fda51d45b81 in nanosleep () from /lib/libc.so.6
#1  0x00007fda51d459a4 in sleep () from /lib/libc.so.6
#2  0x00007fda561cbea3 in ah_crap_handler (signum=6) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/xre/nsSigHandlers.cpp:149
#3  0x00007fda561ccb23 in nsProfileLock::FatalSignalHandler (signo=6) at nsProfileLock.cpp:216
#4  <signal handler called>
#5  0x00007fda51cda095 in raise () from /lib/libc.so.6
#6  0x00007fda51cdbaf0 in abort () from /lib/libc.so.6
#7  0x00007fda55f4bcda in JS_Assert (s=<value optimized out>, file=<value optimized out>, ln=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsutil.cpp:63
#8  0x00007fda55f0390f in js_Invoke (cx=0x22938c0, argc=1, vp=0x22ac568, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1063
#9  0x00007fda55ef1e30 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4976
#10 0x00007fda55f03d54 in js_Invoke (cx=0x22938c0, argc=0, vp=0x22ac550, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1324
#11 0x00007fda55f04479 in js_InternalInvoke (cx=0x22938c0, obj=0xb476300, fval=103540352, flags=0, argc=0, argv=0x0, rval=0x7fff5e824938) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1381
#12 0x00007fda55f0459c in js_InternalGetOrSet (cx=0x22938c0, obj=0xb476300, id=140575297371380, fval=6, mode=JSACC_READ, argc=0, argv=0x0, rval=0x7fff5e824938) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1442
#13 0x00007fda55f0ff61 in js_NativeGet (cx=0x22938c0, obj=0xb476300, pobj=0x62be580, sprop=0x6fa4128, vp=0x7fff5e824938) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:3621
#14 0x00007fda55f11795 in js_GetPropertyHelper (cx=0x22938c0, obj=0xb476300, id=140575297371380, vp=0x7fff5e824938, entryp=0x7fff5e824910) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:3771
#15 0x00007fda55ef190a in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4258
#16 0x00007fda55f03d54 in js_Invoke (cx=0x22938c0, argc=0, vp=0x22ac108, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1324
#17 0x00007fda55f04479 in js_InternalInvoke (cx=0x22938c0, obj=0xb476300, fval=189229440, flags=0, argc=0, argv=0x0, rval=0x7fff5e824c40) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1381
#18 0x00007fda55eb0c73 in JS_CallFunctionValue (cx=0x22938c0, obj=0xb476300, fval=189229440, argc=0, argv=0x0, rval=0x7fff5e824c40) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsapi.cpp:5081
#19 0x00007fda48656f7e in nsXBLPrototypeBinding::AttributeChanged (this=0x0, aAttribute=0x0, aNameSpaceID=0, aRemoveFlag=34, aChangedElement=0x0, aAnonymousContent=0x7fff00000000, aNotify=194983984) at /home/dbaron/builds/mozilla-central/mozilla/content/xbl/src/nsXBLPrototypeBinding.cpp:597
#20 0x00007fda48664af9 in nsXBLSpecialDocInfo::LoadDocInfo (this=0x2caadd0) at /home/dbaron/builds/mozilla-central/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp:130
#21 0x00007fda48664b90 in nsXBLSpecialDocInfo::LoadDocInfo (this=0x176923f0) at /home/dbaron/builds/mozilla-central/mozilla/content/xbl/src/nsXBLWindowKeyHandler.cpp:139
#22 0x00007fda4849790f in nsDocument::FindContentForSubDocument (this=0x7fff5e824d20, aDocument=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsDocument.cpp:2654
#23 0x00007fda48678a74 in XULContentSinkImpl::OpenTag (this=0x2, aAttributes=<value optimized out>, aAttrLen=1585597776, aLineNumber=0, aNodeInfo=0x7fda48664b90) at /home/dbaron/builds/mozilla-central/mozilla/content/xul/document/src/nsXULContentSink.cpp:931
#24 0x00007fda482de0dd in nsOverflowClipWrapper::WrapItem (this=0x2, aBuilder=0x7fff5e824ef0, aItem=0x0) at /home/dbaron/builds/mozilla-central/mozilla/layout/generic/nsFrame.cpp:1076
#25 0x00007fda484c07f5 in nsGenericElement::HasAttribute (this=0x726, aName=<value optimized out>, aReturn=0x7fff5e824e00) at /home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:2308
#26 0x00007fda484bf8a5 in nsDOMEventRTTearoff::GetScriptTypeID (this=<value optimized out>, aLang=0x726) at /home/dbaron/builds/mozilla-central/mozilla/content/base/src/nsGenericElement.cpp:1510
#27 0x00007fda4903c7b5 in nsIDOMNode_AppendChild (cx=<value optimized out>, argc=<value optimized out>, vp=0x176923f0) at dom_quickstubs.cpp:2770
#28 0x00007fda55efba48 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4960
#29 0x00007fda55f03d54 in js_Invoke (cx=0x22938c0, argc=1, vp=0x22abb40, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1324
#30 0x00007fda55f04479 in js_InternalInvoke (cx=0x22938c0, obj=0x45c14c0, fval=73143808, flags=0, argc=1, argv=0x22abb38, rval=0x22abb38) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1381
#31 0x00007fda55f0459c in js_InternalGetOrSet (cx=0x22938c0, obj=0x45c14c0, id=13002004, fval=6, mode=JSACC_WRITE, argc=1, argv=0x22abb38, rval=0x22abb38) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1442
#32 0x00007fda55f110d2 in js_SetPropertyHelper (cx=0x22938c0, obj=0x45c14c0, id=13002004, vp=0x22abb38, entryp=0x0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsobj.cpp:3895
#33 0x00007fda48ffe540 in nsXPCWrappedJSClass::CallMethod (this=0x17aa0e20, wrapper=<value optimized out>, methodIndex=6, info=0x15fe310, nativeParams=0x7fff5e825d70) at /home/dbaron/builds/mozilla-central/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1518
#34 0x00007fda55310b4a in PrepareAndDispatch (self=0x1fa06b70, methodIndex=<value optimized out>, args=0x7fff5e825ed0, gpregs=0x7fff5e825e50, fpregs=0x7fff5e825e80) at /home/dbaron/builds/mozilla-central/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:151
#35 0x00007fda5530fe0b in SharedStub () from /home/dbaron/builds/mozilla-central/obj/firefox-debugopt/dist/bin/libxpcom_core.so
#36 0x00007fda3ac6ed04 in nsAutoCompleteController::OpenPopup (this=0x1cd4030) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:945
#37 0x00007fda3ac712b0 in nsAutoCompleteController::ProcessResult (this=0x1cd4030, aSearchIndex=0, aResult=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:1263
#38 0x00007fda3ac714fb in nsAutoCompleteController::OnSearchResult (this=0x1cd4030, aSearch=0xb87e28, aResult=0x22133080) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/components/autocomplete/src/nsAutoCompleteController.cpp:682
#39 0x00007fda42dcbc3d in nsNavHistory::PerformAutoComplete (this=0xb87de0) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/components/places/src/nsNavHistoryAutoComplete.cpp:450
#40 0x00007fda552fe46b in nsTimerImpl::Fire (this=0xaa4a260) at /home/dbaron/builds/mozilla-central/mozilla/xpcom/threads/nsTimerImpl.cpp:420
#41 0x00007fda552fe6de in nsTimerEvent::Run (this=0x7fda3c408f50) at /home/dbaron/builds/mozilla-central/mozilla/xpcom/threads/nsTimerImpl.cpp:512
#42 0x00007fda552f9141 in nsThread::ProcessNextEvent (this=0x665310, mayWait=1, result=0x7fff5e826204) at /home/dbaron/builds/mozilla-central/mozilla/xpcom/threads/nsThread.cpp:524
#43 0x00007fda5529dcbc in NS_ProcessNextEvent_P (thread=0x726, mayWait=1) at nsThreadUtils.cpp:227
#44 0x00007fda45a5712f in nsBaseAppShell::Run (this=0x68b600) at /home/dbaron/builds/mozilla-central/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#45 0x00007fda45179026 in nsAppStartup::Run (this=0x860fb0) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:182
#46 0x00007fda561bf0c3 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/toolkit/xre/nsAppRunner.cpp:3222
#47 0x00000000004010c2 in main (argc=4, argv=0x7fff5e826ad8) at /home/dbaron/builds/mozilla-central/mozilla/browser/app/nsBrowserApp.cpp:156
(gdb) f 9
#9  0x00007fda55ef1e30 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4976
4976	            ok = js_Invoke(cx, argc, vp, 0);
(gdb) p inlineCallCount
$1 = 0
(gdb) f 15
#15 0x00007fda55ef190a in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4258
4258	            if (entry
(gdb) p inlineCallCount
$2 = 3
(gdb) f 28
#28 0x00007fda55efba48 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4960
4960	                ok = ((JSFastNative) fun->u.n.native)(cx, argc, vp);
(gdb) p inlineCallCount
$3 = 5
(gdb) f 8
#8  0x00007fda55f0390f in js_Invoke (cx=0x22938c0, argc=1, vp=0x22ac568, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1063
1063	    JS_ASSERT((jsval *) cx->stackPool.current->base <= vp);
(gdb) p cx->stackPool.current->next
$4 = (JSArena *) 0x0
(gdb) p cx->stackPool.current
$5 = (JSArena *) 0x20e4a8b0
(gdb) p *$
$6 = {next = 0x0, base = 551856336, limit = 551864535, avail = 551856344}
(gdb) p cx->stackPool
$7 = {first = {next = 0x22aa560, base = 36256192, limit = 36256192, avail = 36256192}, current = 0x20e4a8b0, arenasize = 8192, mask = 7, quotap = 0x2293990}
(gdb) p cx->stackPool.first.next
$8 = (JSArena *) 0x22aa560
(gdb) p *$
$9 = {next = 0x20e4a8b0, base = 36349312, limit = 36357511, avail = 36357504}
(gdb) p *$.next
$10 = {next = 0x0, base = 551856336, limit = 551864535, avail = 551856344}
(gdb) p vp
$11 = (jsval *) 0x22ac568
(gdb) p cx->stackPool.current->base
$12 = 551856336
(gdb) p/x $
$13 = 0x20e4a8d0
(gdb) l
1058	    uint32 rootedArgsFlag;
1059	    JSInterpreterHook hook;
1060	    void *hookData;
1061
1062	    /* [vp .. vp + 2 + argc) must belong to the last JS stack arena. */
1063	    JS_ASSERT((jsval *) cx->stackPool.current->base <= vp);
1064	    JS_ASSERT(vp + 2 + argc <= (jsval *) cx->stackPool.current->avail);
1065
1066	    /*
1067	     * Mark the top of stack and load frequently-used registers. After this
(gdb) up
#9  0x00007fda55ef1e30 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4976
4976	            ok = js_Invoke(cx, argc, vp, 0);
(gdb) l
4971	                        goto error;
4972	                    goto end_call;
4973	                }
4974	            }
4975
4976	            ok = js_Invoke(cx, argc, vp, 0);
4977	#ifdef INCLUDE_MOZILLA_DTRACE
4978	            /* DTrace function return, non-inlines */
4979	            if (VALUE_IS_FUNCTION(cx, lval)) {
4980	                if (JAVASCRIPT_FUNCTION_RVAL_ENABLED())
(gdb) p op
$14 = <value optimized out>
(gdb) p *regs.pc
$15 = 58 ':'
(gdb) p (JSOp)*regs.pc
$16 = JSOP_CALL
(gdb) p/x lval
$17 = 0x0
(gdb) p *script
$18 = {code = 0x62194a0 "�", length = 50, version = 180, nfixed = 0, objectsOffset = 0 '\0', upvarsOffset = 0 '\0', regexpsOffset = 0 '\0', trynotesOffset = 0 '\0', flags = 0 '\0', main = 0x62194a0 "�", atomMap = { vector = 0x6219458, length = 9}, filename = 0x15e3f4d "chrome://global/content/bindings/autocomplete.xml", lineno = 1184, nslots = 4, staticDepth = 0, principals = 0x791858, u = { object = 0x0, nextToGC = 0x0}, owner = 0x0}
(gdb) call js_PCToLineNumber(cx,script,regs.pc)
[Switching to Thread 0x7fda567f6780 (LWP 1830)]
$19 = 1189
(gdb) p fp.sp - fp.spbase
There is no member named sp.
(gdb) p regs.sp - fp.spbase
There is no member named spbase.
(gdb) p *fp
$20 = {regs = 0x7fff5e824320, slots = 0x22ac560, callobj = 0x0, argsobj = 0x0, varobj = 0x0, callee = 0x62be680, script = 0x6219400, fun = 0x7156070, thisp = 0xb476300, argc = 0, argv = 0x22ac560, rval = 22, down = 0x22ac3e0, annotation = 0x0, scopeChain = 0x229b3c0, sharpDepth = 0, sharpArray = 0x0, flags = 34, dormantNext = 0x0, xmlNamespace = 0x0, blockChain = 0x0, displaySave = 0x22ac3e0, pcDisabledSave = 0}
(gdb) p fp.down.regs.sp
$21 = (jsval *) 0x22ac538
(gdb) p regs.sp - fp.down.regs.sp
$22 = 9
(gdb) up
#10 0x00007fda55f03d54 in js_Invoke (cx=0x22938c0, argc=0, vp=0x22ac550, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1324
1324	        ok = js_Interpret(cx);
(gdb) down
#9  0x00007fda55ef1e30 in js_Interpret (cx=0x22938c0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:4976
4976	            ok = js_Invoke(cx, argc, vp, 0);
(gdb) down
#8  0x00007fda55f0390f in js_Invoke (cx=0x22938c0, argc=1, vp=0x22ac568, flags=0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsinterp.cpp:1063
1063	    JS_ASSERT((jsval *) cx->stackPool.current->base <= vp);
(gdb) p vp
$23 = (jsval *) 0x22ac568
(gdb) p cx->stackPool.current->base
$24 = 551856336
(gdb) p/x cx->stackPool.current->base
$25 = 0x20e4a8d0
(gdb) p *vp
$26 = 71903040
(gdb) p cx->stackPool
$27 = {first = {next = 0x22aa560, base = 36256192, limit = 36256192, avail = 36256192}, current = 0x20e4a8b0, arenasize = 8192, mask = 7, quotap = 0x2293990}
(gdb) p cx->stackPool.first
$28 = {next = 0x22aa560, base = 36256192, limit = 36256192, avail = 36256192}
(gdb) p argc
$29 = 1
(gdb) p &cx->stackPool.first
$30 = (JSArena *) 0x22939a0
(gdb) p $.next
$31 = (JSArena *) 0x22aa560
(gdb) p $.next
$32 = (JSArena *) 0x20e4a8b0
(gdb) p $.next
$33 = (JSArena *) 0x0
(gdb) p/x *$31
$34 = {next = 0x20e4a8b0, base = 0x22aa580, limit = 0x22ac587, avail = 0x22ac580}
(gdb) p *$32
$35 = {next = 0x0, base = 551856336, limit = 551864535, avail = 551856344}
(gdb) p/x *$32
$36 = {next = 0x0, base = 0x20e4a8d0, limit = 0x20e4c8d7, avail = 0x20e4a8d8}
(gdb) p/x $36.limit - $36.base
$37 = 0x2007
(gdb) p/x $36.avail - $36.base
$38 = 0x8
(gdb) p/x $36.base[0]
cannot subscript something of type `long unsigned int'
(gdb) p/x ((jsval*)$36.base)[0]
$39 = 0x0
(gdb) p/x ((jsval*)$36.base)[1]
$40 = 0xdadadadadadadada
(gdb) p/x ((jsval*)$36.base)[2]
$41 = 0xdadadadadadadada
(gdb) p/x ((jsval*)$36.base)[3]
$42 = 0xdadadadadadadada
(gdb) p *$31
$43 = {next = 0x20e4a8b0, base = 36349312, limit = 36357511, avail = 36357504}
(gdb) p/x $43.limit - $43.avail
$44 = 0x7
(gdb) p/x ((jsval*)$43.avail)[0]
$45 = 0xdadadadadadada
(gdb) p/x ((jsval*)$43.avail)[-1]
$46 = 0x674e540
(gdb) p/x ((jsval*)$43.avail)[-2]
$47 = 0x4492700
(gdb) p (JSObject*)$46
$48 = (JSObject *) 0x674e540
(gdb) p *(JSObject*)$46
$49 = {map = 0x2cb82a0, classword = 8957130, fslots = {46898880, 36146816, 108349137, 22, 22}, dslots = 0x0}
(gdb) p *(JSClass*)$49.classword
$50 = {name = 0xd000000000088 <Address 0xd000000000088 out of bounds>, flags = 9, addProperty = 0xcad000007fda4900, delProperty = 0xd70000007fda4900, getProperty = 0xcad000007fda55ea, setProperty = 0xd71000007fda4900, enumerate = 0xfe7000007fda55ea, resolve = 0xfbd000007fda4900, convert = 0xfb9000007fda4900, finalize = 0xc4d000007fda4900, getObjectOps = 0x7fda4900, checkAccess = 0, call = 0, construct = 0, xdrObject = 0xeef0000000000000, hasInstance = 0x10c000007fda4900, mark = 0x7fda4901, reserveSlots = 0xf980000000000000}
(gdb) p *(JSClass*)($49.classword-1)
$51 = {name = 0xd000000000088ac <Address 0xd000000000088ac out of bounds>, flags = 2304, addProperty = 0xd000007fda4900ca, delProperty = 0x7fda4900ca, getProperty = 0xd000007fda55ead7, setProperty = 0x1000007fda4900ca, enumerate = 0x7000007fda55ead7, resolve = 0xd000007fda4900fe, convert = 0x9000007fda4900fb, finalize = 0xd000007fda4900fb, getObjectOps = 0x7fda4900c4, checkAccess = 0, call = 0, construct = 0, xdrObject = 0xf000000000000000, hasInstance = 0xc000007fda4900ee, mark = 0x7fda490110, reserveSlots = 0x8000000000000000}
(gdb) p/x 8957130
$52 = 0x88acca
(gdb) p *(JSClass*)($49.classword-2)
$53 = {name = 0x88aca0 "nsJSIID", flags = 589837, addProperty = 0x7fda4900cad0 <XPC_WN_MaybeResolvingPropertyStub>, delProperty = 0x7fda4900cad0 <XPC_WN_MaybeResolvingPropertyStub>, getProperty = 0x7fda55ead700 <JS_PropertyStub>, setProperty = 0x7fda4900cad0 <XPC_WN_MaybeResolvingPropertyStub>, enumerate = 0x7fda55ead710 <JS_EnumerateStub>, resolve = 0x7fda4900fe70 <XPC_WN_Helper_NewResolve>, convert = 0x7fda4900fbd0 <XPC_WN_Shared_Convert>, finalize = 0x7fda4900fb90 <XPC_WN_NoHelper_Finalize>, getObjectOps = 0x7fda4900c4d0 <XPC_WN_GetObjectOpsNoCall(JSContext*, JSClass*)>, checkAccess = 0, call = 0, construct = 0, xdrObject = 0, hasInstance = 0x7fda4900eef0 <XPC_WN_Helper_HasInstance>, mark = 0x7fda490110c0 <XPC_WN_Shared_Trace>, reserveSlots = 0}
(gdb) p (JSObject*)$47
$54 = (JSObject *) 0x4492700
(gdb) p *$
$55 = {map = 0x4494e90, classword = 8809242, fslots = {71902912, 36146816, 71912945, 22, 22}, dslots = 0x0}
(gdb) p/x $55.classword
$56 = 0x866b1a
(gdb) p *(JSClass*)($55.classword-2)
$57 = {name = 0x866930 "nsJSCID", flags = 589837, addProperty = 0x7fda4900cca0 <XPC_WN_CannotModifyPropertyStub>, delProperty = 0x7fda4900cca0 <XPC_WN_CannotModifyPropertyStub>, getProperty = 0x7fda55ead700 <JS_PropertyStub>, setProperty = 0x7fda4900cca0 <XPC_WN_CannotModifyPropertyStub>, enumerate = 0x7fda490103a0 <XPC_WN_Shared_Enumerate>, resolve = 0x7fda4900fe70 <XPC_WN_Helper_NewResolve>, convert = 0x7fda4900fbd0 <XPC_WN_Shared_Convert>, finalize = 0x7fda4900fb90 <XPC_WN_NoHelper_Finalize>, getObjectOps = 0x7fda4900c4e0 <XPC_WN_GetObjectOpsWithCall(JSContext*, JSClass*)>, checkAccess = 0, call = 0, construct = 0x7fda4900efc0 <XPC_WN_Helper_Construct>, xdrObject = 0, hasInstance = 0x7fda4900eef0 <XPC_WN_Helper_HasInstance>, mark = 0x7fda490110c0 <XPC_WN_Shared_Trace>, reserveSlots = 0}

The bug is in the missing arguments handling for the inline_call: code in the interpreter, when newsp is advanced to point just after the missing args, and found to fit within cx->stackPool.current->[base, avail) -- that code stuffs undefined for the missing args by looping with *--newsp = JSVAL_VOID -- which leaves newsp pointing at the first missing arg! The following code allocates the JSInlineFrame starting at that slot, and disaster ensues.

/be
Comment 5•16 years ago
Attachment #340083 -
Flags: review?(mrbkap)
Updated•16 years ago
Attachment #340083 -
Flags: review+
Updated•16 years ago
Attachment #340083 -
Flags: review?(mrbkap) → review+
Comment 7•16 years ago
The regression here is from the patch for bug 441686 -- the newsp regression is not biting here, and I don't know of a bug on it other than the twin bug afflicting a proposed patch to jstracer.cpp. I'm patching both regressions here, even though I could split out the first hunk into a patch for this bug and file a new bug with the remaining hunks attached as a separate patch if it seems necessary. At this point I'd rather get these fixes in quickly.

/be
Attachment #340083 -
Attachment is obsolete: true
Attachment #340107 -
Flags: review?(igor)
Updated•16 years ago
Attachment #340107 -
Attachment is patch: true
Attachment #340107 -
Attachment mime type: application/octet-stream → text/plain
Comment 8•16 years ago
Comment on attachment 340107 [details] [diff] [review]
fix, v2

Sigh, I had at one point a patch with &mark, but then went to overzealous optimizations.
Attachment #340107 -
Flags: review?(igor) → review+
Comment 9•16 years ago
Fixed on tracemonkey: http://hg.mozilla.org/tracemonkey/rev/905b20c947cf

Trying to get tm and m-c sync'ed again tonight (this a.m. -- 0213 here).

/be
Comment 10•16 years ago
Fixed on mozilla-central: http://hg.mozilla.org/mozilla-central/rev/18362cc51299

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11•16 years ago
There is no newsp problem. Here is the original unpatched code in full:

    a = cx->stackPool.current;
    newmark = (void *) a->avail;
    if (fun->nargs <= argc) {
        missing = 0;
    } else {
        newsp = vp + 2 + fun->nargs;
        JS_ASSERT(newsp > regs.sp);
        if ((jsuword) newsp <= a->limit) {
            if ((jsuword) newsp > a->avail)
                a->avail = (jsuword) newsp;
            do {
                *--newsp = JSVAL_VOID;
            } while (newsp != regs.sp);
            missing = 0;
        } else {
            ...
        }
    }

    /* Allocate the inline frame with its slots and operands. */
    if (a->avail + nbytes <= a->limit) {
        newsp = (jsval *) a->avail;
        ...
    } else {
        JS_ARENA_ALLOCATE_CAST(newsp, jsval *, &cx->stackPool, nbytes);
        ...

Note how newsp is always reinitialized, so the previous mutations of newsp do not count. So there is no bug in that code, and so there is no bug on the 1.9.0 branch.

On the other hand, the trunk-only bug in js_Execute with the missing &mark is real. But it just leads to a temporary leak of stack space, not a crash. So something causes the segfault.
Status: RESOLVED → REOPENED
Flags: blocking1.9.0.3?
Resolution: FIXED → ---
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 12•16 years ago
The bug is indeed a regression from bug 441686. It happens when a fast native calls a function like JS_EvaluateUCScriptForPrincipals, which in turn calls js_Execute. When the latter forgets to release the extra allocated stack, control eventually returns to the interpreter with cx->stackPool.current pointing to an arena that was allocated after the one containing regs.sp.

This is exactly what the test case demonstrates, since after landing bug 407216 DOM's attachNode became a fast native. Thus, when, after attaching a script element, its script is executed via EvaluateUCScriptForPrincipals, one gets a call to JS_EvaluateUCScriptForPrincipals from a fast native.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
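A small C model, added here and not SpiderMonkey's own code, of the two mechanisms this thread turns on. It covers the missing-argument padding loop quoted in comment 11 (with the frame pointer re-derived from a->avail afterwards, so the loop's final newsp is irrelevant) and the mark/release discipline from comment 12: a nested execution that chains a new stack arena but never releases its mark leaves the pool's current arena pointing past the arena that holds the caller's vp, so the js_Invoke invariant [vp, vp + 2 + argc) within [base, avail) no longer holds for that caller. Every name here (pool_t, arena_t, pool_alloc, pool_mark, pool_release, frame_fits, push_missing_args, nested_execute, invoke_after_nested, missing_args_ok) and the 8-slot arena size are assumptions of the model, not identifiers from the engine.

```c
/* Added model, not SpiderMonkey's code: an arena-chain stack pool with
 * mark/release, the js_Invoke range invariant, and missing-arg padding.
 * All names and the 8-slot arena size are assumptions of this model. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uintptr_t jsval;            /* one value slot, like the page's jsval */
#define JSVAL_VOID ((jsval)0x2)     /* constructed tag standing in for undefined */
#define ARENA_SLOTS 8               /* tiny arenas make chaining easy to hit */

typedef struct arena {
    struct arena *next;
    jsval *base, *limit, *avail;
    jsval slots[ARENA_SLOTS];
} arena_t;

typedef struct {
    arena_t first;                  /* dummy head like stackPool.first: base == limit */
    arena_t *current;
} pool_t;

typedef struct { arena_t *arena; jsval *avail; } mark_t;

void pool_init(pool_t *p) {
    memset(p, 0, sizeof *p);
    p->first.base = p->first.limit = p->first.avail = p->first.slots;
    p->current = &p->first;
}

/* Allocate n slots in the current arena, chaining a fresh arena when it is full. */
jsval *pool_alloc(pool_t *p, size_t n) {
    arena_t *a = p->current;
    if ((size_t)(a->limit - a->avail) < n) {
        arena_t *b = calloc(1, sizeof *b);
        b->base = b->avail = b->slots;
        b->limit = b->slots + ARENA_SLOTS;
        a->next = b;
        p->current = a = b;
    }
    jsval *sp = a->avail;
    a->avail += n;
    return sp;
}

mark_t pool_mark(const pool_t *p) {
    mark_t m = { p->current, p->current->avail };
    return m;
}

/* Release everything allocated since the mark; arenas chained after it are freed. */
void pool_release(pool_t *p, mark_t m) {
    for (arena_t *a = m.arena->next; a; ) { arena_t *n = a->next; free(a); a = n; }
    m.arena->next = NULL;
    m.arena->avail = m.avail;
    p->current = m.arena;
}

void pool_destroy(pool_t *p) { pool_release(p, (mark_t){ &p->first, p->first.slots }); }

/* The invariant js_Invoke asserts: [vp, vp + 2 + argc) lies in current [base, avail). */
int frame_fits(const pool_t *p, const jsval *vp, unsigned argc) {
    const arena_t *a = p->current;
    return (uintptr_t)a->base <= (uintptr_t)vp &&
           (uintptr_t)(vp + 2 + argc) <= (uintptr_t)a->avail;
}

/* Pad missing actuals with undefined as in the code quoted in comment 11.
 * sp is regs.sp (just past the argc actuals); the loop walks newsp back down
 * to sp, and the frame pointer is then taken from a->avail, not from newsp. */
jsval *push_missing_args(pool_t *p, jsval *sp, unsigned argc, unsigned nargs) {
    arena_t *a = p->current;
    if (nargs > argc) {
        jsval *newsp = sp + (nargs - argc);   /* == vp + 2 + nargs */
        assert(newsp <= a->limit);            /* model: no arena overflow here */
        if (newsp > a->avail) a->avail = newsp;
        do { *--newsp = JSVAL_VOID; } while (newsp != sp);
    }
    return a->avail;                          /* re-derived, as the quoted code does */
}

/* Nested execution that chains a new arena; leak=1 forgets to release its mark. */
void nested_execute(pool_t *p, int leak) {
    mark_t m = pool_mark(p);
    pool_alloc(p, ARENA_SLOTS);               /* cannot fit: chains a new arena */
    if (!leak) pool_release(p, m);
}

/* 1 when the caller's frame still satisfies the invariant after the nested call. */
int invoke_after_nested(int leak) {
    pool_t p; pool_init(&p);
    jsval *vp = pool_alloc(&p, 3);            /* callee, this, one actual */
    nested_execute(&p, leak);
    int ok = frame_fits(&p, vp, 1);
    pool_destroy(&p);
    return ok;
}

/* 1 when two missing args were filled and the frame pointer equals a->avail. */
int missing_args_ok(void) {
    pool_t p; pool_init(&p);
    jsval *vp = pool_alloc(&p, 3);            /* argc == 1 */
    jsval *sp = vp + 3;
    jsval *frame = push_missing_args(&p, sp, 1, 3);   /* fun->nargs == 3 */
    int ok = frame == vp + 5 && frame == p.current->avail &&
             sp[0] == JSVAL_VOID && sp[1] == JSVAL_VOID;
    pool_destroy(&p);
    return ok;
}

int main(void) {
    printf("released mark: %d, leaked mark: %d, missing args: %d\n",
           invoke_after_nested(0), invoke_after_nested(1), missing_args_ok());
    return 0;
}
```

The leaked-mark case is the shape comment 12 describes: the caller's vp still lives in the earlier arena, but the pool's current arena is the one the nested call chained, so the range check fails even though no memory was corrupted yet. Releasing the mark frees the chained arena and restores current, and the check passes again.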
Comment 13•16 years ago
Igor: thanks, I copied badly from interpreter to tracer and lost the re-init of newsp. In that light we could revert the argsp change. Thoughts?

/be
Comment 14•16 years ago
(In reply to comment #13)
> Igor: thanks, I copied badly from interpreter to tracer and lost the re-init of
> newsp. In that light we could revert the argsp change. Thoughts?

That change to JSOP_CALL does no harm. Modern compilers should generate the same code with or without the change. So let's keep it to avoid hg blame noise.
Comment 15•16 years ago
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-453024.js,v <-- regress-453024.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b04c04268a94
Flags: in-testsuite+
Flags: in-litmus-
Updated•16 years ago
Keywords: fixed1.9.1
Comment 16•16 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1