TM: assertion of "size_t(p - cx->fp->slots) < cx->fp->script->nslots"

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
Status:
RESOLVED FIXED
Reported:
10 years ago
Modified:
10 years ago

People

(Reporter: m_kato, Assigned: m_kato)

Tracking

Version:
unspecified
Platform:
x86
Linux
Points:
---
Bug Flags:
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

patch v1
906 bytes, patch
dvander
: review-
Details | Diff | Splinter Review
patch v2
542 bytes, patch
m_kato
: review+
Details | Diff | Splinter Review
(Assignee)

Description

10 years ago 
Created attachment 338292 [details] [diff] [review]
patch v1

On x86-64, the following script causes assertion.

js> function test() { function f0() { return arguments[0]; } for (var i = 0; i < 4; i++) f0('a'); } test();

Global shape mismatch (124 vs. 0) in RecordTree, flushing cache.
Flushing cache.
recording starting from typein:1@14
    trace

import vp=0x82e870 name=$callee0 type=object flags=0
import vp=0x82e878 name=$this0 type=object flags=0
import vp=0x82e960 name=$test.f0 type=object flags=0
import vp=0x82e968 name=$test.i type=int flags=0
    state = param rdi
    param1 = param rsi
    sp = ldq state[0]
    rp = ldq state[8]
    cx = ldq state[24]
    gp = ldq state[16]
    eos = ldq state[32]
    eor = ldq state[40]
    $callee0 = ldq sp[-32]
    $this0 = ldq sp[-24]
    $test.f0 = ldq sp[-16]
    ld1 = ld sp[-8]
    $test.i = i2f ld1
    sp[0] = $test.f0
    sp[8] = 0
    sp[16] = ATOM_TO_STRING(atom)
    guard(shapeless callee) = eq $test.f0, JSVAL_TO_OBJECT(callee)
    xf1: xf guard(shapeless callee) -> 0x82e784 sp+24 rp+0

EnterFrame f0, callDepth=1
Assertion failure: size_t(p - cx->fp->slots) < cx->fp->script->nslots, at jstracer.cpp:936
Aborted
 (Assignee)

Updated

10 years ago
Attachment #338292 - Flags: review?(danderson)
 (Assignee)

Updated

10 years ago
Assignee: general → m_kato

Comment 1

10 years ago 
Comment on attachment 338292 [details] [diff] [review]
patch v1

This is definitely a valid bug.  We don't want to abort the trace though, we're supposed to be filling missing parameters with JSVAL_VOID (which works on x86).
Attachment #338292 - Flags: review?(danderson) → review-

Comment 2

10 years ago 
Created attachment 338697 [details] [diff] [review]
patch v2

It looks like (fp->fun->nargs - fp->argc) wasn't being sign-extended, so the pointer math became (ptr + 0x00000000FFFFFFFF).  Maybe the math being in a parenthetical expression caused this.

Attached a new patch.
Attachment #338697 - Flags: review?(m_kato)
 (Assignee)

Updated

10 years ago
Attachment #338697 - Flags: review?(m_kato) → review+
 (Assignee)

Comment 3

10 years ago 
Comment on attachment 338697 [details] [diff] [review]
patch v2

Thanks, it works fine.

Comment 4

10 years ago 
Pushed fix to tracemonkey branch as revision http://hg.mozilla.org/tracemonkey/rev/93cc00a53bd8
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 5

10 years ago 
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-454981.js,v  <--  regress-454981.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/b7070ea346fc
Flags: in-testsuite+
Flags: in-litmus-

Comment 6

10 years ago 
note to self: js1_8_1/trace/trace-test.js also exhibits this assertion on m-c.
You need to log in before you can comment on or make changes to this bug.