TM: "Assertion failure: !fp->callee || fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1])"

VERIFIED FIXED in mozilla1.9.2a1

Status

Product: Core
Component: JavaScript Engine
Priority: P2
Severity: critical
Status: VERIFIED FIXED
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: Jesse Ruderman, Assigned: brendan)

Tracking

Blocks: 1 bug
Keywords: assertion, testcase, verified1.9.1
Version: Trunk
Target Milestone: mozilla1.9.2a1
Points: ---
Bug Flags:
blocking1.9.1 +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

9 years ago
Giving this script to "./js -j" as a file or paste triggers an assertion.

version(180);
var e = eval;
for (var a in this) { }
(function() { eval("this; for (let b in [0,1,2]) { }"); })();

Assertion failure: !fp->callee || fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1]), at jstracer.cpp:2624

I'm curious what's going on here.  For example, why is the version() call needed?  I thought 180 was the default.

Comment 1

9 years ago
Not a beta blocker IMO. It's some eval ugliness and let isn't used in content a lot. I'll take care of it after beta1.
Assignee: general → gal
Flags: blocking1.9.1?
Priority: -- → P3
Target Milestone: --- → mozilla1.9.1

Updated

9 years ago
Severity: critical → major
(Reporter)

Comment 2

9 years ago
Smaller testcase:

(function(){ eval('this'); (function(){ for(let y in [0,1,2]) 6;})(); })()

Assertion failure: !fp->callee || fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1]), at jstracer.cpp:2817

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
(Reporter)

Comment 3

9 years ago
http://spreeder.com/ triggers this assertion.

Note also that http://cgi.ebay.de/ws/eBayISAPI.dll?ViewItem&Item=230300747535&Category=66406 triggers this assertion. I also crashed on this site (Bug 464381).

Updated

9 years ago
Duplicate of this bug: 464381
(Assignee)

Updated

9 years ago
Blocks: 465058

http://www.myfoxatlanta.com/myfox/pages/News/Detail?contentId=7858948&version=2&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 triggers this assertion for me. If these sites are all the same bug, we should fix it for beta2 if we can.

Comment 7

9 years ago
Any updates here?
(Assignee)

Comment 8

9 years ago
I think this is a bogus assertion, nothing more. Opt build WFM. Jesse, do you agree? Thanks,

/be
(Reporter)

Comment 9

9 years ago
Opt build WFM, but I have no opinion on whether the assertion is bogus.

Hi,

I was running into this fatal assertion during the Topsite Testrun on a lot of pages like http://www.myfoxatlanta.com, myfoxcleveland.com, myfoxchicago.com etc.

So if this assertion is bogus, it would help the Topsite Testrun a lot if it got fixed/removed :)
(Assignee)

Comment 11

9 years ago
I no longer think this assertion is bogus. Seems to me we should be calling js_ComputeThis from TraceRecorder::getThis. Andreas, what do you think?

/be

Comment 12

9 years ago
I will take a look at the js_ComputeThis logic.

Updated

9 years ago
Severity: major → critical
Priority: P3 → P2
(Assignee)

Comment 13

9 years ago
Created attachment 367554 [details] [diff] [review]
fix bogus assertion

This is getting in the way of fuzzing upvar2. It also does seem to be just a bogus assertion, nothing more.

/be
Assignee: gal → brendan
Attachment #367554 - Flags: review?(gal)
(Assignee)

Updated

9 years ago
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All

Updated

9 years ago
Attachment #367554 - Flags: review?(gal) → review+

Comment 14

9 years ago
http://hg.mozilla.org/tracemonkey/rev/10b781704400
Whiteboard: fixed-in-tracemonkey

Comment 15

9 years ago
tinderbox says this doesn't pass trace tests in debug mode.

Comment 16

9 years ago
JS_Assert (s=0x1acb24 "(fp->flags & JSFRAME_COMPUTED_THIS) ? fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1]) : !fp->thisp", file=0x1aaf9e "../jstracer.cpp", ln=4216) at ../jsutil.cpp:68
68	    abort();
(gdb) bt
#0  JS_Assert (s=0x1acb24 "(fp->flags & JSFRAME_COMPUTED_THIS) ? fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1]) : !fp->thisp", file=0x1aaf9e "../jstracer.cpp", ln=4216) at ../jsutil.cpp:68
#1  0x0012a380 in LeaveTree (state=@0xbfffece8, lr=0x260624) at ../jstracer.cpp:4213
#2  0x0012aa6d in js_ExecuteTree (cx=0x30bca0, f=0x3287c0, inlineCallCount=@0xbffff200, innermostNestedGuardp=0xbfffedc4) at ../jstracer.cpp:3998
#3  0x0014f663 in js_MonitorLoopEdge (cx=0x30bca0, inlineCallCount=@0xbffff200) at ../jstracer.cpp:4315
#4  0x00070530 in js_Interpret (cx=0x30bca0) at ../jsinterp.cpp:3689
#5  0x0009067e in js_Execute (cx=0x30bca0, chain=0x29d000, script=0x863e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1546
#6  0x00010e8a in JS_ExecuteScript (cx=0x30bca0, obj=0x29d000, script=0x863e00, rval=0x0) at ../jsapi.cpp:5038
#7  0x00009d28 in Process (cx=0x30bca0, obj=0x29d000, filename=0xbffff97c "trace-test.js", forceTTY=0) at ../../shell/js.cpp:392
#8  0x0000aa3e in ProcessArgs (cx=0x30bca0, obj=0x29d000, argv=0xbffff87c, argc=2) at ../../shell/js.cpp:786
#9  0x0000ad46 in main (argc=2, argv=0xbffff87c, envp=0xbffff888) at ../../shell/js.cpp:4638
(gdb) up
#1  0x0012a380 in LeaveTree (state=@0xbfffece8, lr=0x260624) at ../jstracer.cpp:4213
4213	        JS_ASSERT_IF(fp->callee,
(gdb) list
4208	
4209	#ifdef DEBUG
4210	    // Verify that our state restoration worked
4211	    for (JSStackFrame* fp = cx->fp; fp; fp = fp->down) {
4212	        JS_ASSERT(!fp->callee || JSVAL_IS_OBJECT(fp->argv[-1]));
4213	        JS_ASSERT_IF(fp->callee,
4214	                     (fp->flags & JSFRAME_COMPUTED_THIS)
4215	                     ? fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1])
4216	                     : !fp->thisp);
4217	    }
(gdb) p *fp
$1 = {
  regs = 0x861e38, 
  imacpc = 0x0, 
  slots = 0x861da4, 
  callobj = 0x2b3180, 
  argsobj = 0x0, 
  varobj = 0x2b3180, 
  callee = 0x2a37e0, 
  script = 0x30e0d0, 
  fun = 0x2a37e0, 
  thisp = 0x29d000, 
  argc = 1, 
  argv = 0x861ce0, 
  rval = 22, 
  down = 0xbffff5f4, 
  annotation = 0x0, 
  scopeChain = 0x2b3180, 
  sharpDepth = 0, 
  sharpArray = 0x0, 
  flags = 0, 
  dormantNext = 0x0, 
  xmlNamespace = 0x0, 
  blockChain = 0x0, 
  displaySave = 0x0, 
  pcDisabledSave = 0
}
(gdb) p fp->argv[-1]
$2 = 2740224
(gdb) p/x fp->argv[-1]
$3 = 0x29d000
(gdb) p fp.thisp 
$4 = (JSObject *) 0x29d000
(gdb) p fp.flags
$5 = 0

thisp == argv[-1], but the flag isn't set
Whiteboard: fixed-in-tracemonkey
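To make the invariant behind that DEBUG loop explicit, the following is an added C model of the check, not SpiderMonkey code and not part of this bug report. It encodes the four branches of the assertion (callee absent; flag set and thisp == argv[-1]; flag set and mismatch; flag clear and thisp non-null) and walks a frame chain built from the "p *fp" dump in comment 16. The names Frame, JSObject, classify_this, the bit value chosen for JSFRAME_COMPUTED_THIS, and the contents of the down (global) frame are assumptions; only pointer identity matters, so the real addresses are not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define JSFRAME_COMPUTED_THIS 0x1u   /* assumed bit value; only set/clear matters */

typedef struct { const char *name; } JSObject;   /* stand-in for JSObject */

/* Reduced model of JSStackFrame: only the fields the LeaveTree check reads.
 * argv[-1] is the callee's |this| slot, modelled here as this_slot. */
typedef struct Frame {
    JSObject     *callee;     /* NULL for global/eval frames */
    JSObject     *thisp;      /* cached |this| */
    JSObject     *this_slot;  /* stands in for argv[-1] */
    unsigned      flags;
    struct Frame *down;       /* caller's frame */
} Frame;

enum ThisState {
    THIS_OK,                  /* invariant holds */
    THIS_NO_CALLEE,           /* not a function frame: check does not apply */
    THIS_COMPUTED_NO_FLAG,    /* thisp set but JSFRAME_COMPUTED_THIS clear (comment 16) */
    THIS_FLAG_MISMATCH        /* flag set but thisp != argv[-1] */
};

/* Mirrors JS_ASSERT_IF(fp->callee,
 *   (fp->flags & JSFRAME_COMPUTED_THIS) ? fp->thisp == argv[-1] : !fp->thisp) */
enum ThisState classify_this(const Frame *fp) {
    if (fp->callee == NULL)
        return THIS_NO_CALLEE;
    if (fp->flags & JSFRAME_COMPUTED_THIS)
        return fp->thisp == fp->this_slot ? THIS_OK : THIS_FLAG_MISMATCH;
    return fp->thisp == NULL ? THIS_OK : THIS_COMPUTED_NO_FLAG;
}

bool this_state_consistent(const Frame *fp) {
    enum ThisState s = classify_this(fp);
    return s == THIS_OK || s == THIS_NO_CALLEE;
}

/* Same walk as the DEBUG loop in LeaveTree: first frame that would trip the
 * assertion, or NULL when the whole chain is consistent. */
const Frame *first_inconsistent_frame(const Frame *fp) {
    for (; fp != NULL; fp = fp->down)
        if (!this_state_consistent(fp))
            return fp;
    return NULL;
}

/* Constructed from the dump in comment 16: callee set, thisp and argv[-1] both
 * the global object (0x29d000), flags == 0. The down frame is assumed to be the
 * global script frame, which has no callee and so is exempt from the check. */
static JSObject global_obj   = { "global" };
static JSObject fun_obj      = { "function" };
static Frame    global_frame = { NULL, &global_obj, &global_obj, 0, NULL };
static Frame    dumped_frame = { &fun_obj, &global_obj, &global_obj, 0, &global_frame };

const Frame *comment16_chain(void)  { return &dumped_frame; }
JSObject    *dumped_this_object(void) { return &global_obj; }

/* Re-run the check on a copy of the dumped frame with different flags/thisp,
 * to explore the other branches. */
enum ThisState classify_with(unsigned flags, JSObject *thisp) {
    Frame f = dumped_frame;
    f.flags = flags;
    f.thisp = thisp;
    return classify_this(&f);
}

int main(void) {
    static const char *names[] = {
        "ok", "no callee", "this computed but JSFRAME_COMPUTED_THIS clear",
        "flag set but thisp != argv[-1]"
    };
    const Frame *bad = first_inconsistent_frame(comment16_chain());
    if (bad)
        printf("assertion would fire: %s\n", names[classify_this(bad)]);
    else
        printf("chain consistent\n");
    return 0;
}
```

Run stand-alone, the model reports the same branch the gdb session reached: thisp already equals argv[-1], so the value is right, and it is only the JSFRAME_COMPUTED_THIS flag that is missing. Setting the flag on the same frame makes the check pass, which is why the discussion turns on whether the flag is maintained on the eval/new paths rather than on the value of |this| itself.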
(function() {
  new function (){ for (var x = 0; x < 3; ++x){} };
})();

is a testcase that asserts at Assertion failure: (fp->flags & JSFRAME_COMPUTED_THIS) ? fp->thisp == JSVAL_TO_OBJECT(fp->argv[-1]) : !fp->thisp, at ../jstracer.cpp:4216
(Assignee)

Comment 19

9 years ago
Created attachment 367589 [details] [diff] [review]
fix bogus assertion, v2

Sorry, should not have done the late night untested patch and ok'ed Andreas trying a landing.

/be
Attachment #367554 - Attachment is obsolete: true
Attachment #367589 - Flags: review?(mrbkap)

Updated

9 years ago
Attachment #367589 - Flags: review?(mrbkap) → review+

Comment 20

9 years ago
http://hg.mozilla.org/tracemonkey/rev/2b876ac7541d
Whiteboard: fixed-in-tracemonkey
(Assignee)

Comment 21

9 years ago
Clearing out nit-picks in my mq, so I can refresh upvar2:

http://hg.mozilla.org/tracemonkey/rev/b207ddd44671

/be

Comment 22

9 years ago
http://hg.mozilla.org/mozilla-central/rev/2b876ac7541d
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 23

9 years ago
http://hg.mozilla.org/tracemonkey/rev/4fc08ad56525

/cvsroot/mozilla/js/tests/js1_8/regress/regress-457065-01.js,v  <--  regress-457065-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_8/regress/regress-457065-02.js,v  <--  regress-457065-02.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-457065-03.js,v  <--  regress-457065-03.js
initial revision: 1.1
Flags: in-testsuite+
Verified fixed with testcase in comment 0 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1