Closed Bug 462989 Opened 17 years ago Closed 17 years ago

Assertion failed: "need a way to EOT now, since this is trace end"

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: jruderman, Unassigned)

References

(
URL
)

Details

(4 keywords)

Loading http://www.slate.com/id/2203120/ in mozilla-central triggers: Assertion failed: "need a way to EOT now, since this is trace end": 0 (/Users/jruderman/central/js/src/nanojit/LIR.cpp:944)
OS Version: Mac OS X 10.5.5 (9F33) Report Version: 6 Exception Type: EXC_BREAKPOINT (SIGTRAP) Exception Codes: 0x0000000000000002, 0x0000000000000000 Crashed Thread: 0 Thread 0 Crashed: 0 libmozjs.dylib 0x0030b0b5 NanoAssertFail() + 7 1 libmozjs.dylib 0x00301c88 nanojit::ExprFilter::insGuard(nanojit::LOpcode, nanojit::LIns*, nanojit::LIns*) + 196 (LIR.cpp:946) 2 libmozjs.dylib 0x002ed943 nanojit::LirWriter::insGuard(nanojit::LOpcode, nanojit::LIns*, nanojit::LIns*) + 51 (LIR.h:560) 3 libmozjs.dylib 0x002d32e5 TraceRecorder::guard(bool, nanojit::LIns*, nanojit::LIns*) + 83 (jstracer.cpp:1890) 4 libmozjs.dylib 0x002de5cc TraceRecorder::guard(bool, nanojit::LIns*, nanojit::ExitType) + 60 (jstracer.cpp:1898) 5 libmozjs.dylib 0x002dfacf TraceRecorder::getThis(nanojit::LIns*&) + 149 (jstracer.cpp:4694) 6 libmozjs.dylib 0x002dfb08 TraceRecorder::record_JSOP_THIS() + 24 (jstracer.cpp:6306) 7
Breakpoint 2, TraceRecorder::record_JSOP_CALLNAME (this=0x1dacf7c0) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5904 5904 stack(1, INS_CONSTPTR(NULL)); (gdb) n 5905 return true; (gdb) 5921 } (gdb) js_Interpret (cx=0xf2b400) at /Users/gal/workspace/tracemonkey-repository/js/src/jsinterp.cpp:5224 5224 BEGIN_CASE(JSOP_CALLNAME) (gdb) 5228 obj = fp->scopeChain; (gdb) 5229 if (JS_LIKELY(OBJ_IS_NATIVE(obj))) { (gdb) 5230 PROPERTY_CACHE_TEST(cx, regs.pc, obj, obj2, entry, atom); (gdb) 5231 if (!atom) { (gdb) 5233 if (PCVAL_IS_OBJECT(entry->vword)) { (gdb) 5234 rval = PCVAL_OBJECT_TO_JSVAL(entry->vword); (gdb) 5235 JS_UNLOCK_OBJ(cx, obj2); (gdb) 5285 PUSH_OPND(rval); (gdb) 5286 if (op == JSOP_CALLNAME) (gdb) 5287 PUSH_OPND(OBJECT_TO_JSVAL(obj)); (gdb) p obj $3 = (JSObject *) 0x16244280 (gdb)
In JSOP_CALLNAME the tracer stacks a constant NULL, whereas the interpreter stacks a non-null object. This disagreement eventually triggers the assert.
This has to be fixed before b2. Jesse is trying to isolate a test case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b2
http://hg.mozilla.org/tracemonkey/rev/c49d5763882e
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
function a() { "".split(";"); this.v = true; } function b() { var z = { t: function() { for (var i = 0; i < 5; i++) { a(); } } }; z.t(); } b();
Keywords: testcase-wantedtestcase
Ah nice. Thanks.
Patch that landed looks good to me. /be
Depends on: 463259
(In reply to comment #8) > Patch that landed looks good to me. Missed the problem reported at bug 463259. /be
http://hg.mozilla.org/mozilla-central/rev/37b3fdbb0f07 /cvsroot/mozilla/js/tests/js1_5/Regress/regress-462989.js,v <-- regress-462989.js initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081111 Minefield/3.1b2pre and a crash url http://www.slate.com/blogs/blogs/xxfactor/archive/2008/11/06/palin-in-12.aspx?GT1=38001 from my global topsites that crashed also before. No crash on Testurl -> Verified fixed
Status: RESOLVED → VERIFIED
Keywords: crash
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Keywords: verified1.9.1
Keywords: fixed1.9.1
You need to log in before you can comment on or make changes to this bug.