Closed Bug 462989 Opened 16 years ago Closed 16 years ago

Assertion failed: "need a way to EOT now, since this is trace end"

Categories

(Core :: JavaScript Engine, defect, P1)

x86
macOS
defect

Tracking

()

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: jruderman, Unassigned)

References

()

Details

(4 keywords)

Loading http://www.slate.com/id/2203120/ in mozilla-central triggers:

Assertion failed: "need a way to EOT now, since this is trace end": 0 (/Users/jruderman/central/js/src/nanojit/LIR.cpp:944)
OS Version:      Mac OS X 10.5.5 (9F33)
Report Version:  6

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000002, 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   libmozjs.dylib                	0x0030b0b5 NanoAssertFail() + 7
1   libmozjs.dylib                	0x00301c88 nanojit::ExprFilter::insGuard(nanojit::LOpcode, nanojit::LIns*, nanojit::LIns*) + 196 (LIR.cpp:946)
2   libmozjs.dylib                	0x002ed943 nanojit::LirWriter::insGuard(nanojit::LOpcode, nanojit::LIns*, nanojit::LIns*) + 51 (LIR.h:560)
3   libmozjs.dylib                	0x002d32e5 TraceRecorder::guard(bool, nanojit::LIns*, nanojit::LIns*) + 83 (jstracer.cpp:1890)
4   libmozjs.dylib                	0x002de5cc TraceRecorder::guard(bool, nanojit::LIns*, nanojit::ExitType) + 60 (jstracer.cpp:1898)
5   libmozjs.dylib                	0x002dfacf TraceRecorder::getThis(nanojit::LIns*&) + 149 (jstracer.cpp:4694)
6   libmozjs.dylib                	0x002dfb08 TraceRecorder::record_JSOP_THIS() + 24 (jstracer.cpp:6306)
7
Breakpoint 2, TraceRecorder::record_JSOP_CALLNAME (this=0x1dacf7c0) at /Users/gal/workspace/tracemonkey-repository/js/src/jstracer.cpp:5904
5904	        stack(1, INS_CONSTPTR(NULL));
(gdb) n
5905	        return true;
(gdb) 
5921	}
(gdb) 
js_Interpret (cx=0xf2b400) at /Users/gal/workspace/tracemonkey-repository/js/src/jsinterp.cpp:5224
5224	          BEGIN_CASE(JSOP_CALLNAME)
(gdb) 
5228	            obj = fp->scopeChain;
(gdb) 
5229	            if (JS_LIKELY(OBJ_IS_NATIVE(obj))) {
(gdb) 
5230	                PROPERTY_CACHE_TEST(cx, regs.pc, obj, obj2, entry, atom);
(gdb) 
5231	                if (!atom) {
(gdb) 
5233	                    if (PCVAL_IS_OBJECT(entry->vword)) {
(gdb) 
5234	                        rval = PCVAL_OBJECT_TO_JSVAL(entry->vword);
(gdb) 
5235	                        JS_UNLOCK_OBJ(cx, obj2);
(gdb) 
5285	            PUSH_OPND(rval);
(gdb) 
5286	            if (op == JSOP_CALLNAME)
(gdb) 
5287	                PUSH_OPND(OBJECT_TO_JSVAL(obj));
(gdb) p obj
$3 = (JSObject *) 0x16244280
(gdb)
In JSOP_CALLNAME the tracer stacks a constant NULL, whereas the interpreter stacks a non-null object. This disagreement eventually triggers the assert.
This has to be fixed before b2. Jesse is trying to isolate a test case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b2
http://hg.mozilla.org/tracemonkey/rev/c49d5763882e
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
function a()
{
	"".split(";");
	this.v = true;
}

function b()
{	
  var z = { t: function() { for (var i = 0; i < 5; i++) { a(); } } };
	z.t();
}

b();
Ah nice. Thanks.
Patch that landed looks good to me.

/be
Depends on: 463259
(In reply to comment #8)
> Patch that landed looks good to me.

Missed the problem reported at bug 463259.

/be
http://hg.mozilla.org/mozilla-central/rev/37b3fdbb0f07
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-462989.js,v  <--  regress-462989.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-
verified fixed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081111 Minefield/3.1b2pre and a crash url http://www.slate.com/blogs/blogs/xxfactor/archive/2008/11/06/palin-in-12.aspx?GT1=38001 from my global topsites that crashed also before.

No crash on Testurl -> Verified fixed
Status: RESOLVED → VERIFIED
Keywords: crash
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Keywords: verified1.9.1
Keywords: fixed1.9.1
You need to log in before you can comment on or make changes to this bug.