Closed Bug 464096 Opened 16 years ago Closed 15 years ago

TM: "Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp" with gc getter

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: graydon)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

crash log
14.46 KB, text/plain
Details 
for (let f in [1,1]);
Object.prototype.__defineGetter__('x', function() gc());
(function() { for each (let j in [1,1,1,1,1]) { var y = .2; } })();

Assertion failure: tm->recoveryDoublePoolPtr > tm->recoveryDoublePool, at ../jstracer.cpp:1255

tracemonkey branch, with -j
The "interpreter macros" patch seems to fix this.
Depends on: imacros
Or maybe not.  imacros has landed and I'm still seeing this on TM branch.
No longer depends on: imacros
Attached file crash log 
This causes a null crash at NativeToValue in opt.
Nominating blocking1.9.1 though it's not exploitable, but rather because it involves gc.
Flags: blocking1.9.1?
Now asserts:

Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp:1314

See bug 473040.
Summary: TM: "Assertion failure: tm->recoveryDoublePoolPtr > tm->recoveryDoublePool" with gc getter → TM: "Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp" with gc getter
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Confirmed.
Assignee: general → gal
#0  js_GC (cx=0x30b870, gckind=GC_NORMAL) at ../jsgc.cpp:3233
#1  0x0001679f in JS_GC (cx=0x30b870) at ../jsapi.cpp:2487
#2  0x00003c7a in GC (cx=0x30b870, argc=0, vp=0x81a020) at ../js.cpp:997
#3  0x000791e0 in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:4996
#4  0x0008a740 in js_Invoke (cx=0x30b870, argc=0, vp=0x81a018, flags=0) at jsinterp.cpp:1336
#5  0x0008a9f6 in js_InternalInvoke (cx=0x30b870, obj=0x26a200, fval=2557640, flags=0, argc=0, argv=0x0, rval=0xbfffc6dc) at jsinterp.cpp:1393
#6  0x0008ac57 in js_InternalGetOrSet (cx=0x30b870, obj=0x26a200, id=2541132, fval=2557640, mode=JSACC_READ, argc=0, argv=0x0, rval=0xbfffc6dc) at jsinterp.cpp:1454
#7  0x0009ca93 in js_NativeGet (cx=0x30b870, obj=0x26a200, pobj=0x26a020, sprop=0x80fc90, vp=0xbfffc6dc) at ../jsobj.cpp:3732
#8  0x000229fb in array_getProperty (cx=0x30b870, obj=0x26a200, id=2541132, vp=0xbfffc6dc) at ../jsarray.cpp:718
#9  0x0008ca85 in CallEnumeratorNext (cx=0x30b870, iterobj=0x26a220, flags=3, rval=0xbfffc6dc) at ../jsiter.cpp:566
#10 0x0008cb95 in js_CallIteratorNext (cx=0x30b870, iterobj=0x26a220, rval=0xbfffc6dc) at ../jsiter.cpp:600
#11 0x00184a53 in js_FastCallIteratorNext (cx=0x30b870, iterobj=0x26a220) at ../jsbuiltins.cpp:258
#12 0x00243ef7 in ?? ()
#13 0xbfffedb8 in ?? ()
#14 0x0013f773 in js_MonitorLoopEdge (cx=0x30b870, inlineCallCount=@0xbffff260) at ../jstracer.cpp:3817
#15 0x0006462d in js_Interpret (cx=0x30b870) at ../jsinterp.cpp:3097
#16 0x0008923c in js_Execute (cx=0x30b870, chain=0x26a000, script=0x30d890, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1564
#17 0x0001a65e in JS_ExecuteScript (cx=0x30b870, obj=0x26a000, script=0x30d890, rval=0x0) at ../jsapi.cpp:5083
#18 0x000083c5 in Process (cx=0x30b870, obj=0x26a000, filename=0xbffffa1c "x.js", forceTTY=0) at ../js.cpp:377
#19 0x000096bc in ProcessArgs (cx=0x30b870, obj=0x26a000, argv=0xbffff920, argc=2) at ../js.cpp:749
#20 0x0000a88b in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../js.cpp:4321

The interpreter is re-entered from within the iterator. This is a dup of 468782.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
$ ./js-dbg-tm-intelmac -j
js> for (let f in [1,1]);
js> Object.prototype.__defineGetter__('x', function() gc());
js> (function() { for each (let j in [1,1,1,1,1]) { var y = .2; } })();
Assertion failure: !JS_ON_TRACE(cx), at ../jsobj.cpp:3709
Trace/BPT trap

Seems to work as expected in opt.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Assignee: gal → graydon
This no longer triggers on TM branch. Bisected down to confirm suspicions; the fix for bug 462027 (jorenedorff's deepbail / reentrancy patch) took care of this. Closing as that bug is also marked fixed. Reopen if this is a misinterpretation of fixed-ness status (that bug is also currently whiteboard fixed-in-tracemonkey).
Status: REOPENED → RESOLVED
Closed: 16 years ago15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/tracemonkey/rev/2869d0deb81b
/cvsroot/mozilla/js/tests/js1_8/regress/regress-464096.js,v  <--  regress-464096.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: