Closed
Bug 464334
Opened 16 years ago
Closed 16 years ago
Assertion failure: (size_t) (fp->regs->sp - fp->slots) <= fp->script->nslots, at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:2800
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1
People
(Reporter: smaug, Assigned: igor)
References
Details
(Keywords: testcase, verified1.9.1)
Attachments
(1 file, 1 obsolete file)
|
3.84 KB,
patch
|
igor
:
review+
|
Details | Diff | Splinter Review |
Got the failure while running mochitest.
#0 0x00000032d7097581 in nanosleep () from /lib64/libc.so.6
#1 0x00000032d70973a4 in sleep () from /lib64/libc.so.6
#2 0x00002aaaaaaf4bad in ah_crap_handler (signum=6)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/toolkit/xre/nsSigHandlers.cpp:149
#3 0x00002aaaaaaf576c in nsProfileLock::FatalSignalHandler (signo=6) at nsProfileLock.cpp:216
#4 <signal handler called>
#5 0x00000032d70305c5 in raise () from /lib64/libc.so.6
#6 0x00000032d7032070 in abort () from /lib64/libc.so.6
#7 0x00002aaaaadb0f78 in JS_Assert (s=<value optimized out>, file=<value optimized out>, ln=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsutil.cpp:63
#8 0x00002aaaaad58615 in js_TraceStackFrame (trc=0x7fff1c1d8520, fp=0x89366a0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:2799
#9 0x00002aaaaad58c4e in js_TraceContext (trc=0x7fff1c1d8520, acx=0x216d460)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:2937
#10 0x00002aaaaad58fdd in js_TraceRuntime (trc=0x7fff1c1d8520, allAtoms=1)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:3028
#11 0x00002aaaaad5a254 in js_GC (cx=0x216d460, gckind=GC_LAST_DITCH)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:3418
#12 0x00002aaaaad5b17d in js_NewGCThing (cx=0x216d460, flags=0, nbytes=64)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsgc.cpp:1842
#13 0x00002aaaaad7b39d in js_NewObjectWithGivenProto (cx=0x216d460, clasp=0x2aaaaaff1c80, proto=0xb38da40, parent=0x0,
objectSize=0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:2599
#14 0x00002aaaaad808ef in js_NewObject (cx=0x216d460, clasp=0x2aaaaaff1c80, proto=0xb38da40, parent=0x0, objectSize=0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:2565
#15 0x00002aaaaad80968 in js_PrimitiveToObject (cx=0x216d460, vp=0x7fff1c1d8720)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4870
#16 0x00002aaaaad809de in js_ValueToObject (cx=0x2a35, v=216733348, objp=0x7fff1c1d8750)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4892
#17 0x00002aaaaad80a12 in js_ValueToNonNullObject (cx=0x2a35, v=10805)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4905
#18 0x00002aaaaad5cbba in js_Interpret (cx=0x216d460) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:4208
#19 0x00002aaaaad700cf in js_Invoke (cx=0x216d460, argc=2, vp=0x8936038, flags=0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1324
#20 0x00002aaaaad70522 in js_InternalInvoke (cx=0x216d460, obj=0x4051f00, fval=59205936, flags=0, argc=2, argv=0x695cf90,
rval=0x7fff1c1d8c58) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1381
#21 0x00002aaaaad260ec in JS_CallFunctionValue (cx=0x216d460, obj=0x4051f00, fval=59205936, argc=2, argv=0x695cf90,
rval=0x7fff1c1d8c58) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsapi.cpp:5242
#22 0x00002aaab0b04267 in nsJSContext::CallEventHandler (this=0x216d400, aTarget=<value optimized out>,
aScope=<value optimized out>, aHandler=0x3876930, aargv=0x9a77a68, arv=0x7fff1c1d8dc0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/base/nsJSEnvironment.cpp:1979
#23 0x00002aaab0b1459e in nsGlobalWindow::RunTimeout (this=0x8700f40, aTimeout=0x9a77aa0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/base/nsGlobalWindow.cpp:7674
#24 0x00002aaab0b1876a in nsGlobalWindow::TimerCallback (aTimer=<value optimized out>, aClosure=<value optimized out>)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/src/base/nsGlobalWindow.cpp:8006
#25 0x00002aaaab27f1df in nsTimerImpl::Fire (this=0x9a77b00)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/threads/nsTimerImpl.cpp:420
#26 0x00002aaaab27fcfc in nsTimerEvent::Run (this=0x2aaac07bddd0)
at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/threads/nsTimerImpl.cpp:512
|
Assignee | |
Comment 1•16 years ago
|
||
Is this reproducible?
|
Reporter | |
Comment 2•16 years ago
|
||
Yes, this happens with test_value_storage.html
|
|
Reporter | |
Comment 3•16 years ago
|
||
..at least on 64bit linux / debug build.
|
|
Assignee | |
Updated•16 years ago
|
Assignee: general → igor
|
|
Assignee | |
Comment 4•16 years ago
|
||
This is a regression from bug 462265. The code assumes in few places that the sp register stays within [spbase, spbase+stackDepth] but the JSOP_APPLY violates this when it roots the apply arguments.
Blocks: 462265
|
|
Assignee | |
Comment 5•16 years ago
|
||
Here is a test case to demonstrate the issue in JS shell:
~/m/31-ff/js/src $ cat ~/s/x.js
function g()
{
gc();
}
var a = [];
for (var i = 0; i != 20; ++i)
a.push(i);
g.apply(this, a);
~/m/31-ff/js/src $ ./dbg/js ~/s/x.js
Assertion failure: (size_t) (fp->regs->sp - fp->slots) <= fp->script->nslots, at ../jsgc.cpp:2800
aborted|
|
Reporter | |
Comment 6•16 years ago
|
||
Is this something we should try fix before b2? I've seen some random crashes lately, not sure if it is because of this. At least this make running mochitest a bit difficult.
Flags: blocking1.9.1?
Target Milestone: --- → mozilla1.9.1b2
|
|
Assignee | |
Comment 7•16 years ago
|
||
(In reply to comment #6) > Is this something we should try fix before b2? The assert shows that the stack patching and regs.sp manipulations to expand the apply's array into stack may have unexpected consequences especially for the decompiler. Until we get the clear picture, this should block b2.
|
|
Assignee | |
Comment 8•16 years ago
|
||
AFAICS the assert is harmless. The code does not relies on no longer valid invariant that the current stack depth cannot exceed the static stack depth. So the patch removes the checks for the invariant an adjusts the comments.
Attachment #347772 -
Flags: review?(brendan)
|
||
Updated•16 years ago
|
Attachment #347772 -
Flags: review?(brendan) → review+
|
|
||
Comment 9•16 years ago
|
||
Comment on attachment 347772 [details] [diff] [review] fix v1 >+ * The value comes from a temporary slot that the interpreter >+ * uses for GC roots or when JSOP_APPLY expanded the stack to s/expanded/extended/ >+ * fit the argument array elements. Assume that it is fp->pc s/fp->pc/fp->regs->pc/ r=me with those -- sad to lose assertions, maybe we can get a better (single-allocation) stack and care less. /be
|
|
Assignee | |
Comment 10•16 years ago
|
||
Comment on attachment 347772 [details] [diff] [review] fix v1 Nominating b2: the bug fixes the regression that prevents running mochitests for a debug build.
Attachment #347772 -
Flags: approval1.9.1b2?
|
||
Updated•16 years ago
|
Attachment #347772 -
Flags: approval1.9.1b2? → approval1.9.1b2+
|
|
||
Comment 11•16 years ago
|
||
Comment on attachment 347772 [details] [diff] [review] fix v1 a=beltzner
|
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Target Milestone: mozilla1.9.1b2 → mozilla1.9.1
|
|
Assignee | |
Comment 12•16 years ago
|
||
Here is the patch to land with the comment fixes.
Attachment #347772 -
Attachment is obsolete: true
Attachment #348205 -
Flags: review+
|
|
Assignee | |
Comment 13•16 years ago
|
||
landed - http://hg.mozilla.org/mozilla-central/rev/afce0368f8f0
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 14•16 years ago
|
||
test landed http://hg.mozilla.org/mozilla-central/rev/00b405fe2511 and cvs
Flags: in-testsuite+
Flags: in-litmus-
|
|
||
Updated•16 years ago
|
Keywords: fixed1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•