TM: Crash [@ js_ErrorFromException] or [@ js_Interpret] and "Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp"

VERIFIED FIXED in mozilla1.9.2a1

Status

Core
JavaScript Engine
P2
critical
VERIFIED FIXED
9 years ago
7 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla1.9.2a1
x86
Mac OS X
assertion, crash, testcase, verified1.9.1
Bug Flags:
blocking1.9.1 +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

9 years ago
$ cat a.js 
function a1(){}
a2 = a1;
a3 = a1;
a4 = a1;
c1 = toString;
c2 = toSource;
function foo(code)
{
  (new Function(code))();
  delete toSource;
  delete toString;
  toSource = c2;
  toString = c1;
}
let z;
for (z = 1; z <= 16322; ++z) {
  this.__defineGetter__('functional', function x(){ yield; } );
  foo("this.__defineSetter__('', function(){});");
  foo("for each (y in this);");
}
$ time ./js-dbg-tm-intelmac -j a.js 
Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp:1595
Trace/BPT trap

real    0m27.089s
user    0m22.217s
sys     0m0.448s

===

Bug 476414 introduced this assertion. I reduced Jesse's testcase there to the above 20-liner. The loop for some reason requires 16322 iterations to cause the assertion. This seems to work as expected without -j and also in opt, both with and without -j.
Flags: blocking1.9.1?
(Reporter)

Comment 1

9 years ago
With TRACEMONKEY=verbose,

/snip
fragment 0x25658c:
ENTRY: S0 S0 S0 S0 G0 
recording completed at a.js:9@6 via closeLoop
Looking for compat peer 9@6, from 0x25658c (ip: 0x30208502, hits=4)
checking vm types 0x25658c (ip: 0x30208502): callee0=O/O this0=O/O stack0=O/O stack1=O/O global0=O/O 
entering trace at a.js:9@6, native stack slots: 5 code: 0x257e80
global: object<0x299700:Function> 
stack: callee0=object<0x2f81bb98:Function> this0=object<0x293000:global> stack0=object<0x2f81a9e0:Iterator> stack1=object<0x299700:Function> 
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
Internal error: getting top stack frame on trace.
leaving trace at a.js:9@9, op=nextiter, lr=0x256794, exitType=3, sp=2, calldepth=0, cycles=113333
Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp:1595
Trace/BPT trap

real    11m2.024s
user    2m49.499s
sys     1m36.572s
covered by js1_8/extensions/regress-455973.js
(Reporter)

Comment 3

9 years ago
__proto__.__defineGetter__("", eval);
try {
  (function(){for each (x in [{}, true, {}, true]) function(){}})();
} catch(runError){}
throw x;

crashes TM opt near null at js_ErrorFromException and asserts debug TM identically. I've seen variants that crash this near null at js_Interpret too.
Keywords: crash
Summary: TM: "Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp" → TM: Crash [@ js_ErrorFromException] or [@ js_Interpret] and "Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp"

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2

Comment 4

9 years ago
WFM with TM tip.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 5

9 years ago
(In reply to comment #4)
> WFM with TM tip.

Verifying WFM with testcases in comment #0 and comment #3.
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
(Reporter)

Comment 6

9 years ago
-> Fixed by bug 462027.

See:
https://bugzilla.mozilla.org/show_bug.cgi?id=475144#c9
Resolution: WORKSFORME → FIXED
note to self: js1_8/extensions/regress-455973.js still asserts on tracemonkey. check if bug 476869 will resolve it.
http://hg.mozilla.org/mozilla-central/rev/2c652822ca7c
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-

Updated

9 years ago
Keywords: fixed1.9.1
Verified fixed with testcase in comment 0 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ js_ErrorFromException] [@ js_Interpret]