TM: "Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp" with gczeal, proto, iterator

Status: VERIFIED FIXED

Core :: JavaScript Engine
Priority: P2, Severity: critical
Reported: 9 years ago, Modified: 9 years ago

People: Reporter: gkw, Assigned: gal

Tracking: Blocks: 1 bug; Keywords: assertion, testcase, verified1.9.1
Version: Trunk
Platform: x86, Mac OS X
Points: ---
Bug Flags: blocking1.9.1 +, in-testsuite +, in-litmus -
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: fixed-in-tracemonkey

Attachments: 1 attachment, 1 obsolete attachment

(Reporter)

Description

9 years ago
function f()
{
  (new Function("gczeal(1); for each (let y in [/x/,'',new Boolean(false),new Boolean(false),new Boolean(false),'',/x/,new Boolean(false),new Boolean(false)]){}"))();
}
__proto__.__iterator__ = this.__defineGetter__("", function(){})
f();

Bug 462027 didn't seemingly fix this one. This seems to work as expected in TM opt (I never tested when gczeal is enabled in opt) but asserts in TM debug at Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp:1595

===

/snip
    0x258f48  [epilogue]                     
              mov esp,ebp                    
              pop ebp                        
              pop ebp                        
              pop ebx                        
              pop esi                        
              pop edi                        
              ret                            
patching jump at 0x2baffb to target 0x258ead (was 0x258ff8)

Joining type-stable trace to target exit 0x259004->0x259330.
fragment 0x259004:
ENTRY: S0 S5 S4 S0 S0 
fragment 0x259370:
ENTRY: S0 S5 S0 S0 S0 
recording completed at typein:3@67 via closeLoop
Looking for compat peer 3@67, from 0x259004 (ip: 0x30ea33, hits=3)
checking vm types 0x259004 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/S string != tag0
checking vm types 0x259370 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/O stack1=O/O stack2=O/O 
entering trace at typein:3@67, native stack slots: 7 code: 0x258ea0
stack: callee0=object<0x29aab8:Function> this0=stack0=object<0x294360:Boolean> stack1=object<0x294420:Iterator> stack2=object<0x294380:Boolean> 
leaving trace at typein:3@70, op=nextiter, lr=0x2595d8, exitType=9, sp=3, calldepth=0, cycles=41987

callee0=object<0x29aab8:Function> this0=null<0x0> stack0=object<0x294380:Boolean> stack1=object<0x294420:Iterator> stack2=box<10> 
Looking for compat peer 3@67, from 0x259004 (ip: 0x30ea33, hits=3)
checking vm types 0x259004 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/S string != tag0
checking vm types 0x259370 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/O stack1=O/O stack2=O/O 
entering trace at typein:3@67, native stack slots: 7 code: 0x258ea0
Bus error
Flags: blocking1.9.1?
Blocks, though shaver believes it's already fixed on t-m
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Gary was testing TM after the bug 469027 patch landed, and in comment 0 he said opt seemed to work but debug asserted. So something's up still.

/be
(Assignee)

Updated

9 years ago
Assignee: general → gal
(Assignee)

Comment 3

9 years ago
Working on this bug. Will have an update soon.
(Reporter)

Comment 4

9 years ago
(In reply to comment #2)
> Gary was testing TM after the bug 469027 patch landed, and in comment 0 he said
> opt seemed to work but debug asserted. So something's up still.

Yes, Brendan's right. I re-tested (again) with TM tip, and I still assert with debug TM.

Verbose output changed slightly:

===
/snip
Joining type-stable trace to target exit 0x259004->0x259330.
fragment 0x259004:
ENTRY: S0 S5 S4 S0 S0 
fragment 0x259370:
ENTRY: S0 S5 S0 S0 S0 
recording completed at typein:3@67 via closeLoop
Looking for compat peer 3@67, from 0x259004 (ip: 0x30ea33, hits=3)
checking vm types 0x259004 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/S string != tag0
checking vm types 0x259370 (ip: 0x30ea33): callee0=O/O this0=O/N stack0=O/O stack1=O/O stack2=O/O 
entering trace at typein:3@67, native stack slots: 7 code: 0x258ea0
stack: callee0=object<0x29aab8:Function> this0=stack0=object<0x294360:Boolean> stack1=object<0x294420:Iterator> stack2=object<0x294380:Boolean> 
leaving trace at typein:3@70, op=nextiter, lr=0x2595d8, exitType=9, sp=3, calldepth=0, cycles=27599

Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp:1584
Trace/BPT trap
(Assignee)

Comment 5

9 years ago
(gdb) r -j x.js
Starting program: /Users/gal/workspace/tracemonkey-repository/js/src/Darwin_DBG.OBJ/js -j x.js
Reading symbols for shared libraries +++++....................................................................... done
Assertion failure: v != JSVAL_ERROR_COOKIE, at ../jstracer.cpp:1586

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x1a7872 "v != JSVAL_ERROR_COOKIE", file=0x1a629c "../jstracer.cpp", ln=1586) at ../jsutil.cpp:63
63	    abort();
(gdb) bt
#0  JS_Assert (s=0x1a7872 "v != JSVAL_ERROR_COOKIE", file=0x1a629c "../jstracer.cpp", ln=1586) at ../jsutil.cpp:63
#1  0x001252cb in NativeToValue (cx=0x30bc80, v=@0x81473c, type=3 '\003', slot=0xbfffcca8) at ../jstracer.cpp:1586
#2  0x00125829 in FlushNativeStackFrame (cx=0x30bc80, callDepth=0, mp=0x26260c "\003", np=0xbfffcca8, stopFrame=0x0) at ../jstracer.cpp:1667
#3  0x0012669a in LeaveTree (state=@0xbfffed88, lr=0x2625d8) at ../jstracer.cpp:4167
#4  0x00126f27 in js_ExecuteTree (cx=0x30bc80, f=0x262370, inlineCallCount=@0xbffff2a0, innermostNestedGuardp=0xbfffee68) at ../jstracer.cpp:3975
#5  0x0014b641 in js_MonitorLoopEdge (cx=0x30bc80, inlineCallCount=@0xbffff2a0) at ../jstracer.cpp:4270
#6  0x000691dc in js_Interpret (cx=0x30bc80) at ../jsinterp.cpp:3108
#7  0x0008fe7e in js_Execute (cx=0x30bc80, chain=0x29d000, script=0x30dc90, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1565
#8  0x00010cfc in JS_ExecuteScript (cx=0x30bc80, obj=0x29d000, script=0x30dc90, rval=0x0) at ../jsapi.cpp:5150
#9  0x000096b8 in Process (cx=0x30bc80, obj=0x29d000, filename=0xbffffa1c "x.js", forceTTY=0) at ../../shell/js.cpp:407
#10 0x0000a32a in ProcessArgs (cx=0x30bc80, obj=0x29d000, argv=0xbffff920, argc=2) at ../../shell/js.cpp:791
#11 0x0000a5c6 in main (argc=2, argv=0xbffff920, envp=0xbffff92c) at ../../shell/js.cpp:4558
(gdb) up
#1  0x001252cb in NativeToValue (cx=0x30bc80, v=@0x81473c, type=3 '\003', slot=0xbfffcca8) at ../jstracer.cpp:1586
1586	        JS_ASSERT(v != JSVAL_ERROR_COOKIE); /* don't leak JSVAL_ERROR_COOKIE */
(gdb) list
1581	        JS_ASSERT(JSVAL_TAG(v) == JSVAL_STRING); /* if this fails the pointer was not aligned */
1582	        debug_only_v(printf("string<%p> ", *(JSString**)slot);)
1583	        break;
1584	      case JSVAL_BOXED:
1585	        v = *(jsval*)slot;
1586	        JS_ASSERT(v != JSVAL_ERROR_COOKIE); /* don't leak JSVAL_ERROR_COOKIE */
1587	        debug_only_v(printf("box<%lx> ", v));
1588	        break;
1589	      case JSVAL_TNULL:
1590	        JS_ASSERT(*(JSObject**)slot == NULL);
(gdb) up
#2  0x00125829 in FlushNativeStackFrame (cx=0x30bc80, callDepth=0, mp=0x26260c "\003", np=0xbfffcca8, stopFrame=0x0) at ../jstracer.cpp:1667
1667	    FORALL_SLOTS_IN_PENDING_FRAMES(cx, callDepth,
(gdb) up
#3  0x0012669a in LeaveTree (state=@0xbfffed88, lr=0x2625d8) at ../jstracer.cpp:4167
4167	                              stack, NULL);
(gdb) p bs
$1 = 2
(gdb) p bailed
$2 = false
(gdb) 

We are coming out of a gczeal-induced out-of-memory failure in CallIteratorNext_tn and try to write back the return value of CallIteratorNext_tn, which is JSVAL_ERROR_COOKIE in the error case. That somehow escapes to the stack. We should not ever write JSVAL_ERROR_COOKIE to the stack. I made it assert now. Need a little help from jorendorff to proceed further.
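The write-back failure described in comment 5, as an added C model that is not TraceMonkey's code: a native that fails under an allocation failure returns the in-band sentinel JSVAL_ERROR_COOKIE, an unguarded FlushNativeStackFrame-style copy leaks that sentinel onto the interpreter stack as if it were a boxed value, and the guarded copy refuses to write anything and reports a bail instead. Everything except the names JSVAL_ERROR_COOKIE and CallIteratorNext_tn, including both bit patterns, is an assumption of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model, not TraceMonkey's code. A jsval is a tagged word; the engine
 * reserves one word, JSVAL_ERROR_COOKIE, as an in-band "native call failed"
 * signal. Both bit patterns below are assumptions made for this model. */
typedef uintptr_t jsval;
#define JSVAL_ERROR_COOKIE ((jsval)0xdeadbeefUL)
#define BOXED_TRUE         ((jsval)0x06)
enum { FLUSH_OK = 0, FLUSH_BAILED = -1 };
/* Stand-in for CallIteratorNext_tn: under a gczeal-style allocation failure
 * the native returns the cookie instead of a value. */
jsval call_iterator_next_tn(bool alloc_failed)
{
    return alloc_failed ? JSVAL_ERROR_COOKIE : BOXED_TRUE;
}
/* Failure mode from comment 5: boxed native slots are copied straight to the
 * interpreter stack, so a cookie left in a slot escapes as if it were a value. */
int flush_native_stack_frame_buggy(const jsval *native, jsval *stack, size_t n)
{
    memcpy(stack, native, n * sizeof *stack);
    return FLUSH_OK;
}
/* Guarded write-back: the cookie is an error, never data. Copy nothing and
 * report a bail so the caller unwinds with the pending error instead. */
int flush_native_stack_frame_guarded(const jsval *native, jsval *stack, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (native[i] == JSVAL_ERROR_COOKIE)
            return FLUSH_BAILED;            /* don't leak JSVAL_ERROR_COOKIE */
    memcpy(stack, native, n * sizeof *stack);
    return FLUSH_OK;
}
bool stack_has_cookie(const jsval *stack, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (stack[i] == JSVAL_ERROR_COOKIE) return true;
    return false;
}
int main(void)
{
    jsval native[3] = { BOXED_TRUE, BOXED_TRUE, call_iterator_next_tn(true) };
    jsval stack[3] = { 0 };
    flush_native_stack_frame_buggy(native, stack, 3);
    printf("buggy flush: cookie on stack = %d\n", stack_has_cookie(stack, 3));
    jsval clean[3] = { 0 };  /* guarded flush must leave this untouched */
    int rc = flush_native_stack_frame_guarded(native, clean, 3);
    printf("guarded flush: rc = %d, cookie on stack = %d\n", rc, stack_has_cookie(clean, 3));
    return 0;
}
```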
(Assignee)

Comment 6

9 years ago
I think P2 is fine for now but will try to fix for b3.
(Assignee)

Comment 7

9 years ago
Created attachment 360800 [details] [diff] [review]
Fall off trace if we can instead of aborting when trying to GC.
Attachment #360800 - Flags: review?(jorendorff)
Attachment #360800 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 8

9 years ago
Pushed to TM.

http://hg.mozilla.org/tracemonkey/rev/21494181fdb8
Whiteboard: fixed-in-tracemonkey
(Assignee)

Comment 9

9 years ago
Created attachment 360932 [details] [diff] [review]
v2, don't refer to cx->bailExit if JS_TRACER is not defined
Attachment #360800 - Attachment is obsolete: true
(Assignee)

Updated

9 years ago
Attachment #360932 - Flags: review?(jorendorff)
Attachment #360932 - Flags: review?(jorendorff) → review+
Comment on attachment 360932 [details] [diff] [review]
v2, don't refer to cx->bailExit if JS_TRACER is not defined

r+ with the different wording for js_CanLeaveTrace you posted on IRC.

Comment 12

9 years ago
http://hg.mozilla.org/mozilla-central/rev/554a9c54c00c
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 13

9 years ago
http://hg.mozilla.org/mozilla-central/rev/97784e410188
Flags: in-testsuite+
Flags: in-litmus-

Comment 15

9 years ago
js1_8/extensions/regress-476869.js
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1