477351 - Assertion failure: cx->bailExit (from js_ReportAllocationOverflow from js_ConcatStrings)

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Bob Clary [:bc] (inactive)]

bug 462027 regressed this.

<http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5/Regress/regress-3649-n.js;language=type;text/javascript;jit>

browser only.

Assertion failure: cx->bailExit, at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4631
Trace/breakpoint trap

Comment 1

[Robert Sayre]

Jason, any updates here?

Comment 2

[Andreas Gal :gal]

This doesn't assert for me with a fairly recent minefield build. Rebuilding the browser and will test with tip in a sec.

Comment 3

[Bob Clary [:bc] (inactive)]

This may be fixed. I'll bisect and look for the fixor. Another test where this assert appeared (but may be fixed is <http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5%2FGC%2Fregress-319980-01.js;language=type;text/javascript> )

Comment 4

[Jason Orendorff [:jorendorff]]

#0  JS_Assert (s=0xb7f5caf2 "cx->bailExit", file=0xb7f5ada0 "/home/jorendorff/dev/tm-browser/js/src/jstracer.cpp", ln=4640) at /home/jorendorff/dev/tm-browser/js/src/jsutil.cpp:63
#1  0xb7ed3b58 in js_DeepBail (cx=0xb0f23800) at /home/jorendorff/dev/tm-browser/js/src/jstracer.cpp:4640
#2  0xb7dda819 in js_LeaveTrace (cx=0xb0f23800) at /home/jorendorff/dev/tm-browser/js/src/jscntxt.h:1424
#3  0xb7dda830 in js_GetTopStackFrame (cx=0xb0f23800) at /home/jorendorff/dev/tm-browser/js/src/jscntxt.h:1448
#4  0xb7ddbcdc in PopulateReportBlame (cx=0xb0f23800, report=0xbf82d7d0) at /home/jorendorff/dev/tm-browser/js/src/jscntxt.cpp:1004
#5  0xb7ddbfd1 in js_ReportErrorNumberVA (cx=0xb0f23800, flags=0, callback=0xb7dda7a1 <js_GetErrorMessage>, userRef=0x0, errorNumber=6, charArgs=1, ap=0xbf82d860 "????????\230?\202??\r?")
    at /home/jorendorff/dev/tm-browser/js/src/jscntxt.cpp:1296
#6  0xb7db7505 in JS_ReportErrorNumber (cx=0xb0f23800, errorCallback=0xb7dda7a1 <js_GetErrorMessage>, userRef=0x0, errorNumber=6) at /home/jorendorff/dev/tm-browser/js/src/jsapi.cpp:5749
#7  0xb7ddb1ee in js_ReportAllocationOverflow (cx=0xb0f23800) at /home/jorendorff/dev/tm-browser/js/src/jscntxt.cpp:1072
#8  0xb7ea0dee in js_NewString (cx=0xb0f23800, chars=0x2b700000, length=536870912) at /home/jorendorff/dev/tm-browser/js/src/jsstr.cpp:2824
#9  0xb7ea364e in js_ConcatStrings (cx=0xb0f23800, left=0xad5d1868, right=0xad5d1868) at /home/jorendorff/dev/tm-browser/js/src/jsstr.cpp:169
#10 0xad8fbfb0 in ?? ()

Comment 5

[Jason Orendorff [:jorendorff]]

On Mac, the browser hangs instead of asserting; that is, we never get this far.  I'm surprised we ever get this on Linux, to be honest.  But it's definitely a bug.

Comment 6

[Jason Orendorff [:jorendorff]]

Attachment: v1

Comment 7

[Jason Orendorff [:jorendorff]]

With the patch, the first test fails instead of asserting.

I think the expected behavior has changed out from under the test.

Comment 8

[Jason Orendorff [:jorendorff]]

Comment on attachment 363957 [details] [diff] [review]
v1

Second test passes too.

Incidentally, that test may give the impression it's doing a lot of hard work, but mostly it's just sitting around for 45 seconds at a time doing nothing.

Comment 9

[Carsten Book [:Tomcat]]

Attachment: another testcase from pcworld.com.cn

another testcase - i found this during the Topsite Testruns on pcworld.com.cn 

(Jason let me know if i should file another bug for this)

Loading the Testcase cause:

Assertion failure: cx->bailExit, at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
62	    abort();
(gdb) bt
#0  JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
#1  0x0037d78a in js_DeepBail (cx=0x12e1e00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
#2  0x002f0af4 in js_LeaveTrace (cx=0x12e1e00) at jscntxt.h:1418
#3  0x002f0b07 in js_GetTopStackFrame (cx=0x12e1e00) at jscntxt.h:1442
#4  0x002f5520 in InferFlags (cx=0x12e1e00, defaultFlags=65535) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:2090
#5  0x002f7868 in js_LookupPropertyWithFlags (cx=0x12e1e00, obj=0x14df8888, id=8385124, flags=65535, objp=0xbfff9490, propp=0xbfff948c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3624
#6  0x002fbd41 in js_GetPropertyHelper (cx=0x12e1e00, obj=0x14df8888, id=8385124, vp=0xbfff953c, entryp=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3979
#7  0x002fc170 in js_GetProperty (cx=0x12e1e00, obj=0x14df8888, id=8385124, vp=0xbfff953c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4065
#8  0x002fedcd in js_TryMethod (cx=0x12e1e00, obj=0x14df8888, atom=0x7ff264, argc=0, argv=0x0, rval=0xbfff9590) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:5194
#9  0x002fef3e in js_DefaultValue (cx=0x12e1e00, obj=0x14df8888, hint=JSTYPE_STRING, vp=0xbfff9798) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4415
#10 0x00349261 in ArgToRootedString (cx=0x12e1e00, argc=2, vp=0xbfff9798, arg=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:257
#11 0x0035105a in match_or_replace (cx=0x12e1e00, glob=0x352f32 <replace_glob>, destroy=0x34a0ba <replace_destroy>, data=0xbfff96ec, argc=2, vp=0xbfff9790) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1291
#12 0x00352a27 in js_StringReplaceHelper (cx=0x12e1e00, argc=2, lambda=0x0, repstr=0x1494a340, vp=0xbfff9790) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1851
#13 0x00352c85 in String_p_replace_str (cx=0x12e1e00, str=0x1494d9c0, regexp=0x14df8888, repstr=0x1494a340) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1785
#14 0x001a7f74 in ?? ()
#15 0xbfffbe28 in ?? ()
#16 0x003a38e6 in js_MonitorLoopEdge (cx=0x12e1e00, inlineCallCount=@0xbfffc248) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4228
#17 0x002bd88a in js_Interpret (cx=0x12e1e00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3111
#18 0x002e310d in js_Execute (cx=0x12e1e00, chain=0x141de7e0, script=0x1684e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1567
#19 0x0026ec2b in JS_EvaluateUCScriptForPrincipals (cx=0x12e1e00, obj=0x141de7e0, principals=0x1644def4, chars=0x168b008, length=2626, filename=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html", lineno=108, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5249
#20 0x0bbbbe7b in nsJSContext::EvaluateString (this=0x143f6e50, aScript=@0xbfffc884, aScopeObject=0x141de7e0, aPrincipal=0x1644def0, aURL=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html", aLineNo=108, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc804) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1594
#21 0x0b99a70e in nsScriptLoader::EvaluateScript (this=0x1744f3b0, aRequest=0x10a9cbe0, aScript=@0xbfffc884) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#22 0x0b99aade in nsScriptLoader::ProcessRequest (this=0x1744f3b0, aRequest=0x10a9cbe0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#23 0x0b99bd78 in nsScriptLoader::ProcessScriptElement (this=0x1744f3b0, aElement=0x10e00714) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:539
#24 0x0b997508 in nsScriptElement::MaybeProcessScript (this=0x10e00714) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#25 0x0ba6bd47 in nsHTMLScriptElement::MaybeProcessScript (this=0x10e006f0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#26 0x0ba6ae27 in nsHTMLScriptElement::DoneAddingChildren (this=0x10e006f0, aHaveNotified=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#27 0x0ba9ad69 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x14d9000, content=0x10e006f0, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3134
#28 0x0ba9c587 in SinkContext::CloseContainer (this=0x10accbf0, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1023
#29 0x0ba9ca45 in HTMLContentSink::CloseContainer (this=0x14d9000, aTag=eHTMLTag_script) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2389
#30 0x13e56bf8 in CNavDTD::CloseContainer (this=0x10e31740, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2798
#31 0x13e579d8 in CNavDTD::HandleEndToken (this=0x10e31740, aToken=0x167f520) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1677
#32 0x13e5ac44 in CNavDTD::HandleToken (this=0x10e31740, aToken=0x167f520, aParser=0x10a907b0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:761
#33 0x13e53f6a in CNavDTD::BuildModel (this=0x10e31740, aParser=0x10a907b0, aTokenizer=0xf706200, anObserver=0x0, aSink=0x14d9090) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:333
#34 0x13e66a81 in nsParser::BuildModel (this=0x10a907b0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2384
#35 0x13e6ac21 in nsParser::ResumeParse (this=0x10a907b0, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#36 0x13e6a536 in nsParser::OnDataAvailable (this=0x10a907b0, request=0x10a8cf20, aContext=0x0, pIStream=0x10a8d35c, sourceOffset=0, aLength=4811) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2910
#37 0x0cfd7f5f in nsDocumentOpenInfo::OnDataAvailable (this=0x10a8d150, request=0x10a8cf20, aCtxt=0x0, inStr=0x10a8d35c, sourceOffset=0, count=4811) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#38 0x00ca0c44 in nsBaseChannel::OnDataAvailable (this=0x10a8cef0, request=0x10a8d2c0, ctxt=0x0, stream=0x10a8d35c, offset=0, count=4811) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#39 0x00cb44df in nsInputStreamPump::OnStateTransfer (this=0x10a8d2c0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#40 0x00cb4fe8 in nsInputStreamPump::OnInputStreamReady (this=0x10a8d2c0, stream=0x10a8d35c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#41 0x00506adc in nsInputStreamReadyEvent::Run (this=0x10a8d1e0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#42 0x005393ea in nsThread::ProcessNextEvent (this=0x815c70, mayWait=0, result=0xbfffd564) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#43 0x004c2b3a in NS_ProcessPendingEvents_P (thread=0x815c70, timeout=20) at nsThreadUtils.cpp:180
#44 0x09936c41 in nsBaseAppShell::NativeEventCallback (this=0x8355d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#45 0x098eda4a in nsAppShell::ProcessGeckoEvents (aInfo=0x8355d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#46 0x90ffa5f5 in CFRunLoopRunSpecific ()
#47 0x90ffacd8 in CFRunLoopRunInMode ()
#48 0x9356b2c0 in RunCurrentEventLoopInMode ()
#49 0x9356b012 in ReceiveNextEventCommon ()
#50 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#51 0x95a6cd7d in _DPSNextEvent ()
#52 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#53 0x95a6566b in -[NSApplication run] ()
#54 0x098eb97a in nsAppShell::Run (this=0x8355d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#55 0x0a5f23fa in nsAppStartup::Run (this=0x84ef40) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#56 0x000bc198 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#57 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156

Comment 10

[Bob Clary [:bc] (inactive)]

Assertion failure: cx->bailExit now appears in the shell js1_8_1/trace/trace-test.js on 1.9.1 linux.

I've also seen it recently but not consistently at js1_5/Regress/regress-3649-n.js browser tracemonkey on mac, and js1_5/GC/regress-319980-01.js browser 1.9.2 on linux.

Comment 11

[Jason Orendorff [:jorendorff]]

bc, with or without the patch?

Comment 12

[Carsten Book [:Tomcat]]

(In reply to comment #9)
> Created an attachment (id=364055) [details]
> another testcase from pcworld.com.cn

Note: filed Bug 480147 for this problem

Comment 13

[Bob Clary [:bc] (inactive)]

(In reply to comment #11)
> bc, with or without the patch?

without.

Comment 14

[Jason Orendorff [:jorendorff]]

I don't reproduce either crash (comment 9 or comment 10).

http://hg.mozilla.org/tracemonkey/rev/76910d7fce6d

Comment 15

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/76910d7fce6d

Comment 16

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/1372dbdd3d6a

Comment 17

[Bob Clary [:bc] (inactive)]

v 1.9.1, 1.9.2