Closed Bug 477733 Opened 12 years ago Closed 12 years ago

"Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on sites that use ShareThis

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: jimb)

References

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 1 obsolete file)

Loading http://www.laptopmag.com/advice/how-to/msi-wind-ram.aspx in a debug build triggers:

Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS), at /Users/jruderman/tracemonkey/js/src/jstracer.cpp:3174

This happens on both mozilla-central and tracemonkey branch.

Also happens on http://fuckyoupenguin.blogspot.com/, in case that's easier to debug or reduce.
This looks related to bug 472450, in that traced code must not run when JSFRAME_POP_BLOCKS is set, but it does.  However, the patch applied in comment 14 of that bug addresses the test case given there, so I don't think this bug should be a duplicate of that.

jorendorff suggested a way to come up with another test case that would produce the assert mentioned above.  If his idea works, I'll put the test case here.
Depends on: upvar2
No longer depends on: upvar2
I wonder why this hasn't been nominated for blocking...
Flags: blocking1.9.1?
We need a testcase to make this blocking. Could you try to capture the page and attach it?
I haven't taken the time to make a testcase because this bug is marked as depending on a blocker, which I took to mean "this is likely to be fixed by that other bug".
At this point we shouldn't just hope I'm right that the fix for bug 452498 will fix this bug. If this bug meets the blocker criteria, then it should be marked blocking and be assigned to someone.

/be
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking+, Jesse could you get a test case for this?
Flags: blocking1.9.1? → blocking1.9.1+
#0  JS_Assert (s=0x3f70f0 "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3f62cd "../../../js/src/jstracer.cpp", ln=3168) at ../../../js/src/jsutil.cpp:63
#1  0x0037502d in js_SynthesizeFrame (cx=0x1f17aa00, fi=@0x18a853f4) at ../../../js/src/jstracer.cpp:3168
#2  0x00375d86 in LeaveTree (state=@0xbfffcd98, lr=0x18a856c0) at ../../../js/src/jstracer.cpp:4091
#3  0x00376ac1 in js_ExecuteTree (cx=0x1f17aa00, f=0x18a851e0, inlineCallCount=@0xbfffd268, innermostNestedGuardp=0xbfffce78) at ../../../js/src/jstracer.cpp:3968
#4  0x0039c210 in js_MonitorLoopEdge (cx=0x1f17aa00, inlineCallCount=@0xbfffd268) at ../../../js/src/jstracer.cpp:4270
#5  0x002b63a4 in js_Interpret (cx=0x1f17aa00) at ../../../js/src/jsinterp.cpp:3109
so far i have tried the 2 sites and crashed on the real sites, but were not able to crash on the local copy :/ 

i will see if i can get more examples for this crash from my topsite testruns
All three sites use ShareThis.  Here's a testcase that loads the script in a way that triggers the bug.

sharethis.js is full of code that checks the hostname of the script, so reducing it further is going to be tricky.
Aha, got it.  Reduced testcase soon.
Attachment #362620 - Attachment is obsolete: true
Assignee: general → jim
Attached file another testcase
found this testcase during the topsite testing on http://www.christianitytoday.com/

Stack:
Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS), at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3185

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fcdfc "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3fc064 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=3185) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:63
63	    abort();
(gdb) bt
#0  JS_Assert (s=0x3fcdfc "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3fc064 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=3185) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:63
#1  0x0037c09f in js_SynthesizeFrame (cx=0x12cd400, fi=@0x1ad81c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3185
#2  0x0037cdf6 in LeaveTree (state=@0xbfffc6b8, lr=0x1adaec) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4109
#3  0x0037db31 in js_ExecuteTree (cx=0x12cd400, f=0xfa23560, inlineCallCount=@0xbfffcb88, innermostNestedGuardp=0xbfffc798) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3986
#4  0x003a384c in js_MonitorLoopEdge (cx=0x12cd400, inlineCallCount=@0xbfffcb88) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4288
#5  0x002bd74c in js_Interpret (cx=0x12cd400) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3109
#6  0x002e2fee in js_Execute (cx=0x12cd400, chain=0xf12fd20, script=0x16c0e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1566
#7  0x0026e94b in JS_EvaluateUCScriptForPrincipals (cx=0x12cd400, obj=0xf12fd20, principals=0xfa0dc34, chars=0xf9ed008, length=25022, filename=0xfa04ac8 "http://w.sharethis.com/widget/?tabs=web%2Cpost%2Cemail&charset=utf-8&services=%2Cdigg%2Cstumbleupon%2Cfacebook%2Cmyspace%2Cdelicious%2Ctechnorati%2Cgoogle_bmarks%2Cyahoo_bmarks%2Cyahoo_myweb%2"..., lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5250
#8  0x0ba5cb25 in nsJSContext::EvaluateString (this=0x141f1e60, aScript=@0xfa024d4, aScopeObject=0xf12fd20, aPrincipal=0xfa0dc30, aURL=0xfa04ac8 "http://w.sharethis.com/widget/?tabs=web%2Cpost%2Cemail&charset=utf-8&services=%2Cdigg%2Cstumbleupon%2Cfacebook%2Cmyspace%2Cdelicious%2Ctechnorati%2Cgoogle_bmarks%2Cyahoo_bmarks%2Cyahoo_myweb%2"..., aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffd144) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1595
#9  0x0b83db06 in nsScriptLoader::EvaluateScript (this=0x1627f7d0, aRequest=0xfa024c0, aScript=@0xfa024d4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#10 0x0b83ded6 in nsScriptLoader::ProcessRequest (this=0x1627f7d0, aRequest=0xfa024c0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#11 0x0b83df62 in nsScriptLoader::ProcessPendingRequests (this=0x1627f7d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:724
#12 0x0b83e2b0 in nsScriptLoader::OnStreamComplete (this=0x1627f7d0, aLoader=0xfa01070, aContext=0xfa024c0, aStatus=0, aStringLen=25022, aString=0xf9e5008 "/*\nShareThis Loader Version 2.1.4 RC1\n1/22/09 ShareThis.com\n*/\n\nST_JSON=new function(){this.decode=function(){var filter,result,self,tmp;if($$(\"toString\")){switch(arguments.length){case 2:self=argumen"...) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:911
#13 0x00ce5bf1 in nsStreamLoader::OnStopRequest (this=0xfa01070, request=0xfa04cd0, ctxt=0xfa024c0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp:108
#14 0x00d096bf in nsHTTPCompressConv::OnStopRequest (this=0x173d4e20, request=0xfa04cd0, aContext=0xfa024c0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#15 0x00ce51fe in nsStreamListenerTee::OnStopRequest (this=0xfa16660, request=0xfa04cd0, context=0xfa024c0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:65
#16 0x00d90279 in nsHttpChannel::OnStopRequest (this=0xfa04ca0, request=0xfa06040, ctxt=0x0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:4846
#17 0x00cb21e6 in nsInputStreamPump::OnStateStop (this=0xfa06040) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:576
#18 0x00cb2306 in nsInputStreamPump::OnInputStreamReady (this=0xfa06040, stream=0xfa0544c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:401
#19 0x00506afc in nsInputStreamReadyEvent::Run (this=0xfa12990) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#20 0x0053943e in nsThread::ProcessNextEvent (this=0x815c40, mayWait=0, result=0xbfffd564) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#21 0x004c297a in NS_ProcessPendingEvents_P (thread=0x815c40, timeout=20) at nsThreadUtils.cpp:180
#22 0x099330d9 in nsBaseAppShell::NativeEventCallback (this=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#23 0x098e9b66 in nsAppShell::ProcessGeckoEvents (aInfo=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#24 0x90ffa5f5 in CFRunLoopRunSpecific ()
#25 0x90ffacd8 in CFRunLoopRunInMode ()
#26 0x9356b2c0 in RunCurrentEventLoopInMode ()
#27 0x9356b0d9 in ReceiveNextEventCommon ()
#28 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#29 0x95a6cd7d in _DPSNextEvent ()
#30 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#31 0x95a6566b in -[NSApplication run] ()
#32 0x098e7a96 in nsAppShell::Run (this=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#33 0x0a5ed196 in nsAppStartup::Run (this=0x850180) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#34 0x000befb8 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80f200) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#35 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
I think the fix for bug 481251 will hide this bug; the side exit was being taken because anyArrayProtoHasElement was getting set.  (That might be why it could only be reproduced in scripts embedded in HTML, not in plain JS in the shell.)
Summary: "Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on a few web sites → "Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on sites that use ShareThis
I believe fixing 480132 will make addressing this bug easier.
Depends on: 480132
With the patch from 480132 applied, this works for me.
Does the patch in bug 480132 fix the underlying bug here, or just make this testcase not trigger it?  Or do you not know?
The assert may not have reflected any underlying bug.  The real constraints on the JIT (at present) are:

- The JIT cannot create closure blocks, for use in functions' scope chains.
- The JIT cannot spill local variables into previously-created closure blocks.

The patch in 480132 ensures that we don't JIT code that would make either of these things happen.  This is what the JSFRAME_POP_BLOCKS-related asserts were trying, but failing, to ensure.
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
fixed by:
http://hg.mozilla.org/mozilla-central/rev/74416c7004c5
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
http://hg.mozilla.org/tracemonkey/rev/382e98bf1333

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-477733.js,v  <--  regress-477733.js
initial revision: 1.1
Flags: in-testsuite+
Keywords: fixed1.9.1
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.