Closed
Bug 477733
Opened 16 years ago
Closed 16 years ago
"Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on sites that use ShareThis
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: jimb)
References
Details
(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 1 obsolete file)
Loading http://www.laptopmag.com/advice/how-to/msi-wind-ram.aspx in a debug build triggers:
Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS), at /Users/jruderman/tracemonkey/js/src/jstracer.cpp:3174
This happens on both mozilla-central and tracemonkey branch.
Also happens on http://fuckyoupenguin.blogspot.com/, in case that's easier to debug or reduce.
|
||
Comment 1•16 years ago
|
||
Possibly related to this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=472450
|
Assignee | |
Comment 2•16 years ago
|
||
This looks related to bug 472450, in that traced code must not run when JSFRAME_POP_BLOCKS is set, but it does. However, the patch applied in comment 14 of that bug addresses the test case given there, so I don't think this bug should be a duplicate of that.
jorendorff suggested a way to come up with another test case that would produce the assert mentioned above. If his idea works, I'll put the test case here.
I see this 100% of the time at http://bit.ly/12tLBD
I wonder why this hasn't been nominated for blocking...
Flags: blocking1.9.1?
|
|
||
Comment 5•16 years ago
|
||
We need a testcase to make this blocking. Could you try to capture the page and attach it?
|
Reporter | |
Comment 6•16 years ago
|
||
I haven't taken the time to make a testcase because this bug is marked as depending on a blocker, which I took to mean "this is likely to be fixed by that other bug".
|
||
Comment 7•16 years ago
|
||
At this point we shouldn't just hope I'm right that the fix for bug 452498 will fix this bug. If this bug meets the blocker criteria, then it should be marked blocking and be assigned to someone.
/be
|
|
||
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 8•16 years ago
|
||
blocking+, Jesse could you get a test case for this?
Flags: blocking1.9.1? → blocking1.9.1+
|
|
||
Comment 9•16 years ago
|
||
#0 JS_Assert (s=0x3f70f0 "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3f62cd "../../../js/src/jstracer.cpp", ln=3168) at ../../../js/src/jsutil.cpp:63
#1 0x0037502d in js_SynthesizeFrame (cx=0x1f17aa00, fi=@0x18a853f4) at ../../../js/src/jstracer.cpp:3168
#2 0x00375d86 in LeaveTree (state=@0xbfffcd98, lr=0x18a856c0) at ../../../js/src/jstracer.cpp:4091
#3 0x00376ac1 in js_ExecuteTree (cx=0x1f17aa00, f=0x18a851e0, inlineCallCount=@0xbfffd268, innermostNestedGuardp=0xbfffce78) at ../../../js/src/jstracer.cpp:3968
#4 0x0039c210 in js_MonitorLoopEdge (cx=0x1f17aa00, inlineCallCount=@0xbfffd268) at ../../../js/src/jstracer.cpp:4270
#5 0x002b63a4 in js_Interpret (cx=0x1f17aa00) at ../../../js/src/jsinterp.cpp:3109
|
||
Comment 10•16 years ago
|
||
so far i have tried the 2 sites and crashed on the real sites, but were not able to crash on the local copy :/
i will see if i can get more examples for this crash from my topsite testruns
|
|
Reporter | |
Comment 11•16 years ago
|
||
All three sites use ShareThis. Here's a testcase that loads the script in a way that triggers the bug.
sharethis.js is full of code that checks the hostname of the script, so reducing it further is going to be tricky.
|
|
Reporter | |
Comment 12•16 years ago
|
||
Aha, got it. Reduced testcase soon.
|
|
Reporter | |
Comment 13•16 years ago
|
||
Attachment #362620 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•16 years ago
|
Assignee: general → jim
|
||
Updated•16 years ago
|
Keywords: testcase-wanted → testcase
|
|
||
Comment 14•16 years ago
|
||
found this testcase during the topsite testing on http://www.christianitytoday.com/
Stack:
Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS), at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3185
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fcdfc "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3fc064 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=3185) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:63
63 abort();
(gdb) bt
#0 JS_Assert (s=0x3fcdfc "!(fp->flags & JSFRAME_POP_BLOCKS)", file=0x3fc064 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=3185) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:63
#1 0x0037c09f in js_SynthesizeFrame (cx=0x12cd400, fi=@0x1ad81c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3185
#2 0x0037cdf6 in LeaveTree (state=@0xbfffc6b8, lr=0x1adaec) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4109
#3 0x0037db31 in js_ExecuteTree (cx=0x12cd400, f=0xfa23560, inlineCallCount=@0xbfffcb88, innermostNestedGuardp=0xbfffc798) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:3986
#4 0x003a384c in js_MonitorLoopEdge (cx=0x12cd400, inlineCallCount=@0xbfffcb88) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4288
#5 0x002bd74c in js_Interpret (cx=0x12cd400) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3109
#6 0x002e2fee in js_Execute (cx=0x12cd400, chain=0xf12fd20, script=0x16c0e00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1566
#7 0x0026e94b in JS_EvaluateUCScriptForPrincipals (cx=0x12cd400, obj=0xf12fd20, principals=0xfa0dc34, chars=0xf9ed008, length=25022, filename=0xfa04ac8 "http://w.sharethis.com/widget/?tabs=web%2Cpost%2Cemail&charset=utf-8&services=%2Cdigg%2Cstumbleupon%2Cfacebook%2Cmyspace%2Cdelicious%2Ctechnorati%2Cgoogle_bmarks%2Cyahoo_bmarks%2Cyahoo_myweb%2"..., lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5250
#8 0x0ba5cb25 in nsJSContext::EvaluateString (this=0x141f1e60, aScript=@0xfa024d4, aScopeObject=0xf12fd20, aPrincipal=0xfa0dc30, aURL=0xfa04ac8 "http://w.sharethis.com/widget/?tabs=web%2Cpost%2Cemail&charset=utf-8&services=%2Cdigg%2Cstumbleupon%2Cfacebook%2Cmyspace%2Cdelicious%2Ctechnorati%2Cgoogle_bmarks%2Cyahoo_bmarks%2Cyahoo_myweb%2"..., aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffd144) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1595
#9 0x0b83db06 in nsScriptLoader::EvaluateScript (this=0x1627f7d0, aRequest=0xfa024c0, aScript=@0xfa024d4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#10 0x0b83ded6 in nsScriptLoader::ProcessRequest (this=0x1627f7d0, aRequest=0xfa024c0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#11 0x0b83df62 in nsScriptLoader::ProcessPendingRequests (this=0x1627f7d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:724
#12 0x0b83e2b0 in nsScriptLoader::OnStreamComplete (this=0x1627f7d0, aLoader=0xfa01070, aContext=0xfa024c0, aStatus=0, aStringLen=25022, aString=0xf9e5008 "/*\nShareThis Loader Version 2.1.4 RC1\n1/22/09 ShareThis.com\n*/\n\nST_JSON=new function(){this.decode=function(){var filter,result,self,tmp;if($$(\"toString\")){switch(arguments.length){case 2:self=argumen"...) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:911
#13 0x00ce5bf1 in nsStreamLoader::OnStopRequest (this=0xfa01070, request=0xfa04cd0, ctxt=0xfa024c0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp:108
#14 0x00d096bf in nsHTTPCompressConv::OnStopRequest (this=0x173d4e20, request=0xfa04cd0, aContext=0xfa024c0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#15 0x00ce51fe in nsStreamListenerTee::OnStopRequest (this=0xfa16660, request=0xfa04cd0, context=0xfa024c0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:65
#16 0x00d90279 in nsHttpChannel::OnStopRequest (this=0xfa04ca0, request=0xfa06040, ctxt=0x0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:4846
#17 0x00cb21e6 in nsInputStreamPump::OnStateStop (this=0xfa06040) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:576
#18 0x00cb2306 in nsInputStreamPump::OnInputStreamReady (this=0xfa06040, stream=0xfa0544c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:401
#19 0x00506afc in nsInputStreamReadyEvent::Run (this=0xfa12990) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#20 0x0053943e in nsThread::ProcessNextEvent (this=0x815c40, mayWait=0, result=0xbfffd564) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#21 0x004c297a in NS_ProcessPendingEvents_P (thread=0x815c40, timeout=20) at nsThreadUtils.cpp:180
#22 0x099330d9 in nsBaseAppShell::NativeEventCallback (this=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#23 0x098e9b66 in nsAppShell::ProcessGeckoEvents (aInfo=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#24 0x90ffa5f5 in CFRunLoopRunSpecific ()
#25 0x90ffacd8 in CFRunLoopRunInMode ()
#26 0x9356b2c0 in RunCurrentEventLoopInMode ()
#27 0x9356b0d9 in ReceiveNextEventCommon ()
#28 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#29 0x95a6cd7d in _DPSNextEvent ()
#30 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#31 0x95a6566b in -[NSApplication run] ()
#32 0x098e7a96 in nsAppShell::Run (this=0x8353a0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#33 0x0a5ed196 in nsAppStartup::Run (this=0x850180) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#34 0x000befb8 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80f200) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#35 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
|
|
Assignee | |
Comment 15•16 years ago
|
||
I think the fix for bug 481251 will hide this bug; the side exit was being taken because anyArrayProtoHasElement was getting set. (That might be why it could only be reproduced in scripts embedded in HTML, not in plain JS in the shell.)
|
|
||
Comment 16•16 years ago
|
||
Still happens on http://fuckyoupenguin.blogspot.com/
|
|
Reporter | |
Updated•16 years ago
|
Summary: "Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on a few web sites → "Assertion failure: !(fp->flags & JSFRAME_POP_BLOCKS)" on sites that use ShareThis
|
|
Assignee | |
Comment 17•16 years ago
|
||
I believe fixing 480132 will make addressing this bug easier.
Depends on: 480132
|
|
Assignee | |
Comment 18•16 years ago
|
||
With the patch from 480132 applied, this works for me.
|
|
Reporter | |
Comment 19•16 years ago
|
||
Does the patch in bug 480132 fix the underlying bug here, or just make this testcase not trigger it? Or do you not know?
|
|
Assignee | |
Comment 20•16 years ago
|
||
The assert may not have reflected any underlying bug. The real constraints on the JIT (at present) are:
- The JIT cannot create closure blocks, for use in functions' scope chains.
- The JIT cannot spill local variables into previously-created closure blocks.
The patch in 480132 ensures that we don't JIT code that would make either of these things happen. This is what the JSFRAME_POP_BLOCKS-related asserts were trying, but failing, to ensure.
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 21•16 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 22•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/382e98bf1333
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-477733.js,v <-- regress-477733.js
initial revision: 1.1
Flags: in-testsuite+
|
|
||
Updated•16 years ago
|
Keywords: fixed1.9.1
|
|
||
Comment 23•16 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•