Closed Bug 480147 Opened 11 years ago Closed 11 years ago

"TM: Assertion failure: cx->bailExit" with string.replace and type instability

Categories

(Core :: JavaScript Engine, defect, P2, critical)

1.9.1 Branch
x86
macOS
defect


VERIFIED FIXED

People

(Reporter: cbook, Assigned: jorendorff)


Details

(5 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 3 obsolete files)

Attached file testcase from pcworld.com.cn (obsolete) —
found during the TopSite Tests on pcworld.com.cn using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090225 Firefox/3.2a1pre TM Debug

Loading the testcase causes:

Assertion failure: cx->bailExit, at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
62        abort();
(gdb) bt
#0  JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
#1  0x0037d78a in js_DeepBail (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
#2  0x002f0af4 in js_LeaveTrace (cx=0x12e1e00) at jscntxt.h:1418
#3  0x002f0b07 in js_GetTopStackFrame (cx=0x12e1e00) at jscntxt.h:1442
#4  0x002f5520 in InferFlags (cx=0x12e1e00, defaultFlags=65535) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:2090
#5  0x002f7868 in js_LookupPropertyWithFlags (cx=0x12e1e00, obj=0x14df8888,
id=8385124, flags=65535, objp=0xbfff9490, propp=0xbfff948c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3624
#6  0x002fbd41 in js_GetPropertyHelper (cx=0x12e1e00, obj=0x14df8888,
id=8385124, vp=0xbfff953c, entryp=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3979
#7  0x002fc170 in js_GetProperty (cx=0x12e1e00, obj=0x14df8888, id=8385124,
vp=0xbfff953c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4065
#8  0x002fedcd in js_TryMethod (cx=0x12e1e00, obj=0x14df8888, atom=0x7ff264,
argc=0, argv=0x0, rval=0xbfff9590) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:5194
#9  0x002fef3e in js_DefaultValue (cx=0x12e1e00, obj=0x14df8888,
hint=JSTYPE_STRING, vp=0xbfff9798) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4415
#10 0x00349261 in ArgToRootedString (cx=0x12e1e00, argc=2, vp=0xbfff9798,
arg=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:257
#11 0x0035105a in match_or_replace (cx=0x12e1e00, glob=0x352f32 <replace_glob>,
destroy=0x34a0ba <replace_destroy>, data=0xbfff96ec, argc=2, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1291
#12 0x00352a27 in js_StringReplaceHelper (cx=0x12e1e00, argc=2, lambda=0x0,
repstr=0x1494a340, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1851
#13 0x00352c85 in String_p_replace_str (cx=0x12e1e00, str=0x1494d9c0,
regexp=0x14df8888, repstr=0x1494a340) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1785
#14 0x001a7f74 in ?? ()
#15 0xbfffbe28 in ?? ()
#16 0x003a38e6 in js_MonitorLoopEdge (cx=0x12e1e00,
inlineCallCount=@0xbfffc248) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4228
#17 0x002bd88a in js_Interpret (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3111
#18 0x002e310d in js_Execute (cx=0x12e1e00, chain=0x141de7e0, script=0x1684e00,
down=0x0, flags=0, result=0x0) at jsinterp.cpp:1567
#19 0x0026ec2b in JS_EvaluateUCScriptForPrincipals (cx=0x12e1e00,
obj=0x141de7e0, principals=0x1644def4, chars=0x168b008, length=2626,
filename=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
lineno=108, rval=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5249
#20 0x0bbbbe7b in nsJSContext::EvaluateString (this=0x143f6e50,
aScript=@0xbfffc884, aScopeObject=0x141de7e0, aPrincipal=0x1644def0,
aURL=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
aLineNo=108, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc804) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1594
#21 0x0b99a70e in nsScriptLoader::EvaluateScript (this=0x1744f3b0,
aRequest=0x10a9cbe0, aScript=@0xbfffc884) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#22 0x0b99aade in nsScriptLoader::ProcessRequest (this=0x1744f3b0,
aRequest=0x10a9cbe0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#23 0x0b99bd78 in nsScriptLoader::ProcessScriptElement (this=0x1744f3b0,
aElement=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:539
#24 0x0b997508 in nsScriptElement::MaybeProcessScript (this=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#25 0x0ba6bd47 in nsHTMLScriptElement::MaybeProcessScript (this=0x10e006f0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#26 0x0ba6ae27 in nsHTMLScriptElement::DoneAddingChildren (this=0x10e006f0,
aHaveNotified=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#27 0x0ba9ad69 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x14d9000,
content=0x10e006f0, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3134
#28 0x0ba9c587 in SinkContext::CloseContainer (this=0x10accbf0,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1023
#29 0x0ba9ca45 in HTMLContentSink::CloseContainer (this=0x14d9000,
aTag=eHTMLTag_script) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2389
#30 0x13e56bf8 in CNavDTD::CloseContainer (this=0x10e31740,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2798
#31 0x13e579d8 in CNavDTD::HandleEndToken (this=0x10e31740, aToken=0x167f520)
at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1677
#32 0x13e5ac44 in CNavDTD::HandleToken (this=0x10e31740, aToken=0x167f520,
aParser=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:761
#33 0x13e53f6a in CNavDTD::BuildModel (this=0x10e31740, aParser=0x10a907b0,
aTokenizer=0xf706200, anObserver=0x0, aSink=0x14d9090) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:333
#34 0x13e66a81 in nsParser::BuildModel (this=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2384
#35 0x13e6ac21 in nsParser::ResumeParse (this=0x10a907b0, allowIteration=1,
aIsFinalChunk=0, aCanInterrupt=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#36 0x13e6a536 in nsParser::OnDataAvailable (this=0x10a907b0,
request=0x10a8cf20, aContext=0x0, pIStream=0x10a8d35c, sourceOffset=0,
aLength=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2910
#37 0x0cfd7f5f in nsDocumentOpenInfo::OnDataAvailable (this=0x10a8d150,
request=0x10a8cf20, aCtxt=0x0, inStr=0x10a8d35c, sourceOffset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#38 0x00ca0c44 in nsBaseChannel::OnDataAvailable (this=0x10a8cef0,
request=0x10a8d2c0, ctxt=0x0, stream=0x10a8d35c, offset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#39 0x00cb44df in nsInputStreamPump::OnStateTransfer (this=0x10a8d2c0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#40 0x00cb4fe8 in nsInputStreamPump::OnInputStreamReady (this=0x10a8d2c0,
stream=0x10a8d35c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#41 0x00506adc in nsInputStreamReadyEvent::Run (this=0x10a8d1e0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#42 0x005393ea in nsThread::ProcessNextEvent (this=0x815c70, mayWait=0,
result=0xbfffd564) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#43 0x004c2b3a in NS_ProcessPendingEvents_P (thread=0x815c70, timeout=20) at
nsThreadUtils.cpp:180
#44 0x09936c41 in nsBaseAppShell::NativeEventCallback (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#45 0x098eda4a in nsAppShell::ProcessGeckoEvents (aInfo=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#46 0x90ffa5f5 in CFRunLoopRunSpecific ()
#47 0x90ffacd8 in CFRunLoopRunInMode ()
#48 0x9356b2c0 in RunCurrentEventLoopInMode ()
#49 0x9356b012 in ReceiveNextEventCommon ()
#50 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#51 0x95a6cd7d in _DPSNextEvent ()
#52 0x95a6c630 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#53 0x95a6566b in -[NSApplication run] ()
#54 0x098eb97a in nsAppShell::Run (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#55 0x0a5f23fa in nsAppStartup::Run (this=0x84ef40) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#56 0x000bc198 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80edf0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#57 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
Flags: blocking1.9.1?
Attached file more reduced testcase (obsolete) —
Attachment #364125 - Attachment is obsolete: true
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Attached file simple shell testcase
Attachment #364143 - Attachment is obsolete: true
Summary: TM: Assertion failure: cx->bailExit during TopSite Run → "TM: Assertion failure: cx->bailExit" with string.replace and type instability
In the testcase in comment 1, the type instability comes from

Object.prototype.extend = function(object) {};

Sticking stuff on Object.prototype doesn't mix well with for..in ;)
(In reply to comment #2)
> Created an attachment (id=365137) [details]
> simple shell testcase

The attached testcase is:

var w = [/a/, /b/, /c/, {}];
for (var i = 0; i < w.length; ++i)
  "".replace(w[i], "");

and this crashes the opt TM js shell at LeaveTree near null, and also asserts with Assertion failure: cx->bailExit, at ../jstracer.cpp:4709
Severity: normal → critical
Keywords: crash
The first bad revision is:
changeset:   24351:435d0fe86a78
user:        Jason Orendorff
date:        Tue Feb 03 18:25:12 2009 -0600
summary:     Bug 462027 - Bail off trace when reentering interpreter. r=gal.

This should be a regression of bug 462027, as hg bisect reveals.
Blocks: deepbail
Yep, string_p_replace needs to be a _FAIL builtin.  Easy fix (and possibly a duplicate?).

P.S. Gary, my understanding of the jargon is that "regression of bug ######" means the same bug reappeared.  This is a regression caused by the fix in bug 462027, not a regression of 462027.

(As it happens, it is actually a reentry bug *revealed* by the fix in 462027, which makes such bugs into crashers!)
Assignee: general → jorendorff
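As an added illustration of the two mechanisms described in comments 2 and 6 (example code, not part of the bug, the testcases or the TraceMonkey patch): for..in over an array picking up an enumerable property added to Object.prototype, so the loop variable is not always a RegExp, and String.prototype.replace converting a non-RegExp pattern with ToString, which runs user-defined JavaScript from inside the builtin. Function names, the reentryLog array and the sample strings are made up for the example.

```javascript
// Added example, not from the bug or the TraceMonkey patch.
// Function names and inputs are invented for illustration.

// Comment 2: an enumerable property on Object.prototype shows up in for..in
// over an array, so arr[k] is not always a RegExp. The property is removed
// again in finally so the pollution does not leak out of the function.
function forInKeysWithPrototypeExtension(arr) {
  Object.prototype.extend = function (object) {};
  try {
    var keys = [];
    for (var k in arr) {
      keys.push(k);
    }
    return keys;
  } finally {
    delete Object.prototype.extend;
  }
}

// Comment 6: a non-RegExp pattern is converted with ToString, which calls a
// user-defined toString() from inside the replace builtin. The tag is
// recorded so a caller can see that user code ran during the builtin.
var reentryLog = [];

function makeReentrantPattern(tag) {
  return {
    toString: function () {
      reentryLog.push(tag);
      return tag;
    }
  };
}

// The index loop from the shell testcase, generalised to return each result
// instead of discarding it.
function runMixedReplace(subject, patterns, replacement) {
  var results = [];
  for (var i = 0; i < patterns.length; ++i) {
    results.push(subject.replace(patterns[i], replacement));
  }
  return results;
}

// Constructed inputs: three RegExps, a plain object, and an object with a
// custom toString, mirroring the type mix that tripped the trace.
var patterns = [/a/, /b/, /c/, {}, makeReentrantPattern("x")];
var results = runMixedReplace("abcx", patterns, "_");
// results: ["_bcx", "a_cx", "ab_x", "abcx", "abc_"]; the {} pattern becomes
// "[object Object]" and matches nothing, the last one matches "x".
var keysSeen = forInKeysWithPrototypeExtension(patterns.slice(0, 4));
// keysSeen: ["0", "1", "2", "3", "extend"], so w[k] for the last key is a
// function, not a RegExp.
```

The fourth and fifth patterns are the interesting ones: both reach replace() as objects that are not RegExps, and the fifth shows that the conversion can run arbitrary JavaScript, which is the reentry that a non-_FAIL traced builtin cannot survive.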
Attached patch v1 (obsolete) —
I was wrong, this doesn't really need to be _FAIL.  It just needs to detect the problem case.

Switching to _FAIL would let us stay on trace here, but I don't think it matters.
Attachment #366427 - Flags: review?(gal)
Comment on attachment 366427 [details] [diff] [review]
v1

>diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
>--- a/js/src/jsstr.cpp
>+++ b/js/src/jsstr.cpp
>@@ -1819,16 +1819,19 @@ str_replace(JSContext *cx, uintN argc, j
> 
>     return js_StringReplaceHelper(cx, argc, lambda, repstr, vp);
> }
> 
> #ifdef JS_TRACER
> static JSString* FASTCALL
> String_p_replace_str(JSContext* cx, JSString* str, JSObject* regexp, JSString* repstr)
> {
>+    if (!regexp || OBJ_GET_CLASS(cx, regexp) != &js_RegExpClass)
>+        return NULL;
>+

Why would regexp be NULL here? We have a special Null type on trace, so this "shouldn't happen (tm)." An assert instead maybe?

>     jsval vp[4] = {
>         JSVAL_NULL, STRING_TO_JSVAL(str), OBJECT_TO_JSVAL(regexp), STRING_TO_JSVAL(repstr)
>     };
>     if (!js_StringReplaceHelper(cx, 2, NULL, repstr, vp))
>         return NULL;
>     JS_ASSERT(JSVAL_IS_STRING(vp[0]));
>     return JSVAL_TO_STRING(vp[0]);
> }
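Review bot: the new early `return NULL` at the top of String_p_replace_str reuses the return value of the failure path a few lines below (`if (!js_StringReplaceHelper(cx, 2, NULL, repstr, vp)) return NULL;`), but the two cases are not the same: the helper path returns NULL with an exception presumably pending, the new class check returns NULL with nothing reported. A one-line comment at the check stating what the caller on trace is expected to do with a NULL from this builtin (treat it as "fall back to the interpreter", not as an error) would keep the two meanings apart for the next reader. On the condition itself, `!regexp ||` only guards the `OBJ_GET_CLASS(cx, regexp)` dereference; if, as gal says, a null object cannot reach this builtin on trace, dropping that half and asserting instead makes the intent explicit rather than silently tolerating an impossible input.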
Attached patch v2
Good point.

We don't assert that a pointer is non-null if we're about to read from it anyway.  So just removing the !regexp check will do here.

I added a one-line comment.
Attachment #366427 - Attachment is obsolete: true
Attachment #366586 - Flags: review?(gal)
Attachment #366427 - Flags: review?(gal)
Attachment #366586 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/5dc226df9ea3
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/5dc226df9ea3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 482958
http://hg.mozilla.org/tracemonkey/rev/74c2e9230e7d
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-480147.js,v  <--  regress-480147.js
initial revision: 1.1
Flags: in-testsuite+
No longer depends on: sisyphus-tracking
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED