Closed
Bug 480147
Opened 16 years ago
Closed 16 years ago
"TM: Assertion failure: cx->bailExit" with string.replace and type instability
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: cbook, Assigned: jorendorff)
References
()
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 3 obsolete files)
|
88 bytes,
text/javascript
|
Details | |
|
821 bytes,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
found during the TopSite Tests on pcworld.com.cn using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090225 Firefox/3.2a1pre TM Debug
Loading the Testcase cause:
Assertion failure: cx->bailExit, at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
62 abort();
(gdb) bt
#0 JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
#1 0x0037d78a in js_DeepBail (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
#2 0x002f0af4 in js_LeaveTrace (cx=0x12e1e00) at jscntxt.h:1418
#3 0x002f0b07 in js_GetTopStackFrame (cx=0x12e1e00) at jscntxt.h:1442
#4 0x002f5520 in InferFlags (cx=0x12e1e00, defaultFlags=65535) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:2090
#5 0x002f7868 in js_LookupPropertyWithFlags (cx=0x12e1e00, obj=0x14df8888,
id=8385124, flags=65535, objp=0xbfff9490, propp=0xbfff948c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3624
#6 0x002fbd41 in js_GetPropertyHelper (cx=0x12e1e00, obj=0x14df8888,
id=8385124, vp=0xbfff953c, entryp=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3979
#7 0x002fc170 in js_GetProperty (cx=0x12e1e00, obj=0x14df8888, id=8385124,
vp=0xbfff953c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4065
#8 0x002fedcd in js_TryMethod (cx=0x12e1e00, obj=0x14df8888, atom=0x7ff264,
argc=0, argv=0x0, rval=0xbfff9590) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:5194
#9 0x002fef3e in js_DefaultValue (cx=0x12e1e00, obj=0x14df8888,
hint=JSTYPE_STRING, vp=0xbfff9798) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4415
#10 0x00349261 in ArgToRootedString (cx=0x12e1e00, argc=2, vp=0xbfff9798,
arg=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:257
#11 0x0035105a in match_or_replace (cx=0x12e1e00, glob=0x352f32 <replace_glob>,
destroy=0x34a0ba <replace_destroy>, data=0xbfff96ec, argc=2, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1291
#12 0x00352a27 in js_StringReplaceHelper (cx=0x12e1e00, argc=2, lambda=0x0,
repstr=0x1494a340, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1851
#13 0x00352c85 in String_p_replace_str (cx=0x12e1e00, str=0x1494d9c0,
regexp=0x14df8888, repstr=0x1494a340) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1785
#14 0x001a7f74 in ?? ()
#15 0xbfffbe28 in ?? ()
#16 0x003a38e6 in js_MonitorLoopEdge (cx=0x12e1e00,
inlineCallCount=@0xbfffc248) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4228
#17 0x002bd88a in js_Interpret (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3111
#18 0x002e310d in js_Execute (cx=0x12e1e00, chain=0x141de7e0, script=0x1684e00,
down=0x0, flags=0, result=0x0) at jsinterp.cpp:1567
#19 0x0026ec2b in JS_EvaluateUCScriptForPrincipals (cx=0x12e1e00,
obj=0x141de7e0, principals=0x1644def4, chars=0x168b008, length=2626,
filename=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
lineno=108, rval=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5249
#20 0x0bbbbe7b in nsJSContext::EvaluateString (this=0x143f6e50,
aScript=@0xbfffc884, aScopeObject=0x141de7e0, aPrincipal=0x1644def0,
aURL=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
aLineNo=108, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc804) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1594
#21 0x0b99a70e in nsScriptLoader::EvaluateScript (this=0x1744f3b0,
aRequest=0x10a9cbe0, aScript=@0xbfffc884) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#22 0x0b99aade in nsScriptLoader::ProcessRequest (this=0x1744f3b0,
aRequest=0x10a9cbe0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#23 0x0b99bd78 in nsScriptLoader::ProcessScriptElement (this=0x1744f3b0,
aElement=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:539
#24 0x0b997508 in nsScriptElement::MaybeProcessScript (this=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#25 0x0ba6bd47 in nsHTMLScriptElement::MaybeProcessScript (this=0x10e006f0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#26 0x0ba6ae27 in nsHTMLScriptElement::DoneAddingChildren (this=0x10e006f0,
aHaveNotified=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#27 0x0ba9ad69 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x14d9000,
content=0x10e006f0, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3134
#28 0x0ba9c587 in SinkContext::CloseContainer (this=0x10accbf0,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1023
#29 0x0ba9ca45 in HTMLContentSink::CloseContainer (this=0x14d9000,
aTag=eHTMLTag_script) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2389
#30 0x13e56bf8 in CNavDTD::CloseContainer (this=0x10e31740,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2798
#31 0x13e579d8 in CNavDTD::HandleEndToken (this=0x10e31740, aToken=0x167f520)
at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1677
#32 0x13e5ac44 in CNavDTD::HandleToken (this=0x10e31740, aToken=0x167f520,
aParser=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:761
#33 0x13e53f6a in CNavDTD::BuildModel (this=0x10e31740, aParser=0x10a907b0,
aTokenizer=0xf706200, anObserver=0x0, aSink=0x14d9090) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:333
#34 0x13e66a81 in nsParser::BuildModel (this=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2384
#35 0x13e6ac21 in nsParser::ResumeParse (this=0x10a907b0, allowIteration=1,
aIsFinalChunk=0, aCanInterrupt=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#36 0x13e6a536 in nsParser::OnDataAvailable (this=0x10a907b0,
request=0x10a8cf20, aContext=0x0, pIStream=0x10a8d35c, sourceOffset=0,
aLength=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2910
#37 0x0cfd7f5f in nsDocumentOpenInfo::OnDataAvailable (this=0x10a8d150,
request=0x10a8cf20, aCtxt=0x0, inStr=0x10a8d35c, sourceOffset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#38 0x00ca0c44 in nsBaseChannel::OnDataAvailable (this=0x10a8cef0,
request=0x10a8d2c0, ctxt=0x0, stream=0x10a8d35c, offset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#39 0x00cb44df in nsInputStreamPump::OnStateTransfer (this=0x10a8d2c0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#40 0x00cb4fe8 in nsInputStreamPump::OnInputStreamReady (this=0x10a8d2c0,
stream=0x10a8d35c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#41 0x00506adc in nsInputStreamReadyEvent::Run (this=0x10a8d1e0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#42 0x005393ea in nsThread::ProcessNextEvent (this=0x815c70, mayWait=0,
result=0xbfffd564) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#43 0x004c2b3a in NS_ProcessPendingEvents_P (thread=0x815c70, timeout=20) at
nsThreadUtils.cpp:180
#44 0x09936c41 in nsBaseAppShell::NativeEventCallback (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#45 0x098eda4a in nsAppShell::ProcessGeckoEvents (aInfo=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#46 0x90ffa5f5 in CFRunLoopRunSpecific ()
#47 0x90ffacd8 in CFRunLoopRunInMode ()
#48 0x9356b2c0 in RunCurrentEventLoopInMode ()
#49 0x9356b012 in ReceiveNextEventCommon ()
#50 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#51 0x95a6cd7d in _DPSNextEvent ()
#52 0x95a6c630 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#53 0x95a6566b in -[NSApplication run] ()
#54 0x098eb97a in nsAppShell::Run (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#55 0x0a5f23fa in nsAppStartup::Run (this=0x84ef40) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#56 0x000bc198 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80edf0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#57 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
Flags: blocking1.9.1?
|
Reporter | |
Comment 1•16 years ago
|
||
Attachment #364125 -
Attachment is obsolete: true
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
|
||
Comment 2•16 years ago
|
||
Attachment #364143 -
Attachment is obsolete: true
|
|
||
Updated•16 years ago
|
Summary: TM: Assertion failure: cx->bailExit during TopSite Run → "TM: Assertion failure: cx->bailExit" with string.replace and type instability
|
|
||
Comment 3•16 years ago
|
||
In the testcase in comment 1, the type instability comes from
Object.prototype.extend = function(object) {};
Sticking stuff on Object.prototype doesn't mix well with for..in ;)
|
||
Comment 4•16 years ago
|
||
(In reply to comment #2)
> Created an attachment (id=365137) [details]
> simple shell testcase
The attached testcase is:
var w = [/a/, /b/, /c/, {}];
for (var i = 0; i < w.length; ++i)
"".replace(w[i], "");
and this crashes opt TM js shell at LeaveTree near null, and also asserts at Assertion failure: cx->bailExit, at ../jstracer.cpp:4709
Severity: normal → critical
Keywords: crash
|
|
||
Comment 5•16 years ago
|
||
The first bad revision is:
changeset: 24351:435d0fe86a78
user: Jason Orendorff
date: Tue Feb 03 18:25:12 2009 -0600
summary: Bug 462027 - Bail off trace when reentering interpreter. r=gal.
This should be a regression of bug 462027, as hg bisect reveals.
Blocks: deepbail
|
Assignee | |
Comment 6•16 years ago
|
||
Yep, string_p_replace needs to be a _FAIL builtin. Easy fix (and possibly a duplicate?).
P.S. Gary, my understanding of the jargon is that "regression of bug ######" means the same bug reappeared. This is a regression caused by the fix in bug 462027, not a regression of 462027.
(As it happens, it is actually a reentry bug *revealed* by the fix in 462027, which makes such bugs into crashers!)
|
|
||
Updated•16 years ago
|
Assignee: general → jorendorff
|
|
Assignee | |
Comment 7•16 years ago
|
||
I was wrong, this doesn't really need to be _FAIL. It just needs to detect the problem case.
Switching to _FAIL would let us stay on trace here, but I don't think it matters.
Attachment #366427 -
Flags: review?(gal)
|
||
Comment 8•16 years ago
|
||
Comment on attachment 366427 [details] [diff] [review]
v1
>diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
>--- a/js/src/jsstr.cpp
>+++ b/js/src/jsstr.cpp
>@@ -1819,16 +1819,19 @@ str_replace(JSContext *cx, uintN argc, j
>
> return js_StringReplaceHelper(cx, argc, lambda, repstr, vp);
> }
>
> #ifdef JS_TRACER
> static JSString* FASTCALL
> String_p_replace_str(JSContext* cx, JSString* str, JSObject* regexp, JSString* repstr)
> {
>+ if (!regexp || OBJ_GET_CLASS(cx, regexp) != &js_RegExpClass)
>+ return NULL;
>+
Why would regexp be NULL here? We have a special Null type on trace, so this "shouldn't happen (tm)." An assert instead maybe?
> jsval vp[4] = {
> JSVAL_NULL, STRING_TO_JSVAL(str), OBJECT_TO_JSVAL(regexp), STRING_TO_JSVAL(repstr)
> };
> if (!js_StringReplaceHelper(cx, 2, NULL, repstr, vp))
> return NULL;
> JS_ASSERT(JSVAL_IS_STRING(vp[0]));
> return JSVAL_TO_STRING(vp[0]);
> }
|
|
Assignee | |
Comment 9•16 years ago
|
||
Good point.
We don't assert that a pointer is non-null if we're about to read from it anyway. So just removing the !regexp check will do here.
I added a one-line comment.
Attachment #366427 -
Attachment is obsolete: true
Attachment #366586 -
Flags: review?(gal)
Attachment #366427 -
Flags: review?(gal)
|
|
||
Updated•16 years ago
|
Attachment #366586 -
Flags: review?(gal) → review+
|
|
Assignee | |
Comment 10•16 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 11•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Comment 12•16 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/74c2e9230e7d
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-480147.js,v <-- regress-480147.js
initial revision: 1.1
Flags: in-testsuite+
|
|
||
Comment 13•16 years ago
|
||
Keywords: fixed1.9.1
|
|
Reporter | |
Updated•16 years ago
|
Blocks: sisyphus-tracking
No longer depends on: sisyphus-tracking
|
|
||
Comment 14•16 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•