Closed
Bug 488734
Opened 16 years ago
Closed 16 years ago
TM: Assertion failure: scope->shape == PCVCAP_SHAPE(entry->vcap), at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7478
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: cbook, Unassigned)
References
()
Details
(4 keywords)
Attachments
(2 files)
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090416 Firefox/3.6a1pre
found during the topsite tests with the latest TM Build. Seems to be a regression because does not happen with builds 2 days old.
Steps to reproduce:
Just load a major site like gmx.net
--> Assertion failure
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69 abort();
(gdb) bt
#0 JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1 0x003adb79 in TraceRecorder::record_SetPropMiss (this=0xff72f90, entry=0x6eab58) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7478
#2 0x002dd69a in js_Interpret (cx=0xb37c00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:4803
#3 0x002f26f3 in js_Execute (cx=0xb37c00, chain=0x1485c6a0, script=0xf98a00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1632
#4 0x00276bd5 in JS_EvaluateUCScriptForPrincipals (cx=0xb37c00, obj=0x1485c6a0, principals=0x16bbcec4, chars=0xfe9a008, length=50516, filename=0xff79438 "http://js.ui-portal.de/gmx/home/js/20090331/prototype.js", lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5154
#5 0x0bb4aa51 in nsJSContext::EvaluateString (this=0x136ea350, aScript=@0xff794c4, aScopeObject=0x1485c6a0, aPrincipal=0x16bbcec0, aURL=0xff79438 "http://js.ui-portal.de/gmx/home/js/20090331/prototype.js", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffd0c4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:1603
#6 0x0b924b34 in nsScriptLoader::EvaluateScript (this=0x16bbe6e0, aRequest=0xff794b0, aScript=@0xff794c4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:686
#7 0x0b924f04 in nsScriptLoader::ProcessRequest (this=0x16bbe6e0, aRequest=0xff794b0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:600
#8 0x0b924f90 in nsScriptLoader::ProcessPendingRequests (this=0x16bbe6e0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:739
#9 0x0b9252de in nsScriptLoader::OnStreamComplete (this=0x16bbe6e0, aLoader=0xff79880, aContext=0xff794b0, aStatus=0, aStringLen=50516, aString=0xfe84008 "/* DON'T EDIT THIS GENERATED FILE! Changes will be lost. */\r\n\r\n/* Prototype JavaScript framework, version 1.4.0\r\n * (c) 2005 Sam Stephenson <sam@conio.net>\r\n *\r\n * Prototype is freely distributable"...) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:926
#10 0x0948ca4b in nsStreamLoader::OnStopRequest (this=0xff79880, request=0xff79510, ctxt=0xff794b0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp:108
#11 0x094b07d7 in nsHTTPCompressConv::OnStopRequest (this=0xff7b620, request=0xff79510, aContext=0xff794b0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#12 0x0948c058 in nsStreamListenerTee::OnStopRequest (this=0xff7a6e0, request=0xff79510, context=0xff794b0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:65
#13 0x0953a25d in nsHttpChannel::OnStopRequest (this=0xff794e0, request=0xff79f80, ctxt=0x0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:4907
#14 0x09457d24 in nsInputStreamPump::OnStateStop (this=0xff79f80) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:576
#15 0x09457e44 in nsInputStreamPump::OnInputStreamReady (this=0xff79f80, stream=0xff79e6c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:401
#16 0x00516c4e in nsInputStreamReadyEvent::Run (this=0xff79d60) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#17 0x00549d0c in nsThread::ProcessNextEvent (this=0x715980, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#18 0x004d2b1e in NS_ProcessPendingEvents_P (thread=0x715980, timeout=20) at nsThreadUtils.cpp:180
#19 0x098d48f9 in nsBaseAppShell::NativeEventCallback (this=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#20 0x0988b39a in nsAppShell::ProcessGeckoEvents (aInfo=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#21 0x90ffa5f5 in CFRunLoopRunSpecific ()
#22 0x90ffacd8 in CFRunLoopRunInMode ()
#23 0x9356b2c0 in RunCurrentEventLoopInMode ()
#24 0x9356b0d9 in ReceiveNextEventCommon ()
#25 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#26 0x95a6cd7d in _DPSNextEvent ()
#27 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#28 0x95a6566b in -[NSApplication run] ()
#29 0x098887f4 in nsAppShell::Run (this=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#30 0x0a57d37a in nsAppStartup::Run (this=0x74ef50) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#31 0x0008198c in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#32 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
Flags: blocking1.9.2?
|
||
Comment 1•16 years ago
|
||
Can someone (auto)bisect and find the regressing changeset? Thanks,
/be
|
Reporter | |
Comment 2•16 years ago
|
||
working on a testcase
|
||
Comment 3•16 years ago
|
||
I'm quite sure I saw this in my jsfunfuzz boxes. The testcase during reduction morphed to bug 488693.
|
|
Reporter | |
Comment 4•16 years ago
|
||
loading this testcase cause:
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69 abort();
(gdb) bt
#0 JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1 0x003adb79 in TraceRecorder::record_SetPropMiss (this=0x14cb7b80, entry=0x6ebd68) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7478
#2 0x002dd69a in js_Interpret (cx=0xb30400) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:4803
#3 0x002f26f3 in js_Execute (cx=0xb30400, chain=0x12e8e940, script=0xe8ee00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1632
#4 0x00276bd5 in JS_EvaluateUCScriptForPrincipals (cx=0xb30400, obj=0x12e8e940, principals=0x14c03004, chars=0xf413008, length=10213, filename=0x14c63788 "file:///work/mozilla/lithium/bebo1.html", lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5154
#5 0x0bb4aa51 in nsJSContext::EvaluateString (this=0x14b0b400, aScript=@0xbfffc824, aScopeObject=0x12e8e940, aPrincipal=0x14c03000, aURL=0x14c63788 "file:///work/mozilla/lithium/bebo1.html", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc7a4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:1603
#6 0x0b924b34 in nsScriptLoader::EvaluateScript (this=0x14c4a1f0, aRequest=0x14b81590, aScript=@0xbfffc824) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:686
#7 0x0b924f04 in nsScriptLoader::ProcessRequest (this=0x14c4a1f0, aRequest=0x14b81590) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:600
#8 0x0b9261ac in nsScriptLoader::ProcessScriptElement (this=0x14c4a1f0, aElement=0x14cb5f64) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:554
#9 0x0b92190c in nsScriptElement::MaybeProcessScript (this=0x14cb5f64) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#10 0x0b9f6c2d in nsHTMLScriptElement::MaybeProcessScript (this=0x14cb5f40) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#11 0x0b9f5d0d in nsHTMLScriptElement::DoneAddingChildren (this=0x14cb5f40, aHaveNotified=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#12 0x0ba253c9 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x97dc00, content=0x14cb5f40, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3135
#13 0x0ba2636f in SinkContext::CloseContainer (this=0xaaf4950, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1022
#14 0x0ba28aad in HTMLContentSink::CloseContainer (this=0x97dc00, aTag=eHTMLTag_script) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2388
#15 0x14413600 in CNavDTD::CloseContainer (this=0x146ed450, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2797
#16 0x144143e0 in CNavDTD::HandleEndToken (this=0x146ed450, aToken=0xd948d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1676
#17 0x1441764c in CNavDTD::HandleToken (this=0x146ed450, aToken=0xd948d0, aParser=0x16b11580) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:760
#18 0x14410972 in CNavDTD::BuildModel (this=0x146ed450, aParser=0x16b11580, aTokenizer=0x14cad300, anObserver=0x0, aSink=0x97dc94) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:332
#19 0x14422391 in nsParser::BuildModel (this=0x16b11580) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2375
#20 0x144278f0 in nsParser::ResumeParse (this=0x16b11580, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#21 0x144271ec in nsParser::OnDataAvailable (this=0x16b11580, request=0x16b20420, aContext=0x0, pIStream=0x16b8cfdc, sourceOffset=0, aLength=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2904
#22 0x0cff096d in nsDocumentOpenInfo::OnDataAvailable (this=0xaa23cc0, request=0x16b20420, aCtxt=0x0, inStr=0x16b8cfdc, sourceOffset=0, count=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#23 0x094439cc in nsBaseChannel::OnDataAvailable (this=0x16b203f0, request=0x15cee110, ctxt=0x0, stream=0x16b8cfdc, offset=0, count=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#24 0x0945732b in nsInputStreamPump::OnStateTransfer (this=0x15cee110) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#25 0x09457e34 in nsInputStreamPump::OnInputStreamReady (this=0x15cee110, stream=0x16b8cfdc) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#26 0x00516c4e in nsInputStreamReadyEvent::Run (this=0x14c56520) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#27 0x00549d0c in nsThread::ProcessNextEvent (this=0x715980, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#28 0x004d2b1e in NS_ProcessPendingEvents_P (thread=0x715980, timeout=20) at nsThreadUtils.cpp:180
#29 0x098d48f9 in nsBaseAppShell::NativeEventCallback (this=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#30 0x0988b39a in nsAppShell::ProcessGeckoEvents (aInfo=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#31 0x90ffa63f in CFRunLoopRunSpecific ()
#32 0x90ffacd8 in CFRunLoopRunInMode ()
#33 0x9356b2c0 in RunCurrentEventLoopInMode ()
#34 0x9356b012 in ReceiveNextEventCommon ()
#35 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#36 0x95a6cd7d in _DPSNextEvent ()
#37 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#38 0x95a6566b in -[NSApplication run] ()
#39 0x098887f4 in nsAppShell::Run (this=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#40 0x0a57d37a in nsAppStartup::Run (this=0x74f340) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#41 0x0008198c in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#42 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
(gdb)
|
|
Reporter | |
Comment 5•16 years ago
|
||
another example topsite who exit with this fatal assertions are: bebo.com, web.de and gmx.net
because web.de and gmx.net are very popular sites in germany i request blocking
Flags: blocking1.9.1?
Keywords: testcase
|
|
||
Comment 6•16 years ago
|
||
The testcase, gmx.net, web.de and bebo.com all WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre on a fresh profile.
|
|
||
Comment 7•16 years ago
|
||
(In reply to comment #6)
> The testcase, gmx.net, web.de and bebo.com all WFM with Mozilla/5.0 (Macintosh;
> U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre
> on a fresh profile.
My bad - I was testing the opt nightly binary.
|
|
||
Comment 8•16 years ago
|
||
Anyone bisect yet (Gary ;-)?
/be
|
|
||
Comment 9•16 years ago
|
||
This shell testcase asserts only if you parse it in as a parameter (i.e. ./js -j testcase.js), I didn't assert when I pasted into the shell.
$ ./js-dbg-tm-intelmac -j testcase.js
Assertion failure: scope->shape == PCVCAP_SHAPE(entry->vcap), at ../jstracer.cpp:7476
Trace/BPT trap
|
|
||
Comment 10•16 years ago
|
||
autoBisect, who is one of our best friends, shows that this is probably related to bug 487204 :
The first bad revision is:
changeset: 27215:dccd96fc69cc
user: Igor Bukanov
date: Thu Apr 16 02:36:14 2009 +0200
summary: bug 487204 - avoiding extra locks for js_Native(Get|Set). r=brendan
Blocks: 487204
|
|
||
Updated•16 years ago
|
Attachment #373348 -
Attachment mime type: application/x-javascript → text/plain
|
|
||
Comment 11•16 years ago
|
||
What about a non-debug build? Was this bug more than a bogus assertion botch bug?
/be
|
|
||
Updated•16 years ago
|
|
||
Updated•16 years ago
|
|
|
||
Comment 12•16 years ago
|
||
Fixed by back-out of patch for bug 487204.
/be
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 13•16 years ago
|
||
verified
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Flags: in-litmus-
|
||
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
|
|
Reporter | |
Updated•16 years ago
|
Blocks: sisyphus-tracking
No longer depends on: sisyphus-tracking
|
||
Comment 15•15 years ago
|
||
Verified fixed with xpcshell testcase and the following debug builds:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
|
||
Comment 16•15 years ago
|
||
Would have blocked.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
|
|
||
Updated•15 years ago
|
status1.9.2:
--- → beta1-fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•