489007 - TM: Assertion failure: thisObj == globalObj

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Carsten Book [:Tomcat]]

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090418 Firefox/3.6a1pre

Steps to reproduce:
- Load bbc.co.uk (topsite)
- Assertion

Seems to be a regression, did not happen with yesterdays build. I will try to create a testcase.

From Brendan on IRC: < brendan> Tomcat: regression from 488816 most likely


Assertion failure: thisObj == globalObj, at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:6277

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x40ff0e "thisObj == globalObj", file=0x40dad4 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=6277) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x40ff0e "thisObj == globalObj", file=0x40dad4 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=6277) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1  0x003a3a57 in TraceRecorder::getThis (this=0x16b58640, this_ins=@0xbfffc7ec) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:6277
#2  0x003a3bd6 in TraceRecorder::record_JSOP_THIS (this=0x16b58640) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:8478
#3  0x003b2d4b in TraceRecorder::monitorRecording (cx=0xb37c00, tr=0x16b58640, op=JSOP_THIS) at jsopcode.tbl:186
#4  0x002c7a6d in js_Interpret (cx=0xb37c00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3030
#5  0x002f3ce7 in js_Invoke (cx=0xb37c00, argc=1, vp=0xf75420, flags=0) at jsinterp.cpp:1388
#6  0x002f3f91 in js_InternalInvoke (cx=0xb37c00, obj=0x1365b920, fval=374692320, flags=0, argc=1, argv=0x14aa1480, rval=0xbfffd138) at jsinterp.cpp:1441
#7  0x002774d9 in JS_CallFunctionValue (cx=0xb37c00, obj=0x1365b920, fval=374692320, argc=1, argv=0x14aa1480, rval=0xbfffd138) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5184
#8  0x0bb5104c in nsJSContext::CallEventHandler (this=0x135f3990, aTarget=0x16b556f0, aScope=0x1365b920, aHandler=0x165559e0, aargv=0x14c67bd4, arv=0xbfffd284) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:2009
#9  0x0bb7ba99 in nsGlobalWindow::RunTimeout (this=0x16b556f0, aTimeout=0x15c51440) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsGlobalWindow.cpp:7736
#10 0x0bb7c01a in nsGlobalWindow::TimerCallback (aTimer=0xaacfee0, aClosure=0x15c51440) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsGlobalWindow.cpp:8070
#11 0x00551636 in nsTimerImpl::Fire (this=0xaacfee0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsTimerImpl.cpp:427
#12 0x0055186e in nsTimerEvent::Run (this=0x15c50af0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsTimerImpl.cpp:519
#13 0x00549e80 in nsThread::ProcessNextEvent (this=0x715970, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#14 0x004d2c76 in NS_ProcessPendingEvents_P (thread=0x715970, timeout=20) at nsThreadUtils.cpp:180
#15 0x098d578f in nsBaseAppShell::NativeEventCallback (this=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#16 0x0988befa in nsAppShell::ProcessGeckoEvents (aInfo=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#17 0x90ffa5f5 in CFRunLoopRunSpecific ()
#18 0x90ffacd8 in CFRunLoopRunInMode ()
#19 0x9356b2c0 in RunCurrentEventLoopInMode ()
#20 0x9356b0d9 in ReceiveNextEventCommon ()
#21 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#22 0x95a6cd7d in _DPSNextEvent ()
#23 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#24 0x95a6566b in -[NSApplication run] ()
#25 0x09889354 in nsAppShell::Run (this=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#26 0x0a57e35e in nsAppStartup::Run (this=0x74f3c0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#27 0x00083904 in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#28 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156

Comment 1

[Carsten Book [:Tomcat]]

Attachment: testcase

first version of a reduced testcase, will try to reduce this also later

Comment 2

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Correcting dependency list.

Comment 3

[Carsten Book [:Tomcat]]

(In reply to comment #2)
> Correcting dependency list.

please leave entry's for Bug 455273 alone, they are for tracking reasons

Comment 4

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: 44-line DOM testcase

Here's a 44-line DOM testcase that's many times smaller than Tomcat's. :)

I've plucked out every trick from my book and many hours over the weekend trying to bash this into a shell testcase but it's still slightly beyond me now.

Would appreciate if someone could convert this 44-liner into a shell testcase - it's really almost there!!

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #4)
> Would appreciate if someone could convert this 44-liner into a shell testcase -
> it's really almost there!!

CC'ing Jesse who might be able to help with this...

Comment 6

[Andreas Gal :gal]

The 44 line test case is awesome. I should be able to fix this tomorrow.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to comment #6)
> The 44 line test case is awesome. I should be able to fix this tomorrow.

I'm glad it helped, Andreas. I pulled every trick out of my sleeve, including getting Lithium working on Ubuntu (where I didn't have to wait for the crash stacks to get formed as I could simply disabled stack generation, so asserting in Linux Firefox took only 2secs), converting that ultra-long one-liner convoluted js mumble-jumbo into 10k plus line testcase, adding newlines at strategically placed locations, making use of JS Beautify in Komodo (this is awesome, though sometimes slightly inaccurate), ... ... (all these added up to a whole highly-educational Sunday)

Now if only we can get a shell testcase, so autoBisect can confirm that bug 488816 is likely the guilty one.

Thanks to Tomcat too, for his first-pass testcase. :)

Comment 8

[Andreas Gal :gal]

This should block imo.

Comment 9

[Jason Orendorff [:jorendorff]]

<script>
function nothing() {}

function go() {
    function f() {
        for (var x = 0; x < 1; x++)
            nothing(this);
    }
    f();
}

for (var i = 0; i < 1; i++) {}
go();
go();
</script>

Manually reduced a bit more.  Doesn't happen in the shell, presumably because it has to do with wrappers and `this`.

Comment 10

[Andreas Gal :gal]

(gdb) p thisObj
$1 = (JSObject *) 0x15fac4e0
(gdb) p globalObj
$2 = (JSObject *) 0x15fac080
(gdb) call js_DumpObject(thisObj)
object 0x15fac4e0
class 0x111ee0e0 XPCCrossOriginWrapper
properties:
    enumerate permanent "glow": slot 5
slots:
   0 (proto) = null
   1 (parent) = <Window object at 0x15fac080>
   2 (reserved) = false
   3 (reserved) = <Window object at 0x177b2900>
   4 (reserved) = 208827720
   5 = <Object at 0x15fac520>

(gdb) call js_DumpObject(globalObj)
object 0x15fac080
class 0x1a2ea974 Window
properties:
    enumerate "D": slot 62
    enumerate "H": slot 61
    enumerate "E": slot 60
    "Array": slot 59
    "String": slot 58
    "encodeURIComponent": slot 57
    "decodeURIComponent": slot 56
    "encodeURI": slot 55
    "decodeURI": slot 54
    "uneval": slot 53
    "unescape": slot 52
    "escape": slot 51
    enumerate "K": slot 50
    enumerate readonly "window": slot 49
    enumerate permanent "foo": slot 48
    enumerate permanent "glow": slot 47
    enumerate readonly "document": slot 46
    "Node": slot 45
    "Document": slot 44
    "HTMLDocument": slot 43
    "_options": slot 42
    enumerate "netscape": slot 41
    enumerate "XPCSafeJSObjectWrapper": slot 40
    enumerate "XPCNativeWrapper": slot 39
    enumerate readonly permanent "Components": slot 38
    "Object": slot 37
    "Function": slot 36
slots:
   0 (proto) = <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x15fac1c0>
   1 (parent) = null
   2 (private) = 0x18e4fdf0
   3 (reserved) = undefined
   4 (reserved) = <function Object at 0x15fadb98 (JSFunction at 0x15fadb98)>
   5 (reserved) = <function Function at 0x15fada80 (JSFunction at 0x15fada80)>
   6 (reserved) = <function Array at 0x177af348 (JSFunction at 0x177af348)>
   7 (reserved) = undefined
   8 (reserved) = undefined
   9 (reserved) = undefined
  10 (reserved) = undefined
  11 (reserved) = undefined
  12 (reserved) = <function String at 0x177b0578 (JSFunction at 0x177b0578)>
  13 (reserved) = undefined
  14 (reserved) = undefined
  15 (reserved) = undefined
  16 (reserved) = undefined
  17 (reserved) = undefined
  18 (reserved) = undefined
  19 (reserved) = undefined
  20 (reserved) = undefined
  21 (reserved) = undefined
  22 (reserved) = undefined
  23 (reserved) = undefined
  24 (reserved) = undefined
  25 (reserved) = undefined
  26 (reserved) = undefined
  27 (reserved) = undefined
  28 (reserved) = undefined
  29 (reserved) = undefined
  30 (reserved) = undefined
  31 (reserved) = undefined
  32 (reserved) = undefined
  33 (reserved) = undefined
  34 (reserved) = undefined
  35 (reserved) = undefined
  36 = <function Function at 0x15fada80 (JSFunction at 0x15fada80)>
  37 = <function Object at 0x15fadb98 (JSFunction at 0x15fadb98)>
  38 = <nsXPCComponents object at 0x15fac160>
  39 = <function XPCNativeWrapper at 0x177b1000 (JSFunction at 0x177b1000)>
  40 = <function XPCSafeJSObjectWrapper at 0x177b1038 (JSFunction at 0x177b1038)>
  41 = <Object at 0x15fac1e0>
  42 = <JSOptions object at 0x15fac2a0>
  43 = <DOMPrototype object at 0x15fac320>
  44 = <DOMPrototype object at 0x15fac3c0>
  45 = <DOMPrototype object at 0x15fac3e0>
  46 = <HTMLDocument object at 0x15fac300>
  47 = <Object at 0x15fac520>
  48 = <function foo at 0x177b0380 (JSFunction at 0x177b0380)>
  49 = <XPCCrossOriginWrapper object at 0x15fac4e0>
  50 = <Object at 0x15fac520>
  51 = <function escape at 0x177b03f0 (JSFunction at 0x177b03f0)>
  52 = <function unescape at 0x177b0428 (JSFunction at 0x177b0428)>
  53 = <function uneval at 0x177b0460 (JSFunction at 0x177b0460)>
  54 = <function decodeURI at 0x177b0498 (JSFunction at 0x177b0498)>
  55 = <function encodeURI at 0x177b04d0 (JSFunction at 0x177b04d0)>
  56 = <function decodeURIComponent at 0x177b0508 (JSFunction at 0x177b0508)>
  57 = <function encodeURIComponent at 0x177b0540 (JSFunction at 0x177b0540)>
  58 = <function String at 0x177b0578 (JSFunction at 0x177b0578)>
  59 = <function Array at 0x177af348 (JSFunction at 0x177af348)>
  60 = <Array object at 0x15fac5e0>
  61 = 1
  62 = 2

Comment 11

[Andreas Gal :gal]

Yeah, this is wrapping in action and we already took a snapshot of the global object earlier.

Comment 12

[Andreas Gal :gal]

Attachment: patch

Comment 13

[Andreas Gal :gal]

This case seems sufficiently rare that we can just abort instead of always forcing the globalObj to be wrapped when we start recording.

Comment 14

[Jason Orendorff [:jorendorff]]

Comment on attachment 373666 [details] [diff] [review]
patch

Bouncing as I don't know about wrappers.

Comment 15

[Brendan Eich [:brendan]]

Comment on attachment 373666 [details] [diff] [review]
patch

We don't like wrappers here in jit-land. Are we too demanding?

/be

Comment 16

[Andreas Gal :gal]

http://hg.mozilla.org/tracemonkey/rev/241ae5d59f08

Comment 17

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/241ae5d59f08

Comment 18

[Carsten Book [:Tomcat]]

verified fixed, thanks !

Comment 19

[Robert Sayre]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/80c792e16bfd

Comment 20

[Aakash Desai [:aakashd]]

verified FIXED on Shiretoko: 
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090427 Shiretoko/3.5b5pre ID:20090427031112

Comment 21

[Christian Holler (:decoder)]

Bug in removed tracer code, setting in-testsuite- flag.