Closed
Bug 489007
Opened 16 years ago
Closed 16 years ago
TM: Assertion failure: thisObj == globalObj
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: cbook, Assigned: gal)
References
()
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 1 obsolete file)
|
866 bytes,
text/html
|
Details | |
|
1.01 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090418 Firefox/3.6a1pre
Steps to reproduce:
- Load bbc.co.uk (topsite)
- Assertion
Seems to be a regression, did not happen with yesterdays build. I will try to create a testcase.
From Brendan on IRC: < brendan> Tomcat: regression from 488816 most likely
Assertion failure: thisObj == globalObj, at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:6277
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x40ff0e "thisObj == globalObj", file=0x40dad4 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=6277) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69 abort();
(gdb) bt
#0 JS_Assert (s=0x40ff0e "thisObj == globalObj", file=0x40dad4 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=6277) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1 0x003a3a57 in TraceRecorder::getThis (this=0x16b58640, this_ins=@0xbfffc7ec) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:6277
#2 0x003a3bd6 in TraceRecorder::record_JSOP_THIS (this=0x16b58640) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:8478
#3 0x003b2d4b in TraceRecorder::monitorRecording (cx=0xb37c00, tr=0x16b58640, op=JSOP_THIS) at jsopcode.tbl:186
#4 0x002c7a6d in js_Interpret (cx=0xb37c00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3030
#5 0x002f3ce7 in js_Invoke (cx=0xb37c00, argc=1, vp=0xf75420, flags=0) at jsinterp.cpp:1388
#6 0x002f3f91 in js_InternalInvoke (cx=0xb37c00, obj=0x1365b920, fval=374692320, flags=0, argc=1, argv=0x14aa1480, rval=0xbfffd138) at jsinterp.cpp:1441
#7 0x002774d9 in JS_CallFunctionValue (cx=0xb37c00, obj=0x1365b920, fval=374692320, argc=1, argv=0x14aa1480, rval=0xbfffd138) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5184
#8 0x0bb5104c in nsJSContext::CallEventHandler (this=0x135f3990, aTarget=0x16b556f0, aScope=0x1365b920, aHandler=0x165559e0, aargv=0x14c67bd4, arv=0xbfffd284) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:2009
#9 0x0bb7ba99 in nsGlobalWindow::RunTimeout (this=0x16b556f0, aTimeout=0x15c51440) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsGlobalWindow.cpp:7736
#10 0x0bb7c01a in nsGlobalWindow::TimerCallback (aTimer=0xaacfee0, aClosure=0x15c51440) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsGlobalWindow.cpp:8070
#11 0x00551636 in nsTimerImpl::Fire (this=0xaacfee0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsTimerImpl.cpp:427
#12 0x0055186e in nsTimerEvent::Run (this=0x15c50af0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsTimerImpl.cpp:519
#13 0x00549e80 in nsThread::ProcessNextEvent (this=0x715970, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#14 0x004d2c76 in NS_ProcessPendingEvents_P (thread=0x715970, timeout=20) at nsThreadUtils.cpp:180
#15 0x098d578f in nsBaseAppShell::NativeEventCallback (this=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#16 0x0988befa in nsAppShell::ProcessGeckoEvents (aInfo=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#17 0x90ffa5f5 in CFRunLoopRunSpecific ()
#18 0x90ffacd8 in CFRunLoopRunInMode ()
#19 0x9356b2c0 in RunCurrentEventLoopInMode ()
#20 0x9356b0d9 in ReceiveNextEventCommon ()
#21 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#22 0x95a6cd7d in _DPSNextEvent ()
#23 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#24 0x95a6566b in -[NSApplication run] ()
#25 0x09889354 in nsAppShell::Run (this=0x7331d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#26 0x0a57e35e in nsAppStartup::Run (this=0x74f3c0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#27 0x00083904 in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#28 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
Flags: blocking1.9.1?
|
Reporter | |
Comment 1•16 years ago
|
||
first version of a reduced testcase, will try to reduce this also later
|
||
Comment 2•16 years ago
|
||
Correcting dependency list.
Blocks: 488816, sisyphus-tracking
No longer depends on: sisyphus-tracking, 488816
Version: 1.9.1 Branch → Trunk
|
|
Reporter | |
Comment 3•16 years ago
|
||
(In reply to comment #2)
> Correcting dependency list.
please leave entry's for Bug 455273 alone, they are for tracking reasons
No longer blocks: sisyphus-tracking
Depends on: sisyphus-tracking
|
|
Reporter | |
Updated•16 years ago
|
Blocks: sisyphus-tracking
No longer depends on: sisyphus-tracking
|
|
||
Comment 4•16 years ago
|
||
Here's a 44-line DOM testcase that's many times smaller than Tomcat's. :)
I've plucked out every trick from my book and many hours over the weekend trying to bash this into a shell testcase but it's still slightly beyond me now.
Would appreciate if someone could convert this 44-liner into a shell testcase - it's really almost there!!
Attachment #373529 -
Attachment is obsolete: true
|
|
||
Comment 5•16 years ago
|
||
(In reply to comment #4)
> Would appreciate if someone could convert this 44-liner into a shell testcase -
> it's really almost there!!
CC'ing Jesse who might be able to help with this...
|
|
||
Updated•16 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
|
|
Assignee | |
Comment 6•16 years ago
|
||
The 44 line test case is awesome. I should be able to fix this tomorrow.
|
|
||
Comment 7•16 years ago
|
||
(In reply to comment #6)
> The 44 line test case is awesome. I should be able to fix this tomorrow.
I'm glad it helped, Andreas. I pulled every trick out of my sleeve, including getting Lithium working on Ubuntu (where I didn't have to wait for the crash stacks to get formed as I could simply disabled stack generation, so asserting in Linux Firefox took only 2secs), converting that ultra-long one-liner convoluted js mumble-jumbo into 10k plus line testcase, adding newlines at strategically placed locations, making use of JS Beautify in Komodo (this is awesome, though sometimes slightly inaccurate), ... ... (all these added up to a whole highly-educational Sunday)
Now if only we can get a shell testcase, so autoBisect can confirm that bug 488816 is likely the guilty one.
Thanks to Tomcat too, for his first-pass testcase. :)
|
|
Assignee | |
Comment 8•16 years ago
|
||
This should block imo.
|
||
Updated•16 years ago
|
Assignee: general → gal
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
|
|
||
Comment 9•16 years ago
|
||
<script>
function nothing() {}
function go() {
function f() {
for (var x = 0; x < 1; x++)
nothing(this);
}
f();
}
for (var i = 0; i < 1; i++) {}
go();
go();
</script>
Manually reduced a bit more. Doesn't happen in the shell, presumably because it has to do with wrappers and `this`.
|
|
Assignee | |
Comment 10•16 years ago
|
||
(gdb) p thisObj
$1 = (JSObject *) 0x15fac4e0
(gdb) p globalObj
$2 = (JSObject *) 0x15fac080
(gdb) call js_DumpObject(thisObj)
object 0x15fac4e0
class 0x111ee0e0 XPCCrossOriginWrapper
properties:
enumerate permanent "glow": slot 5
slots:
0 (proto) = null
1 (parent) = <Window object at 0x15fac080>
2 (reserved) = false
3 (reserved) = <Window object at 0x177b2900>
4 (reserved) = 208827720
5 = <Object at 0x15fac520>
(gdb) call js_DumpObject(globalObj)
object 0x15fac080
class 0x1a2ea974 Window
properties:
enumerate "D": slot 62
enumerate "H": slot 61
enumerate "E": slot 60
"Array": slot 59
"String": slot 58
"encodeURIComponent": slot 57
"decodeURIComponent": slot 56
"encodeURI": slot 55
"decodeURI": slot 54
"uneval": slot 53
"unescape": slot 52
"escape": slot 51
enumerate "K": slot 50
enumerate readonly "window": slot 49
enumerate permanent "foo": slot 48
enumerate permanent "glow": slot 47
enumerate readonly "document": slot 46
"Node": slot 45
"Document": slot 44
"HTMLDocument": slot 43
"_options": slot 42
enumerate "netscape": slot 41
enumerate "XPCSafeJSObjectWrapper": slot 40
enumerate "XPCNativeWrapper": slot 39
enumerate readonly permanent "Components": slot 38
"Object": slot 37
"Function": slot 36
slots:
0 (proto) = <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x15fac1c0>
1 (parent) = null
2 (private) = 0x18e4fdf0
3 (reserved) = undefined
4 (reserved) = <function Object at 0x15fadb98 (JSFunction at 0x15fadb98)>
5 (reserved) = <function Function at 0x15fada80 (JSFunction at 0x15fada80)>
6 (reserved) = <function Array at 0x177af348 (JSFunction at 0x177af348)>
7 (reserved) = undefined
8 (reserved) = undefined
9 (reserved) = undefined
10 (reserved) = undefined
11 (reserved) = undefined
12 (reserved) = <function String at 0x177b0578 (JSFunction at 0x177b0578)>
13 (reserved) = undefined
14 (reserved) = undefined
15 (reserved) = undefined
16 (reserved) = undefined
17 (reserved) = undefined
18 (reserved) = undefined
19 (reserved) = undefined
20 (reserved) = undefined
21 (reserved) = undefined
22 (reserved) = undefined
23 (reserved) = undefined
24 (reserved) = undefined
25 (reserved) = undefined
26 (reserved) = undefined
27 (reserved) = undefined
28 (reserved) = undefined
29 (reserved) = undefined
30 (reserved) = undefined
31 (reserved) = undefined
32 (reserved) = undefined
33 (reserved) = undefined
34 (reserved) = undefined
35 (reserved) = undefined
36 = <function Function at 0x15fada80 (JSFunction at 0x15fada80)>
37 = <function Object at 0x15fadb98 (JSFunction at 0x15fadb98)>
38 = <nsXPCComponents object at 0x15fac160>
39 = <function XPCNativeWrapper at 0x177b1000 (JSFunction at 0x177b1000)>
40 = <function XPCSafeJSObjectWrapper at 0x177b1038 (JSFunction at 0x177b1038)>
41 = <Object at 0x15fac1e0>
42 = <JSOptions object at 0x15fac2a0>
43 = <DOMPrototype object at 0x15fac320>
44 = <DOMPrototype object at 0x15fac3c0>
45 = <DOMPrototype object at 0x15fac3e0>
46 = <HTMLDocument object at 0x15fac300>
47 = <Object at 0x15fac520>
48 = <function foo at 0x177b0380 (JSFunction at 0x177b0380)>
49 = <XPCCrossOriginWrapper object at 0x15fac4e0>
50 = <Object at 0x15fac520>
51 = <function escape at 0x177b03f0 (JSFunction at 0x177b03f0)>
52 = <function unescape at 0x177b0428 (JSFunction at 0x177b0428)>
53 = <function uneval at 0x177b0460 (JSFunction at 0x177b0460)>
54 = <function decodeURI at 0x177b0498 (JSFunction at 0x177b0498)>
55 = <function encodeURI at 0x177b04d0 (JSFunction at 0x177b04d0)>
56 = <function decodeURIComponent at 0x177b0508 (JSFunction at 0x177b0508)>
57 = <function encodeURIComponent at 0x177b0540 (JSFunction at 0x177b0540)>
58 = <function String at 0x177b0578 (JSFunction at 0x177b0578)>
59 = <function Array at 0x177af348 (JSFunction at 0x177af348)>
60 = <Array object at 0x15fac5e0>
61 = 1
62 = 2
|
|
Assignee | |
Comment 11•16 years ago
|
||
Yeah, this is wrapping in action and we already took a snapshot of the global object earlier.
|
|
Assignee | |
Comment 12•16 years ago
|
||
Attachment #373666 -
Flags: review?(jorendorff)
|
|
Assignee | |
Comment 13•16 years ago
|
||
This case seems sufficiently rare that we can just abort instead of always forcing the globalObj to be wrapped when we start recording.
|
|
||
Comment 14•16 years ago
|
||
Comment on attachment 373666 [details] [diff] [review]
patch
Bouncing as I don't know about wrappers.
Attachment #373666 -
Flags: review?(jorendorff) → review?(brendan)
|
|
||
Updated•16 years ago
|
Attachment #373666 -
Flags: review?(brendan) → review+
|
|
||
Comment 15•16 years ago
|
||
Comment on attachment 373666 [details] [diff] [review]
patch
We don't like wrappers here in jit-land. Are we too demanding?
/be
|
|
Assignee | |
Comment 16•16 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 17•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
||
Updated•16 years ago
|
Flags: in-testsuite?
|
|
||
Updated•16 years ago
|
Target Milestone: --- → mozilla1.9.2a1
|
|
||
Comment 19•16 years ago
|
||
Keywords: fixed1.9.1
|
|
||
Comment 20•16 years ago
|
||
verified FIXED on Shiretoko:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090427 Shiretoko/3.5b5pre ID:20090427031112
Keywords: fixed1.9.1 → verified1.9.1
|
||
Comment 21•13 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•