Closed Bug 496325 Opened 11 years ago Closed 11 years ago

Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj), at /Users/smaug/mozilla/hg/mozilla/js/src/jstracer.cpp:6761

Categories

(Core :: JavaScript Engine, defect)

x86
macOS

VERIFIED FIXED

People

(Reporter: smaug, Assigned: gal)

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(3 files, 7 obsolete files)

The assertion happens using an up-to-date trunk debug build.
Go to http://www.bbc.com and click the current top news (currently something about Obama).

0   libmozjs.dylib                	0x003420b0 JS_Assert + 64 (jsutil.cpp:69)
1   libmozjs.dylib                	0x00382c96 TraceRecorder::getThis(nanojit::LIns*&) + 1302 (jstracer.cpp:6761)
2   libmozjs.dylib                	0x003909bc TraceRecorder::monitorRecording(JSContext*, TraceRecorder*, JSOp) + 8092 (jstracer.cpp:9203)
3   libmozjs.dylib                	0x00296a8f js_Interpret + 41327 (jsinterp.cpp:3039)
4   libmozjs.dylib                	0x002b95db js_Invoke + 1659 (jsinterp.cpp:1394)
5   libmozjs.dylib                	0x002ba01f js_InternalInvoke + 159 (jsinterp.cpp:1448)
6   libmozjs.dylib                	0x0022b583 JS_CallFunctionValue + 147 (jsapi.cpp:5197)
7   libgklayout.dylib             	0x12717151 nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) + 545 (nsJSEnvironment.cpp:2037)
8   libgklayout.dylib             	0x127369e3 nsGlobalWindow::RunTimeout(nsTimeout*) + 1859 (nsCOMPtr.h:777)
9   libgklayout.dylib             	0x1273782e nsGlobalWindow::TimerCallback(nsITimer*, void*) + 46 (nsGlobalWindow.cpp:8128)
10  libxpcom_core.dylib           	0x004d9dcf nsTimerImpl::Fire() + 1007 (nsTimerImpl.cpp:427)
11  libxpcom_core.dylib           	0x004da0f4 nsTimerEvent::Run() + 100 (nsAutoPtr.h:956)
12  libxpcom_core.dylib           	0x004d11fe nsThread::ProcessNextEvent(int, int*) + 526 (nsThread.cpp:511)
13  libxpcom_core.dylib           	0x00454827 NS_ProcessPendingEvents_P(nsIThread*, unsigned int) + 71
14  libwidget_mac.dylib           	0x1454ed12 nsBaseAppShell::NativeEventCallback() + 98 (nsBaseAppShell.cpp:122)
15  libwidget_mac.dylib           	0x1450adea nsAppShell::ProcessGeckoEvents(void*) + 634 (nsAppShell.mm:413)
The assertion was added in bug 495699
Flags: blocking1.9.1?
Happens on branch, and is not due to tracing lambda_fc
Flags: blocking1.9.1? → blocking1.9.1+
Attached patch Fix? (obsolete)
Like 'null', Call objects are implicitly turned into the global object. I'm a little surprised that we hit this on the 1.9.1 branch, though. I thought activeCallOrGlobalSlot would have saved us there...
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #381605 - Flags: review?(gal)
Assignee: mrbkap → gal
Attachment #381605 - Attachment is obsolete: true
Attachment #381605 - Flags: review?(gal)
Need a testcase.
I'm not smart enough to write a testcase for this bug. I'll attach what I have, though.
Keywords: testcase-wanted
Attached file not a testcase
The problem is that by the time we get into TraceRecorder::getThis, we've already computed 'this' once and have the wrapper -- I don't understand how the bbc gets around it.

A better way to make a testcase might be to minimize www.bbc.com.
Mrbkap helped with the patch and approved of it. He didn't stamp accidentally.
Pushed to TM.

http://hg.mozilla.org/tracemonkey/rev/6afc57314e74
Whiteboard: fixed-in-tracemonkey
Attached file "testcase" (obsolete)
Attached file "testcase" with correct link to js (obsolete)
Attachment #381699 - Attachment is obsolete: true
Thanks bz.
Attached file Minimal-ish HTML (obsolete)
Attachment #381700 - Attachment is obsolete: true
Comment on attachment 381662
more generic fix, needs a testcase

I realized that in order to match ComputeThis in jsinterp.cpp, we need to check for Blocks too.
Attachment #381662 - Flags: review+
I'm running Lithium to reduce the JS that bz attached.
http://hg.mozilla.org/mozilla-central/rev/6afc57314e74
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Attached file js, down from 7000 lines to 1685 lines (obsolete)
Lithium is still running, but here's what it has so far.
Attachment #381698 - Attachment is obsolete: true
Made a few sneaky changes to speed up Lithium, let's see how much they help.
Attached file js shell testcase (64 lines) (obsolete)
Still reducing, but I figured I'd attach something small that retained at least some of the flavor of the original.
Attachment #381701 - Attachment is obsolete: true
Attachment #381772 - Attachment is obsolete: true
Attachment #381834 - Attachment is obsolete: true
verified FIXED on debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090629 Minefield/3.6a1pre ID:20090629082126

and

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090629 Shiretoko/3.5pre ID:20090629082025
Status: RESOLVED → VERIFIED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+