502714 - TM: Assertion failure: isNumber(*p) == (t == TT_DOUBLE)

Status: RESOLVED DUPLICATE of bug 502604

(Core :: JavaScript Engine, defect)

Description

[Aaron Train [:aaronmt]]

TM: Assertion failure:isNumber(*p) == (t == TT_DOUBLE), at
/Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331

#0  JS_Assert (s=0x70 <Address 0x70 out of bounds>, file=0x70 <Address 0x70 out of bounds>, ln=112) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69
#1  0x0037d5bf in TraceRecorder::import (this=0x1daf8e50, base=0x15d69d3c, offset=596, p=0x1daeb3b4, t=TT_STRING, prefix=0x402388 "global", index=4, fp=0x0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2331
#2  0x00398552 in VisitGlobalSlots<ImportGlobalSlotVisitor> [inlined] () at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2399
#3  0x00398552 in TraceRecorder::import (this=0x1daf8e50, treeInfo=0x1daf8a60, sp=0x15d69d5c, stackSlots=9, ngslots=9, callDepth=1, typeMap=0x126ca5c0) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:2512
#4  0x00398ff5 in TraceRecorder::TraceRecorder (this=0x1daf8e50, cx=0xaad000, _anchor=0x15d6aaac, _fragment=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, innermostNestedGuard=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1629
#5  0x003994f3 in js_StartRecorder (cx=0xaad000, anchor=0x15d6aaac, f=0x1daf8d00, ti=0x1daf8a60, stackSlots=9, ngslots=9, typeMap=0x126ca5c0, expectedInnerExit=0x15a5d8a8, outer=0x15c0c823 "?;\n.?", outerArgc=1) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:1648
#6  0x00399877 in js_AttemptToExtendTree (cx=0xaad000, anchor=0x1daf8d00, exitedFrom=0x15a5d8a8, outer=0x15c0c823 "?;\n.?") at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4664
#7  0x0039b17f in js_RecordLoopEdge (cx=0x1daf8e50, r=0x1daf8e90, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:4786
#8  0x0039b32a in js_MonitorLoopEdge (cx=0xaad000, inlineCallCount=@0xbfffd86c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:5439
#9  0x002cc6f9 in js_Interpret (cx=0xaad000) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:3944
#10 0x002d07d2 in js_Execute (cx=0xaad000, chain=0x1aa090a0, script=0x15c08000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1661
...

Occurs on Mac/Windows/Linux 1.9.2

See attached reduced testcase

Comment 1

[Aaron Train [:aaronmt]]

Attachment: testcase

Comment 2

[Aaron Train [:aaronmt]]

Most likely related is bug 502604

Comment 3

[Andreas Gal :gal]

David, can you take a look?

Comment 4

[Andreas Gal :gal]

This is crashing 3.5. 502604 is probably a dup. I suggest blocking 3.5.1 on this at least until we know the cause.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Comment on attachment 387064 [details]
testcase

js testcases should have MIME type text/plain.

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

I'll be attaching a fully reduced testcase soon - along with autoBisect results.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

for each(z in ['', 0, '', '']) {
    for (let x = 0; x < 3; ++x) {
        let y = x;
        print(y || (z *= String))
    }
}

This asserts Assertion failure: isNumber(*p) == (t == TT_DOUBLE), at ../jstracer.cpp:2331 with -j and does not assert without. It does seem to be fixed by the patch in bug 502604.


autoBisect shows this is probably related to bug 452498:

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452498, r=mrbkap).

Comment 9

[Brendan Eich [:brendan]]

I think the upvar2 relation is incidental.

/be