Closed Bug 503817 Opened 15 years ago Closed 15 years ago

Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .2+
status1.9.1 --- .2-fixed

People

(Reporter: bc, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: assertion, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 2 obsolete files)

fully reduced testcase
277 bytes, text/plain
Details
Proposed fix
1.78 KB, patch
gal
: review+
samuel.sidler+old
: approval1.9.1.2+
Details | Diff | Splinter Review 
Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj), at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7812

1. load http://www.movenetworks.com/
2. resize page
3. assert

repro on 1.9.1, 1.9.2 and tracemonkey mac/windows.
Flags: blocking1.9.2?
Flags: blocking1.9.1.1?
Flags: blocking1.9.2? → blocking1.9.2+
(In reply to comment #0)
> Assertion failure: original == thisv || original == OBJECT_TO_JSVAL(obj), at
> /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7812
> 
> 1. load http://www.movenetworks.com/
> 2. resize page
> 3. assert
> 
> repro on 1.9.1, 1.9.2 and tracemonkey mac/windows.

Could not reproduce on XP and OSX

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090712 Minefield/3.6a1pre

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090712 Minefield/3.6a1pre

1. Visited page. 
2. Did a drag resize and a resizeTo(x,x)

No crash
does not crash opt/nightly builds. You need a debug build to reproduce this.
(In reply to comment #2)
> does not crash opt/nightly builds. You need a debug build to reproduce this.

JS_Assert (s=0x85 <Address 0x85 out of bounds>, file=0x85 <Address 0x85 out of bounds>, ln=133) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69

#0  JS_Assert (s=0x85 <Address 0x85 out of bounds>, file=0x85 <Address 0x85 out of bounds>, ln=133) at /Users/mozilla/mozilla-central/js/src/jsutil.cpp:69
#1  0x00391eb0 in TraceRecorder::getThis (this=0x15de1d60, this_ins=@0xbfffc78c) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:7737
#2  0x0039f792 in TraceRecorder::record_JSOP_THIS () at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:10195
#3  0x0039f792 in TraceRecorder::monitorRecording (cx=0x95e600, tr=0x15de1d60, op=JSOP_THIS) at /Users/mozilla/mozilla-central/js/src/jstracer.cpp:186
#4  0x0029fde5 in js_Interpret (cx=0x95e600) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:3107
#5  0x002c7bbb in js_Invoke (cx=0x95e600, argc=1, vp=0xc47820, flags=32) at jsinterp.cpp:1397
#6  0x11e47d7f in nsXPCWrappedJSClass::CallMethod (this=0x126ecdb0, wrapper=0x15d25860, methodIndex=3, info=0xa394a0, nativeParams=0xbfffd19c) at /Users/mozilla/mozilla-central/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1647
#7  0x11e3d4c3 in nsXPCWrappedJS::CallMethod (this=0x15d25860, methodIndex=3, info=0xa394a0, params=0xbfffd19c) at /Users/mozilla/mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:570
#8  0x00509e87 in PrepareAndDispatch (self=0x15d24700, methodIndex=<value temporarily unavailable, due to optimizations>, args=0xbfffd284) at /Users/mozilla/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
#9  0x00504f56 in nsXPTCStubBase::Stub3 (this=0x15d24700) at xptcstubsdef.inc:1
...
Attached file reduction v1 (obsolete) — 
reduction v1
Attached file reduction v1.1 (obsolete) — 
reduction v1.1
Attachment #388189 - Attachment is obsolete: true
Severity: normal → critical
Keywords: testcase-wantedtestcase
Hardware: x86 → All
Attached file fully reduced testcase 
That's a great partially reduced testcase, Aaron.
Attachment #388190 - Attachment is obsolete: true
(In reply to comment #6)
> Created an attachment (id=388198) [details]
> fully reduced testcase

To reproduce (at least on Ubuntu), open the page, then manually click-drag-resize to hit the assert.
Assignee: general → gal
Attached patch Proposed fixSplinter Review 
Are we there yet?
Assignee: gal → mrbkap
Status: NEW → ASSIGNED
Attachment #388374 - Flags: review?(gal)
Attachment #388374 - Flags: review?(gal) → review+
http://hg.mozilla.org/mozilla-central/rev/65ac036608c7
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
blocking1.9.1: --- → .2+
Flags: blocking1.9.1.1? → blocking1.9.1.1-
Comment on attachment 388374 [details] [diff] [review]
Proposed fix

Please mark this for approval1.9.1.2? if it's ready to go in for Firefox 3.5.2
Attachment #388374 - Flags: approval1.9.1.2?
Comment on attachment 388374 [details] [diff] [review]
Proposed fix

Approved for 1.9.1.2. a=ss for release-drivers
Attachment #388374 - Flags: approval1.9.1.2? → approval1.9.1.2+
v 1.9.1.2 win/mac
Keywords: verified1.9.1
Mass change: adding fixed1.9.2 keyword

(This bug was identified as a mozilla1.9.2 blocker which was fixed before the mozilla-1.9.2 repository was branched (August 13th, 2009) as per this query: http://is.gd/2ydcb - if this bug is not actually fixed on mozilla1.9.2, please remove the keyword. Apologies for the bugspam)
Keywords: fixed1.9.2
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: