Bug 505081 (Closed)
Opened 16 years ago
Closed 13 years ago
TM: js1_6/extensions/regress-456826.js - Assertion failure: *(uint64*)&global[STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain))] == 0xdeadbeefdeadbeefLL
Categories: Core :: JavaScript Engine, defect, P2
Status: RESOLVED WONTFIX
People: Reporter: bc, Assigned: gal
Keywords: assertion, regression, testcase
Attachments (1 file): patch, 1.47 KB
Description
js1_6/extensions/regress-456826.js shell w/JIT.
Assertion failure: *(uint64*)&global[STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain))] == 0xdeadbeefdeadbeefLL, at ../jstracer.cpp:5482
regression changeset: 30365:1440f40669a7 user: Andreas Gal <gal@mozilla.com> date: Thu Jul 16 18:42:54 2009 -0700 summary: Shrink slots during GC only, split ReallocSlots into Alloc/Grow/ShrinkSlots (504478, r=igor).
Flags: in-testsuite+
Updated • Assignee • 16 years ago
Group: core-security
Comment 1 • Assignee • 16 years ago
global is alloca allocated. Any kind of overflow there is bad news. The patch that triggers this might be a red herring (it might have changed how quickly slots grow, but it's not clear it triggered this; it might just make it visible). Hiding for further analysis.
Whiteboard: [sg:investigate?]
Updated • Assignee • 16 years ago
Assignee: general → gal
Severity: normal → major
Priority: -- → P1
Comment 2 • Assignee • 16 years ago
Doesn't crash in TM tip shell. bc, what version did you use, and xpcshell or regular shell?
Comment 3 • Reporter • 16 years ago
(In reply to comment #1)
Sorry. I should have been more careful. I thought since this was only on tracemonkey I shouldn't make it sensitive. I'll err on the cautious side from now on.
(In reply to comment #2)
> Doesn't crash in TM tip shell. bc, what version did you use, and xpcshell or
> regular shell?
tip tm js shell with jit enabled built from the js/src dir and not the js shell built as part of Firefox.
Comment 4 • Assignee • 16 years ago
Nothing sinister going on here for a change. The assert is overly conservative. It demands that the global object has the same number of slots as it had at entry.
We are now shrinking the slots of the global object to scope->freeslot during gc, which happens here. I made the assert smarter about the logic behind this.
Unhiding the bug.
Severity: major → normal
Priority: P1 → P2
Whiteboard: [sg:investigate?]
Comment 5 • Assignee • 16 years ago
Attachment #389361 - Flags: review?(jorendorff)
Updated • Assignee • 16 years ago
Group: core-security
Comment 6 • Assignee • 16 years ago
Note: we sparsely read/write slots of the global object, so we won't try to write to slots that were shrunk away. Operations that do delete slots of the global object throw us off trace before we execute them, so we first write to the slot, and then remove it from the scope.
Comment 7 • Reporter • 16 years ago
The same patch caused http://test.bclary.com/tests/mozilla.org/js/js-test-driver-standards.html?test=js1_5%2FArray%2Fregress-350256-03.js;language=type;text/javascript to start crashing on linux (at least) _browser only_.
Andreas: is that fixed by your patch?
Comment 8 • Assignee • 16 years ago
With the patch, the above link works on mac in my debug build. That's all I can tell from here atm.
Comment 9 • 16 years ago
Comment on attachment 389361 [details] [diff] [review]
patch
I think moving the assertion makes it possible for this part to fail:
>+ JS_ASSERT(STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain)) <= globalFrameSize);
...if we deep-bail, then grow the global object, then exit the trace.
Comment 10 • Assignee • 16 years ago
Mhm. Any idea where else to put it? globalFrameSize isn't available in LeaveTree.
Comment 11 • 16 years ago
I guess just stash it in the InterpState or something, DEBUG-only.
Updated • 16 years ago
Attachment #389361 - Flags: review?(jorendorff)
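Added illustration, not code from the bug's patch or from SpiderMonkey: a constructed C model of the sentinel check argued over in comments 1, 4, 6 and 9 through 11. The trace copies the global object's slots into a stack buffer sized for the slot count at entry and plants 0xdeadbeefdeadbeef one past the end. The original assert looks for the sentinel at the *current* slot count, so a GC that shrinks the object to freeslot (comment 4) fires it falsely; the relaxed form from comments 9 through 11 stashes the entry-time frame size and checks current slots <= frame size plus an intact sentinel, which still reports both a real off-by-one write and a global that grew after a deep bail. All names here (interp_state, global_frame_size, enter_trace, the slot counts and slot contents) are assumptions made for the model; the real jstracer.cpp layout is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not SpiderMonkey code). At trace entry the global
 * object's slots are copied into a fixed buffer standing in for the
 * alloca'd frame, and a sentinel word is planted one past the last slot
 * so that a write past the end shows up as a corrupted sentinel. */
#define SENTINEL 0xdeadbeefdeadbeefULL
#define MAX_SLOTS 16

typedef struct {
    uint64_t global[MAX_SLOTS + 1];   /* stand-in for the alloca'd buffer */
    size_t global_frame_size;         /* slot count at entry (DEBUG-only stash) */
} interp_state;

typedef struct {
    size_t nslots;                    /* stand-in for STOBJ_NSLOTS(global) */
} global_object;

/* Trace entry: copy nslots constructed values and plant the sentinel. */
static void enter_trace(interp_state *st, global_object *g, size_t nslots) {
    memset(st->global, 0, sizeof st->global);
    for (size_t i = 0; i < nslots; i++)
        st->global[i] = 0x1000 + i;   /* constructed slot contents */
    st->global[nslots] = SENTINEL;
    st->global_frame_size = nslots;
    g->nslots = nslots;
}

/* Original assert: the sentinel must sit at index STOBJ_NSLOTS *right now*,
 * which only holds if the slot count has not changed since entry. */
static int old_assert_holds(const interp_state *st, const global_object *g) {
    return g->nslots <= MAX_SLOTS && st->global[g->nslots] == SENTINEL;
}

/* Relaxed assert: the object may have shrunk (GC trims to freeslot) but must
 * not have grown past the frame, and the sentinel at the frame end must be
 * intact. Needs the entry-time frame size, hence the stash in the state. */
static int new_assert_holds(const interp_state *st, const global_object *g) {
    return g->nslots <= st->global_frame_size
        && st->global[st->global_frame_size] == SENTINEL;
}

/* Comment 4: GC shrinks the global object while on trace. The old assert
 * fires although nothing was overwritten; the relaxed one does not. */
static int gc_shrink_is_false_positive(void) {
    interp_state st; global_object g;
    enter_trace(&st, &g, 8);
    g.nslots = 5;                     /* shrunk to scope->freeslot */
    return !old_assert_holds(&st, &g) && new_assert_holds(&st, &g);
}

/* Comment 9: a deep bail grows the global object before the trace exits, so
 * the frame is now too small for it; the relaxed assert must still fire. */
static int growth_after_bail_is_caught(void) {
    interp_state st; global_object g;
    enter_trace(&st, &g, 8);
    g.nslots = 10;                    /* grew past globalFrameSize */
    return !new_assert_holds(&st, &g);
}

/* Comment 1: a real overflow. A write one past the last slot clobbers the
 * sentinel, and both forms of the assert fire. */
static int overflow_is_caught(void) {
    interp_state st; global_object g;
    enter_trace(&st, &g, 8);
    st.global[8] = 0x2008;            /* off-by-one write */
    return !old_assert_holds(&st, &g) && !new_assert_holds(&st, &g);
}

int main(void) {
    printf("gc shrink is a false positive of the old assert: %d\n",
           gc_shrink_is_false_positive());
    printf("growth after deep bail caught by relaxed assert: %d\n",
           growth_after_bail_is_caught());
    printf("off-by-one overflow caught by both:              %d\n",
           overflow_is_caught());
    return 0;
}
```

The model shows why the relaxed check has to be done against the entry-time frame size rather than the current slot count: shrinking moves the live slot count below the sentinel without touching it, growing past the frame means later slot writes would land beyond the buffer, and only the sentinel at the fixed frame end distinguishes the two from an actual overflow.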
Comment 12 • Reporter • 15 years ago
all debug shell.
1.9.2/1.9.3/1.9.3-tracemonkey jit: Assertion failure: *(uint64*)&global[STOBJ_NSLOTS(JS_GetGlobalForObject(cx, cx->fp->scopeChain))] == 0xdeadbeefdeadbeefLL, at ../jstracer.cpp:5835
1.9.2/1.9.3/1.9.3-tracemonkey nonjit: crash
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
0x000abf21 in js_NewObjectWithGivenProto (cx=0x805c00, clasp=0x1ca7e0, proto=0x283000, parent=0x284980, objectSize=0) at ../jsobj.cpp:2076
/work/mozilla/builds/1.9.2/mozilla/js/src/jsobj.cpp:2076:64916:beg:0xabf21
(gdb) bt
#0 0x000abf21 in js_NewObjectWithGivenProto (cx=0x805c00, clasp=0x1ca7e0, proto=0x283000, parent=0x284980, objectSize=0) at ../jsobj.cpp:2076
#1 0x000af8bb in js_NewObject (cx=0x805c00, clasp=0x1ca7e0, proto=0x283000, parent=0x284980, objectSize=0) at ../jsobj.cpp:2165
#2 0x00061fcc in js_NewFunction (cx=0x805c00, funobj=0x0, native=0x1cae00 <math_atan_trcinfo>, nargs=1, flags=10240, parent=0x284980, atom=0x2c637c) at ../jsfun.cpp:2357
#3 0x000631ef in js_DefineFunction (cx=0x805c00, obj=0x284980, atom=0x2c637c, native=0x1cae00 <math_atan_trcinfo>, nargs=1, attrs=10240) at ../jsfun.cpp:2492
#4 0x0001e362 in JS_DefineFunction (cx=0x805c00, obj=0x284980, name=0x1b3415 "atan", call=0x1cae00 <math_atan_trcinfo>, nargs=1, attrs=14336) at ../jsapi.cpp:4563
#5 0x000213bc in JS_DefineFunctions (cx=0x805c00, obj=0x284980, fs=0x1caf80) at ../jsapi.cpp:4545
#6 0x000a37d2 in js_InitMathClass (cx=0x805c00, obj=0x284000) at ../jsmath.cpp:801
#7 0x0001a1e3 in JS_ResolveStandardClass (cx=0x805c00, obj=0x284000, id=2646164, resolved=0xbfffe92c) at ../jsapi.cpp:1614
#8 0x0000b1bb in global_resolve (cx=0x805c00, obj=0x284000, id=2646164, flags=0, objp=0xbfffe994) at ../../shell/js.cpp:4382
#9 0x000ae8b5 in js_LookupPropertyWithFlags (cx=0x805c00, obj=0x284000, id=2646164, flags=0, objp=0xbfffea10, propp=0xbfffea0c) at ../jsobj.cpp:3831
#10 0x000b22f5 in js_FindPropertyHelper (cx=0x805c00, id=2646164, cacheResult=1, objp=0xbfffee1c, pobjp=0xbfffee18, propp=0xbfffedfc) at ../jsobj.cpp:3967
#11 0x0008a3f0 in js_Interpret (cx=0x805c00) at jsops.cpp:2299
#12 0x0009ce41 in js_Execute (cx=0x805c00, chain=0x284000, script=0x3119b0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1612
#13 0x0001efd6 in JS_ExecuteScript (cx=0x805c00, obj=0x284000, script=0x3119b0, rval=0x0) at ../jsapi.cpp:4983
#14 0x00008aeb in Process (cx=0x805c00, obj=0x284000, filename=0xbffff612 "regress-456826.js", forceTTY=0) at ../../shell/js.cpp:435
#15 0x0000a1be in ProcessArgs (cx=0x805c00, obj=0x284000, argv=0xbffff4c0, argc=9) at ../../shell/js.cpp:775
#16 0x0000b9b6 in main (argc=9, argv=0xbffff4c0, envp=0xbffff4e8) at ../../shell/js.cpp:4799
Flags: wanted1.9.2?
Comment 13 • 13 years ago
Obsolete with the removal of tracejit.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Updated • Reporter • 9 years ago
Flags: wanted1.9.2?