Closed Bug 510655 Opened 12 years ago Closed 12 years ago

TM: "Assertion failure: argsobj->getPrivate() == fp, at ../jsfun.cpp"

Core :: JavaScript Engine, defect, P1
Status: VERIFIED FIXED
status1.9.2 --- beta1-fixed
Reporter: gkw, Assigned: dmandelin
4 keywords, Whiteboard: fixed-in-tracemonkey
Attachments: 1 file

(function () {
    for (b in [0, 0]) {
        (eval("\
            [this\
                for (b in [\
                    [undefined],\
                    arguments,\
                    [undefined]\
                ])\
            ]\
        "))
    }
})()

asserts js dbg shell with -j on TM branch at Assertion failure: argsobj->getPrivate() == fp, at ../jsfun.cpp:298
Flags: blocking1.9.2?
autoBisect shows this is probably related to bug 495061:

The first bad revision is:
changeset:   31470:8702299aa4dc
user:        Igor Bukanov
date:        Fri Aug 14 20:43:16 2009 +0200
summary:     bug 495061 -  js_PutArgsObject and js_PutCallObject that never fail. r=brendan
Blocks: 495061
I'm guessing the assert uncovered a bug in tracing |arguments|.
Assignee: general → dmandelin
Attached patch: Patch
The problem is this:

When leaving a trace, if any synthesized frame has an argsobj, we set argsobj->private() to that frame. (On trace, we can't set the frame, because it doesn't exist. So we do it on exit.) But this is invalid for frames that are created by js_Execute: they can have a copy of fp->down->argsobj, in which case they already have a private pointer, which we shouldn't mess with.
Attachment #394912 - Flags: review?(igor)
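A stand-alone C model of the trace-exit fixup loop and the shared-argsobj case described above. This is an added illustration, not SpiderMonkey code: the Frame and ArgsObj types are constructed stand-ins for JSStackFrame and the arguments object's private slot, and the two fixup functions mirror the pre-patch and patched conditions.

```c
#include <stdbool.h>
#include <stddef.h>
typedef struct Frame Frame;
/* Stands in for the JSObject private slot of an arguments object. */
typedef struct ArgsObj { Frame *priv; } ArgsObj;
struct Frame {
    Frame   *down;     /* caller frame */
    bool     callee;   /* models a non-null fp->callee (function frame) */
    ArgsObj *argsobj;  /* js_Execute frames copy this pointer from down */
};

/* Pre-patch fixup: every synthesized function frame claims its argsobj. */
static void fixup_unchecked(Frame *fp, unsigned n) {
    for (; n != 0; fp = fp->down) {
        --n;
        if (fp->callee && fp->argsobj)
            fp->argsobj->priv = fp;
    }
}

/* Patched fixup: skip an argsobj that fp merely shares with its caller. */
static void fixup_checked(Frame *fp, unsigned n) {
    for (; n != 0; fp = fp->down) {
        --n;
        if (fp->callee && fp->argsobj &&
            (!fp->down || fp->argsobj != fp->down->argsobj))
            fp->argsobj->priv = fp;
    }
}

/* Bug scenario: an interpreted outer frame already owns its arguments object;
   one synthesized eval (js_Execute) frame above it holds a copy of the pointer. */
static bool owner_private_survives(bool patched) {
    Frame outer = { NULL, true, NULL };
    ArgsObj args = { &outer };          /* private already set by the interpreter */
    outer.argsobj = &args;
    Frame eval_frame = { &outer, true, &args };
    (patched ? fixup_checked : fixup_unchecked)(&eval_frame, 1);
    return args.priv == &outer;         /* false without the check, true with it */
}

/* A synthesized function frame with its own arguments object must still be claimed. */
static bool own_args_claimed(void) {
    Frame caller = { NULL, true, NULL };
    ArgsObj args = { NULL };
    Frame callee_frame = { &caller, true, &args };
    fixup_checked(&callee_frame, 1);
    return args.priv == &callee_frame;
}
```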
Comment on attachment 394912 (Patch)

>diff -r ad2312d97029 js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp	Mon Aug 17 12:05:54 2009 -0700
>+++ b/js/src/jstracer.cpp	Mon Aug 17 14:38:15 2009 -0700
>@@ -2525,8 +2525,12 @@
>         for (; n != 0; fp = fp->down) {
>             --n;
>             if (fp->callee) {
>-                if (fp->argsobj)
>+                // If |fp->argsobj == fp->down->argsobj|, then fp is a frame created
>+                // by js_Execute and the args object does not belong to fp.
>+                if (fp->argsobj && 
>+                    (!fp->down || fp->argsobj != fp->down->argsobj)) {
>                     JS_SetPrivate(cx, JSVAL_TO_OBJECT(fp->argsobj), fp);
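Review bot: trailing whitespace after `&&` on the new line `if (fp->argsobj && `; trim it before landing. The added comment explains how to recognise a js_Execute frame but not what goes wrong if it is not skipped (the shared arguments object's existing private pointer is overwritten, which is what the `argsobj->getPrivate() == fp` assertion in jsfun.cpp then catches); one more comment line saying so would make the guard self-explanatory.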

Pre-existing nit - use JSVAL_TO_OBJECT(fp->argsobj)->setPrivate(fp); here. I should have done that in bug 493457.
Attachment #394912 - Flags: review?(igor) → review+
Pushed to TM with nit fixed as 19728bf133dd. (Somehow I knew about getPrivate() but not setPrivate(). Well, now I do, anyway. :-) )
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/19728bf133dd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Blocking, P1.  Dmandelin says it's scary, too.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
js/src/trace-test/tests/basic/bug510655.js
Flags: in-testsuite+
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2