Closed
Bug 520874
Opened 15 years ago
Closed 15 years ago
Reproducible JS_Assert "regs->pc == innermost->pc" in Google Docs
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 519534
People
(Reporter: roc, Unassigned)
Details
Opening a simple document in Google Docs (originally a Word document) consistently triggers a JS_Assert: (gdb) where #0 JS_Assert (s=0x445284 "regs->pc == innermost->pc", file=0x443328 "/Users/roc/mozilla-checkin/js/src/jstracer.cpp", ln=6281) at /Users/roc/mozilla-checkin/js/src/jsutil.cpp:69 #1 0x003c6799 in LeaveTree (state=@0xbfff66b0, lr=0x21636554) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6281 #2 0x003cdbe1 in ExecuteTree (cx=0x8dd3400, f=0x949e604, inlineCallCount=@0xbfffcc6c, innermostNestedGuardp=0xbfffc908) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6155 #3 0x003e927d in js_MonitorLoopEdge (cx=0x8dd3400, inlineCallCount=@0xbfffcc6c) at /Users/roc/mozilla-checkin/js/src/jstracer.cpp:6610 #4 0x002fa144 in js_Interpret (cx=0x8dd3400) at jsops.cpp:342 #5 0x003211b9 in js_Execute (cx=0x8dd3400, chain=0x7c57940, script=0xf140000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1598 #6 0x002a0e49 in JS_EvaluateUCScriptForPrincipals (cx=0x8dd3400, obj=0x7c57940, principals=0x9882054, chars=0xfe08008, length=554538, filename=0xe754418 "https://docs.google.com/wrt/client/js/1369408591-EditPageModularized_editor_base_mod__en_gb.js", lineno=1, rval=0x0) at /Users/roc/mozilla-checkin/js/src/jsapi.cpp:5056 #7 0x01df82ab in nsJSContext::EvaluateString (this=0xe6f9b20, aScript=@0xf5b5b14, aScopeObject=0x7c57940, aPrincipal=0x9882050, aURL=0xe754418 "https://docs.google.com/wrt/client/js/1369408591-EditPageModularized_editor_base_mod__en_gb.js", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffd214) at /Users/roc/mozilla-checkin/dom/base/nsJSEnvironment.cpp:1682 #8 0x01bb5fe6 in nsScriptLoader::EvaluateScript (this=0x98e1be0, aRequest=0xf5b5b00, aScript=@0xf5b5b14) at /Users/roc/mozilla-checkin/content/base/src/nsScriptLoader.cpp:686 #9 0x01bb63f2 in nsScriptLoader::ProcessRequest (this=0x98e1be0, aRequest=0xf5b5b00) at /Users/roc/mozilla-checkin/content/base/src/nsScriptLoader.cpp:600 #10 0x01bb647e in nsScriptLoader::ProcessPendingRequests (this=0x98e1be0) at /Users/roc/mozilla-checkin/content/base/src/nsScriptLoader.cpp:740 #11 0x01bb678e in nsScriptLoader::OnStreamComplete (this=0x98e1be0, aLoader=0xf59e970, aContext=0xf5b5b00, aStatus=0, aStringLen=554538, aString=0xfd80000 "function e(a){throw a;}var g=true,h=null,j=false,n,aa=[];function ba(a){return function(){return aa[a].apply(this,arguments)}};var ca=ca||{},da=this;function p(a,b,c){a=a.split(\".\");c=c||da;!(a[0]in c"...) at /Users/roc/mozilla-checkin/content/base/src/nsScriptLoader.cpp:927 #12 0x035fa93f in nsStreamLoader::OnStopRequest (this=0xf59e970, request=0xf594150, ctxt=0xf5b5b00, aStatus=0) at /Users/roc/mozilla-checkin/netwerk/base/src/nsStreamLoader.cpp:127 #13 0x0361e807 in nsHTTPCompressConv::OnStopRequest (this=0xf8d1300, request=0xf594150, aContext=0xf5b5b00, aStatus=0) at /Users/roc/mozilla-checkin/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127 ... (gdb) p ::DumpJSStack() 0 p(c = [object Window @ 0xe6fb020 (native @ 0xe6fa0e0)], b = [function], a = ) ["https://docs.google.com/wrt/client/js/1369408591-EditPageModularized_editor_base_mod__en_gb.js":1] d = "BlogSettingsDlg" this = [object Window @ 0xe6fb020 (native @ 0xe6fa0e0)] 1 <TOP LEVEL> ["https://docs.google.com/wrt/client/js/1369408591-EditPageModularized_editor_base_mod__en_gb.js":844] this = [object Window @ 0xe6fb020 (native @ 0xe6fa0e0)] $1 = void (gdb) p *regs $3 = { pc = 0xf7ef98f "\006", sp = 0x221b4c74 } (gdb) p *innermost $4 = { <nanojit::SideExit> = { guards = 0x2163659c, from = 0x949e604, target = 0x0, switchInfo = 0x0 }, members of VMSideExit: block = 0x0, pc = 0xf7ef9b4 "T", imacpc = 0x0, sp_adj = 0, rp_adj = 0, calldepth = 0, numGlobalSlots = 1, numStackSlots = 7, numStackSlotsBelowCurrentFrame = 0, exitType = STATUS_EXIT, lookupFlags = 1, nativeCalleeWord = 0 }
Flags: blocking1.9.2?
Reporter | ||
Comment 1•15 years ago
|
||
This is changeset 2be4d13d8426+ (no JS engine patches applied, of course). Needless to say, turning off the JIT stops the crash.
Comment 2•15 years ago
|
||
see bug 519534
Comment 3•15 years ago
|
||
Can we dup this so people don't waste time diagnosing this? dvander?
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
You need to log in
before you can comment on or make changes to this bug.
Description
•