Closed Bug 547791 Opened 14 years ago Closed 14 years ago

Assertion Failure: memcmp(anchor->recursive_down, fi, sizeof(FrameInfo)) == 0

Product/Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Reporter: dougt
Assigned: dvander
Whiteboard: fixed-in-tracemonkey
Attachments: 1 file, 1 obsolete file

Using Fennec on GTK Desktop on the E10S branch, we are seeing this assertion:

#0  0xb76fc832 in ?? () from /lib/ld-linux.so.2
#1  0xb4b82a76 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2  0xb4b82891 in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0xb5989f45 in ah_crap_handler (signum=6) at /home/dougt/builds/e10s/electrolysis/toolkit/xre/nsSigHandlers.cpp:164
#4  0xb598e78e in nsProfileLock::FatalSignalHandler (signo=6, info=0xbf8c09dc, context=0xbf8c0a5c) at nsProfileLock.cpp:221
#5  <signal handler called>
#6  0xb76fc832 in ?? () from /lib/ld-linux.so.2
#7  0xb75fb4d1 in JS_Assert (s=0xb76ba110 "memcmp(anchor->recursive_down, fi, sizeof(FrameInfo)) == 0", 
    file=0xb76ba060 "/home/dougt/builds/e10s/electrolysis/js/src/jsrecursion.cpp", ln=144) at /home/dougt/builds/e10s/electrolysis/js/src/jsutil.cpp:75
#8  0xb7646ac8 in AssertDownFrameIsConsistent (cx=0xb0874000, anchor=0xab1dce9c, fi=0xbf8c0dd0) at /home/dougt/builds/e10s/electrolysis/js/src/jsrecursion.cpp:144
#9  0xb76470a7 in js::TraceRecorder::upRecursion (this=0xb1604800) at /home/dougt/builds/e10s/electrolysis/js/src/jsrecursion.cpp:250
#10 0xb7632702 in js::TraceRecorder::record_JSOP_RETURN (this=0xb1604800) at /home/dougt/builds/e10s/electrolysis/js/src/jstracer.cpp:10201
#11 0xb7626da2 in js::TraceRecorder::monitorRecording (this=0xb1604800, op=JSOP_RETURN) at /home/dougt/builds/e10s/electrolysis/js/src/jsopcode.tbl:118
#12 0xb75439d7 in js_Interpret (cx=0xb0874000) at /home/dougt/builds/e10s/electrolysis/js/src/jsops.cpp:78
#13 0xb756ded6 in js_Invoke (cx=0xb0874000, argc=2, vp=0xb0876020, flags=0) at /home/dougt/builds/e10s/electrolysis/js/src/jsinterp.cpp:1396
#14 0xb756e15c in js_InternalInvoke (cx=0xb0874000, obj=0xb171c920, fval=-1289239552, flags=0, argc=2, argv=0xab1770a8, rval=0xbf8c1580)
    at /home/dougt/builds/e10s/electrolysis/js/src/jsinterp.cpp:1453
#15 0xb74f0f8b in JS_CallFunctionValue (cx=0xb0874000, obj=0xb171c920, fval=-1289239552, argc=2, argv=0xab1770a8, rval=0xbf8c1580)
    at /home/dougt/builds/e10s/electrolysis/js/src/jsapi.cpp:5122
#16 0xb62c2c01 in nsJSContext::CallEventHandler (this=0xb08dbc00, aTarget=0xb429f5b0, aScope=0xb171c920, aHandler=0xb327c400, aargv=0xab13dc44, arv=0xbf8c16b8)
    at /home/dougt/builds/e10s/electrolysis/dom/base/nsJSEnvironment.cpp:2172
#17 0xb62fc9f8 in nsGlobalWindow::RunTimeout (this=0xb429f5b0, aTimeout=0xab176c80) at /home/dougt/builds/e10s/electrolysis/dom/base/nsGlobalWindow.cpp:8396
#18 0xb62fd64a in nsGlobalWindow::TimerCallback (aTimer=0xab176cc0, aClosure=0xab176c80) at /home/dougt/builds/e10s/electrolysis/dom/base/nsGlobalWindow.cpp:8740
#19 0xb6d8a1de in nsTimerImpl::Fire (this=0xab176cc0) at /home/dougt/builds/e10s/electrolysis/xpcom/threads/nsTimerImpl.cpp:427
#20 0xb6d8a415 in nsTimerEvent::Run (this=0xab13d0c0) at /home/dougt/builds/e10s/electrolysis/xpcom/threads/nsTimerImpl.cpp:519
#21 0xb6d83a70 in nsThread::ProcessNextEvent (this=0xb42d26a0, mayWait=1, result=0xbf8c186c)
    at /home/dougt/builds/e10s/electrolysis/xpcom/threads/nsThread.cpp:527
#22 0xb6d198b5 in NS_ProcessNextEvent_P (thread=0xb42d26a0, mayWait=1) at nsThreadUtils.cpp:250
#23 0xb6bb7487 in mozilla::ipc::MessagePump::Run (this=0xb4287610, aDelegate=0xb42298a0) at /home/dougt/builds/e10s/electrolysis/ipc/glue/MessagePump.cpp:142
#24 0xb6c96c2f in MessageLoop::RunInternal (this=0xb42298a0) at /home/dougt/builds/e10s/electrolysis/ipc/chromium/src/base/message_loop.cc:216
#25 0xb6c96bab in MessageLoop::RunHandler (this=0xb42298a0) at /home/dougt/builds/e10s/electrolysis/ipc/chromium/src/base/message_loop.cc:199
#26 0xb6c96b2f in MessageLoop::Run (this=0xb42298a0) at /home/dougt/builds/e10s/electrolysis/ipc/chromium/src/base/message_loop.cc:173
#27 0xb6a6b640 in nsBaseAppShell::Run (this=0xb0b3f6a0) at /home/dougt/builds/e10s/electrolysis/widget/src/xpwidgets/nsBaseAppShell.cpp:174
#28 0xb680631f in nsAppStartup::Run (this=0xb0917670) at /home/dougt/builds/e10s/electrolysis/toolkit/components/startup/src/nsAppStartup.cpp:183
#29 0xb597c77d in XRE_main (argc=1, argv=0xbf8c3074, aAppData=0xb4218380) at /home/dougt/builds/e10s/electrolysis/toolkit/xre/nsAppRunner.cpp:3489
#30 0x0804b63f in main (argc=1, argv=0xbf8c3074) at /home/dougt/builds/e10s/electrolysis/xulrunner/app/nsXULRunnerApp.cpp:463



(gdb) list
139	            (typeMap[i] == TT_DOUBLE && m1[i] == TT_INT32)) {
140	            continue;
141	        }
142	        JS_NOT_REACHED("invalid RECURSIVE_MISMATCH exit");
143	    }
144	    JS_ASSERT(memcmp(anchor->recursive_down, fi, sizeof(FrameInfo)) == 0);
145	}
146	#endif
147	
148	JS_REQUIRES_STACK VMSideExit*
(gdb) p anchor.recursive_down
$1 = (class js::FrameInfo *) 0xab1bb614
(gdb) p fi
$2 = (class js::FrameInfo *) 0xbf8c0dd0
(gdb) p *fi
$3 = {block = 0x0, pc = 0xb082875b ":", imacpc = 0x0, spdist = 6, argc = 0, callerHeight = 8, callerArgc = 0}
(gdb) p *anchor.recursive_down 
$4 = {block = 0xb3278a00, pc = 0xb082875b ":", imacpc = 0x0, spdist = 6, argc = 0, callerHeight = 8, callerArgc = 0}
(gdb) panchor-^CpQuit
(gdb) p anchor.numStackSlots
$5 = 7
(gdb) x/7bx anchor.recursive_down
0xab1bb614:	0x00	0x8a	0x27	0xb3	0x5b	0x87	0x82
(gdb) x/7bx anchor.recursive_downcp^C
There is no member or method named recursive_downcp.
(gdb) 
0xab1bb61b:	0xb0	0x00	0x00	0x00	0x00	0x06	0x00
(gdb) p fi->get_typemap()
$6 = (js::TraceType *) 0xbf8c0dec
(gdb) x/7bx $
0xbf8c0dec:	0x07	0x00	0x05	0x00	0x00	0x05	0x01
(gdb) x/7bx $2->get_typemap()
0xbf8c0dec:	0x07	0x00	0x05	0x00	0x00	0x05	0x01
(gdb) p cx.fp.script
$7 = (JSScript *) 0xb0828680
(gdb) p js_Disassemble1(cx, cx.fp.script, 1, stdout)
Too few arguments in function call.
(gdb) p js_Disassemble1(cx, cx.fp.scr^CpQuit, stdout)
(gdb) p js_Disassemble1
$8 = {uintN (JSContext *, JSScript *, jsbytecode *, uintN, JSBool, FILE *)} 0xb759649d <js_Disassemble1>
(gdb) p js_Disassemble1(cx, cx.fp.script, 1, 1, stdout)
Too few arguments in function call.
(gdb) p js_Disassemble1(cx, cx.fp.script, cx.fp.script.code, 1, 1, stdout)
$9 = 1
(gdb) p js_Disassemble1(cx, cx.fp^Ccript, cx.fp.script.code, 1, 1, stdout)
$10 = 1
(gdb) p js_Disassemble(cx, cx.fp.script, 1, stdout)
$11 = 1
(gdb) call js_Disassemble(cx, cx.fp.script, 1, stdout)
$12 = 1
(gdb) call js_Disassemble(cx, cx.fp.script, 1, stderr)
$13 = 1
(gdb) p cx.fp.script.filename
$14 = 0xb0c69291 "chrome://browser/content/TileManager.js"
(gdb) p cx.fp.script.lineno
$15 = 742


js_Disassemble stdout :

00001: 742  trace
00001: 742  trace
main:
00000: 742  trace
00001: 745  this
00002: 745  getprop "_crawlQueue"
00005: 745  callprop "pop"
00008: 745  call 0
00011: 745  trace
00012: 745  or 23 (11)
00015: 745  this
00016: 745  callprop "dequeue"
00019: 745  call 0
00022: 745  trace
00023: 745  setlocal 0
00026: 745  pop
00027: 746  null
00028: 746  setlocal 1
00031: 746  pop
00032: 747  getlocal 0
00035: 747  ifeq 126 (91)
00038: 747  enterblock depth 0 {j: 1, i: 0}
00041: 748  getlocal 0
00044: 748  dup
00045: 748  zero
00046: 748  getelem
00047: 748  setlocalpop 2
00050: 748  dup
00051: 748  one
00052: 748  getelem
00053: 748  setlocalpop 3
00056: 748  pop
00057: 751  this
00058: 751  getprop "_tileCache"
00061: 751  callprop "getTile"
00064: 751  getlocal 2
00067: 751  getlocal 3
00070: 751  true
00071: 751  getthisprop "_notVisited"
00074: 751  call 4
00077: 751  trace
00078: 751  setlocal 1
00081: 751  pop
00082: 752  getlocal 1
00085: 752  ifeq 111 (26)
00088: 753  getthisprop "_visited"
00091: 753  this
00092: 753  callprop "_strIndices"
00095: 753  getlocal 2
00098: 753  getlocal 3
00101: 753  call 2
00104: 753  trace
00105: 753  true
00106: 753  setelem
00107: 753  pop
00108: 753  goto 123 (15)
00111: 755  this
00112: 755  callprop "next"
00115: 755  call 0
00118: 755  trace
00119: 755  setlocal 1
00122: 755  pop
00123: 755  leaveblock 2
00126: 758  getlocal 1
00129: 758  return
00130: 758  stop


Code being traced/run:


next: function next() {
    // Priority for next goes to the crawl queue, dirty tiles afterwards. Since dirty
    // tile queue does not really have a necessary order, pop off the top.
    let coords = this._crawlQueue.pop() || this.dequeue();
    let tile = null;
    if (coords) {
      let [i, j] = coords;
      // getTile will create a tile only if there are any left in our capacity that have not been
      // visited already by the crawler.
      tile = this._tileCache.getTile(i, j, true, this._notVisited);
      if (tile) {
        this._visited[this._strIndices(i, j)] = true;
      } else {
        tile = this.next();
      }
    }
    return tile;
  },
Assignee: general → dvander
Attached patch fix (obsolete)
think-o. Explanation: this code attempts to "guess" the down frame's FrameInfo structure. There's an assert that the guess is correct. However it was using the current frame's blockChain, not the down frame's blockChain.
Attachment #428282 - Flags: review?(gal)
Attachment #428282 - Flags: review?(gal) → review+
Attached patch better fix
Bleh, of course after pushing that I realized it's probably not the best fix. It doesn't make sense for recursion to just pop block objects at all. We don't even trace JSOP_LEAVEBLOCK.

This fix is better: we just shouldn't trace recursion when a block chain is present.
Attachment #428282 - Attachment is obsolete: true
Attachment #428362 - Flags: review?(gal)
Attachment #428362 - Flags: review?(gal) → review+
http://hg.mozilla.org/mozilla-central/rev/fc4d0d62691d
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
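
Added example (not part of the bug report or the SpiderMonkey source): a small C model of the mismatch discussed above. It compares the two FrameInfo values printed in the gdb session field by field instead of with memcmp, and contrasts a guess that reads the block from the returning frame with one that reads it from the down frame. The field types, FrameModel, guess_down_frame and mismatch_for_guess are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for js::FrameInfo: field names are from the gdb output
 * on this page, field types are assumptions. */
typedef struct {
    uintptr_t block, pc, imacpc;
    uint16_t spdist, argc, callerHeight, callerArgc;
} FrameInfoModel;

/* Hypothetical interpreter frame holding only what the guess reads. */
typedef struct FrameModel {
    uintptr_t block_chain;          /* 0 when no let-block is open */
    const struct FrameModel *down;  /* the caller's frame */
} FrameModel;

enum { FI_BLOCK = 1, FI_PC = 2, FI_IMACPC = 4, FI_SPDIST = 8,
       FI_ARGC = 16, FI_CALLER_HEIGHT = 32, FI_CALLER_ARGC = 64 };

/* Field-wise comparison: unlike memcmp, it names the mismatching fields. */
unsigned frameinfo_diff(const FrameInfoModel *a, const FrameInfoModel *b) {
    return (a->block != b->block ? FI_BLOCK : 0) | (a->pc != b->pc ? FI_PC : 0)
         | (a->imacpc != b->imacpc ? FI_IMACPC : 0) | (a->spdist != b->spdist ? FI_SPDIST : 0)
         | (a->argc != b->argc ? FI_ARGC : 0)
         | (a->callerHeight != b->callerHeight ? FI_CALLER_HEIGHT : 0)
         | (a->callerArgc != b->callerArgc ? FI_CALLER_ARGC : 0);
}

/* Guess the down frame's FrameInfo at return time. use_down = 0 models the
 * think-o (block read from the returning frame), 1 models the first fix. */
FrameInfoModel guess_down_frame(const FrameModel *cur, int use_down) {
    FrameInfoModel fi = { 0, 0xb082875bu, 0, 6, 0, 8, 0 };  /* other fields as in gdb $3 */
    fi.block = use_down ? cur->down->block_chain : cur->block_chain;
    return fi;
}

/* Constructed scenario from the session: the caller is inside the let block
 * at this.next(); the callee has already executed leaveblock before return. */
unsigned mismatch_for_guess(int use_down) {
    FrameInfoModel recorded = { 0xb3278a00u, 0xb082875bu, 0, 6, 0, 8, 0 };  /* gdb $4 */
    FrameModel caller = { 0xb3278a00u, NULL }, callee = { 0, &caller };
    FrameInfoModel fi = guess_down_frame(&callee, use_down);
    return frameinfo_diff(&recorded, &fi);
}

int main(void) {
    printf("think-o: %#x, first fix: %#x\n", mismatch_for_guess(0), mismatch_for_guess(1));
    return 0;
}
```

A mask of FI_BLOCK alone corresponds to what the session shows: every field of the two structures matches except block.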