549951 - TM: Assertion failure: JSVAL_IS_INT(v), at ../jsapi.h:242

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gregor Wagner [:gwagner]]

in the Debug shell for:

test();

function test()
{
 
  function generate_big_object_graph()
  {
    var root = {};
    f(root, 17);
    return root;
    function f(parent, depth) {
      if (depth == 0) 
          return;
      --depth;

      f(parent.a = {}, depth);
      f(parent.b = {}, depth);
    }
  }

  function f(obj) {
    with (obj)
      return arguments;
  }

  for (var i = 0; i != 10; ++i) {
    gc();
  
    var start = Date.now();
    x = null;
    x = f(generate_big_object_graph());
    var create_end = Date.now();
    gc();
  
    var fullgc_end = Date.now();
    x = null;
    gc();
  
    var emptygc_end = Date.now();
  var actual = "";
  actual = " alloc: "+(create_end - start)+
  "\n used : "+(fullgc_end - create_end) + 
  "\n free : "+(emptygc_end - fullgc_end);
   
  print(actual);
  
  }

}

GDB:
Assertion failure: JSVAL_IS_INT(v), at ../jsapi.h:242

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010013d8fb in JS_Assert (s=0x1001c2860 "JSVAL_IS_INT(v)", file=0x1001caf58 "../jsapi.h", ln=242) at ../jsutil.cpp:73
73	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x000000010013d8fb in JS_Assert (s=0x1001c2860 "JSVAL_IS_INT(v)", file=0x1001caf58 "../jsapi.h", ln=242) at ../jsutil.cpp:73
#1  0x0000000100065141 in JSVAL_TO_INT (v=4298790532) at jsapi.h:242
#2  0x000000010006be27 in CallPropertyOp (cx=0x10087ea00, obj=0x102b32480, id=4298790532, vp=0x7fff5fbfef68, kind=JSCPK_ARGUMENTS, setter=0) at ../jsfun.cpp:1022
#3  0x000000010006c89d in GetCallArguments (cx=0x10087ea00, obj=0x102b32480, id=4298790532, vp=0x7fff5fbfef68) at ../jsfun.cpp:1095
#4  0x00000001000c3dee in JSScopeProperty::get (this=0x100881b40, cx=0x10087ea00, obj=0x102b32480, pobj=0x102b32480, vp=0x7fff5fbfef68) at jsscope.h:922
#5  0x00000001000b844b in js_NativeGet (cx=0x10087ea00, obj=0x102b32480, pobj=0x102b32480, sprop=0x100881b40, getHow=0, vp=0x7fff5fbfef68) at ../jsobj.cpp:4977
#6  0x00000001000927ea in js_Interpret (cx=0x10087ea00) at jsops.cpp:2349
#7  0x00000001000a539c in js_Execute () at jsinterp.cpp:1666
#8  0x0000000100010f05 in JS_ExecuteScript (cx=0x10087ea00, obj=0x1003a3000, script=0x100414820, rval=0x0) at ../jsapi.cpp:4808
#9  0x0000000100009424 in Process (cx=0x10087ea00, obj=0x1003a3000, filename=0x7fff5fbffaa8 "../../../../tests/reg.js", forceTTY=0) at ../../shell/js.cpp:447
#10 0x000000010000a06c in ProcessArgs (cx=0x10087ea00, obj=0x1003a3000, argv=0x7fff5fbff998, argc=1) at ../../shell/js.cpp:860
#11 0x000000010000a383 in main (argc=1, argv=0x7fff5fbff998, envp=0x7fff5fbff9a8) at ../../shell/js.cpp:4878

Comment 1

[Gregor Wagner [:gwagner]]

first bad revision:
changeset:   38540:47c36f454846
user:        Brendan Eich <brendan@mozilla.org>
date:        Tue Mar 02 17:30:54 2010 -0800
summary:     Bug 549617 - JS_EvaluateUCInStackFrame doesn't see variables in flat closure (r=mrbkap).

Comment 2

[Brendan Eich [:brendan]]

D'oh -- cc'ing mrbkap for review help.

/be

Comment 3

[Brendan Eich [:brendan]]

Attachment: fix

Comment 4

[Brendan Eich [:brendan]]

Reorganized the code, forgot we eliminated arguments' tinyid long ago. The extra test shouldn't hurt since we almost always want i computed from id and the branch around this code should be predicted not taken.

/be

Comment 5

[Brendan Eich [:brendan]]

http://hg.mozilla.org/tracemonkey/rev/17ce5c6c65f2

/be

Comment 6

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/17ce5c6c65f2