Closed Bug 564344 Opened 15 years ago Closed 15 years ago

Crash or "Assertion failure: slot < (this)->scope()->freeslot, at ../jsscope.h:563" @ JSObject::getSlot(unsigned int) when redefining property

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED FIXED
mozilla1.9.3a5

People

(Reporter: aja+bugzilla, Assigned: jorendorff)

Details

(Keywords: crash, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 2 obsolete files)

http://crash-stats.mozilla.com/report/index/b79e0754-8d65-463c-b54a-da5c62100506 crash stats showing these began on May 4th sometime... and is now in top 20
Version: unspecified → Trunk
Signature: JSObject::getSlot(unsigned int)
UUID: b79e0754-8d65-463c-b54a-da5c62100506
Time: 2010-05-06 18:08:07.619756
Uptime: 11135
Last Crash: 3878863 seconds before submission
Product: Firefox
Version: 3.7a5pre
Build ID: 20100506040636
Branch: 1.9.3
OS: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU: x86
CPU Info: GenuineIntel family 15 model 1 stepping 2
Crash Reason: EXCEPTION_ACCESS_VIOLATION
Crash Address: 0xffffffffffffffe8
User Comments:

Crashing Thread
Frame  Module     Signature                    Source
0      mozjs.dll  JSObject::getSlot            js/src/jsobj.h:310
1      mozjs.dll  JSScope::methodWriteBarrier  js/src/jsscopeinlines.h:152
2      mozjs.dll  js_DefineNativeProperty
3      mozjs.dll  js_DefineProperty            js/src/jsobj.cpp:4096
4      mozjs.dll  JS_DefinePropertyById        js/src/jsapi.cpp:2958
5      xul.dll    DefinePropertyIfFound        js/src/xpconnect/src/xpcwrappednativejsops.cpp:534
6      xul.dll    XPC_WN_NoHelper_Resolve      js/src/xpconnect/src/xpcwrappednativejsops.cpp:805
7      mozjs.dll  js_LookupPropertyWithFlags   js/src/jsobj.cpp:4406
Severity: normal → critical
Keywords: crash
Guessing this began with t-m -> m-c merge on 4th: http://hg.mozilla.org/mozilla-central/rev/13bcf4386e12
Another crash, this time within approx 5 mins after watching a 45min movie on Hulu. Wonder - could be related to some sort of cycle-collection/garbage-collection maybe: http://crash-stats.mozilla.com/report/index/bp-034c735a-5eb0-4d62-94f4-47cb52100509
topcrash? active in latest nightly, hitting this frequently
Attached image crash screenshot
Blocks: 560998
Attached patch proposal (obsolete) — Splinter Review
I haven't run this through tests and am not quite sure about the context, locking rules, or fallbacks. But I think this is along the right lines. Since this is jorendorff's code, I'm tossing this to him; if he doesn't like it, he's welcome to take the bug.
Assignee: general → timeless
Status: NEW → ASSIGNED
Attachment #444370 - Flags: review?(jorendorff)
This crash is occurring much more while my net is capped and there are pages taking longer than usual to load fully.
Assignee: timeless → jorendorff
BEGIN_TEST(testDefineProperty_bug564344)
{
    jsvalRoot x(cx);
    EVAL("function f() {}\n"
         "var x = {p: f};\n"
         "x.p(); // brand x's scope\n"
         "x;", x.addr());
    JSObject *obj = JSVAL_TO_OBJECT(x.value());
    for (int i = 0; i < 2; i++)
        CHECK(JS_DefineProperty(cx, obj, "q", JSVAL_VOID, NULL, NULL, JSPROP_SHARED));
    return true;
}
END_TEST(testDefineProperty_bug564344)

Assertion failure: slot < (this)->scope()->freeslot, at ../jsscope.h:563
Comment on attachment 444370
proposal

Thanks for bothering to patch, but this isn't what we want.
Attachment #444370 - Flags: review?(jorendorff) → review-
Attached patch v1 (obsolete) — Splinter Review
My mistake.
Attachment #444370 - Attachment is obsolete: true
Attachment #444429 - Flags: review?(brendan)
Attachment #444429 - Flags: review?(brendan) → review+
Summary: Crash Report [@ JSObject::getSlot(unsigned int) ] → Crash or "Assertion failure: slot < (this)->scope()->freeslot, at ../jsscope.h:563" @ JSObject::getSlot(unsigned int) when redefining property
Keywords: regression, testcase
Attached patch v2 — Splinter Review
Carrying forward brendan's r+. v1 had some tab characters in it -- oops. Here's the patch with that fixed and a nice commit message, suitable for hg import or whatever, in case someone wants to push this tonight. It can go into either m-c or tracemonkey. I consider the change very safe.
Attachment #444429 - Attachment is obsolete: true
Attachment #444512 - Flags: review+
Whiteboard: checkin-needed
Whiteboard: checkin-needed → fixed-in-tracemonkey
Blocks: 559957
Depends on: 564572
Blocks: 564572
No longer depends on: 564572
I transplanted the above changeset to mozilla-central: http://hg.mozilla.org/mozilla-central/rev/94591caa7f0c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a5