Closed
Bug 571744
Opened 14 years ago
Closed 14 years ago
TM: "Assertion failure: slot < (uint32)dslots[-1]," with delete, gc
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.3a5
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][critsmash:investigating] fixed-in-tracemonkey)
Attachments
(1 file)
|
2.37 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
for each(w in [0, 0, this]) {
w.y = NaN;
delete w.y;
gc()
}
asserts js debug shell on TM tip with -j at Assertion failure: slot < (uint32)dslots[-1], at ../jsobj.h:319
s-s because this involves gc. Assuming [sg:critical?] unless otherwise noted.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 42772:fc98415b2fad
user: Brendan Eich
date: Tue Jun 01 19:42:37 2010 -0700
summary: Trace JSOP_DEL{PROP,ELEM} (523452, r=gal).
===
(gdb) bt
#0 0x0012d422 in __kernel_vsyscall ()
#1 0x0013c230 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2 0x08166565 in JS_Assert (s=0x8239021 "slot < (uint32)dslots[-1]", file=0x8239016 "../jsobj.h", ln=319)
at ../jsutil.cpp:80
#3 0x081bae12 in JSObject::getSlotRef (this=0xb7a02000, slot=179) at ../jsobj.h:320
#4 0x081b8a19 in VisitGlobalSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, globalObj=0xb7a02000, ngslots=3,
gslots=0x829c0bc) at ../jstracer.cpp:1811
#5 0x081b8307 in VisitSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, globalObj=0xb7a02000, callDepth=0,
ngslots=3, gslots=0x829c0bc) at ../jstracer.cpp:1841
#6 0x081b7224 in VisitSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, callDepth=0, ngslots=3,
gslots=0x829c0bc) at ../jstracer.cpp:1849
#7 0x0818a9dd in js::TraceRecorder::snapshot (this=0x82a2f40, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4001
#8 0x0818b22a in js::TraceRecorder::guard (this=0x82a2f40, expected=true, cond=0x8270168, exitType=js::STATUS_EXIT)
at ../jstracer.cpp:4208
#9 0x081aa637 in js::TraceRecorder::record_NativeCallComplete (this=0x82a2f40) at ../jstracer.cpp:12911
#10 0x08201908 in js_Interpret (cx=0x829ce28) at ../jsops.cpp:2151
#11 0x080caf28 in js_Execute (cx=0x829ce28, chain=0xb7a02000, script=0x82a4628, down=0x0, flags=0, result=0x0)
at ../jsinterp.cpp:854
#12 0x0806c2cd in JS_ExecuteScript (cx=0x829ce28, obj=0xb7a02000, script=0x82a4628, rval=0x0) at ../jsapi.cpp:4608
#13 0x0804af1d in Process (cx=0x829ce28, obj=0xb7a02000, filename=0xbffff5ca "/home/netbook150/w15259-reduced.js",
forceTTY=0) at ../../shell/js.cpp:422
#14 0x0804bc1a in ProcessArgs (cx=0x829ce28, obj=0xb7a02000, argv=0xbffff408, argc=2) at ../../shell/js.cpp:836
#15 0x0805386a in shell (cx=0x829ce28, argc=2, argv=0xbffff408, envp=0xbffff414) at ../../shell/js.cpp:5018
#16 0x08053986 in main (argc=2, argv=0xbffff408, envp=0xbffff414) at ../../shell/js.cpp:5107
|
Assignee | |
Comment 1•14 years ago
|
||
Assertion failure: slot < (uint32)dslots[-1], at ../jsobj.h:319
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100156b6e in JS_Assert (s=0x1001eb958 "slot < (uint32)dslots[-1]", file=0x1001e9e28 "../jsobj.h", ln=319) at ../jsutil.cpp:77
77 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) up
#1 0x00000001001aef79 in JSObject::getSlotRef (this=0x101402000, slot=179) at jsobj.h:320
320 dslots[slot - JS_INITIAL_NSLOTS]);
(gdb) l
315
316 jsval& getSlotRef(uintN slot) {
317 return (slot < JS_INITIAL_NSLOTS)
318 ? fslots[slot]
319 : (JS_ASSERT(slot < (uint32)dslots[-1]),
320 dslots[slot - JS_INITIAL_NSLOTS]);
321 }
322
323 jsval getSlot(uintN slot) const {
324 return (slot < JS_INITIAL_NSLOTS)
(gdb) p slot
$1 = 179
(gdb) up
#2 0x000000010017e51c in js::VisitGlobalSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, globalObj=0x101402000, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1811
1811 visitor.visitGlobalSlot(&globalObj->getSlotRef(slot), n, slot);
(gdb) up
#3 0x000000010017e97a in js::VisitSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, globalObj=0x101402000, callDepth=0, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1841
1841 VisitGlobalSlots(visitor, cx, globalObj, ngslots, gslots);
(gdb) up
#4 0x000000010017e9d3 in js::VisitSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, callDepth=0, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1849
1849 VisitSlots(visitor, cx, cx->fp->scopeChain->getGlobal(),
(gdb)
#5 0x000000010017f89f in js::TraceRecorder::snapshot (this=0x100415720, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4001
4001 tree->globalSlots->data());
(gdb)
#6 0x000000010018117f in js::TraceRecorder::guard (this=0x100415720, expected=true, cond=0x1008a9a30, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4208
4208 guard(expected, cond, snapshot(exitType));
(gdb)
#7 0x000000010019416b in js::TraceRecorder::record_NativeCallComplete (this=0x100415720) at ../jstracer.cpp:12911
12911 guard(true, lir->insEqI_0(status), STATUS_EXIT);
(gdb) up
#8 0x000000010009bfa2 in js_Interpret (cx=0x100412200) at jsops.cpp:2151
2151 TRACE_0(NativeCallComplete);
(gdb) p cx.regs.pc - script.code
$2 = 46
(gdb) p script.length
$3 = 54
(gdb) call js_Disassemble(cx, script, 0, __stdoutp)
00000: trace
main:
00001: newinit 3
00003: zero
00004: zero
00005: initelem
00006: one
00007: zero
00008: initelem
00009: int8 2
00011: this
00012: initelem
00013: endinit
00014: iter 3
00016: goto 48 (32)
00019: trace
00020: forname "w"
00023: name "w"
00026: name "NaN"
00029: setprop "y"
00032: pop
00033: name "w"
00036: delprop "y"
00039: pop
00040: callname "gc"
00043: call 0
00046: trace
00047: pop
00048: moreiter
00049: ifne 19 (-30)
00052: enditer
00053: stop
$4 = 1
(gdb) fr 1
#1 0x00000001001aef79 in JSObject::getSlotRef (this=0x101402000, slot=179) at jsobj.h:320
320 dslots[slot - JS_INITIAL_NSLOTS]);
(gdb) p dslots
$5 = (jsval *) 0x1008a3a08
(gdb) p dslots[-1]
$6 = 179
(gdb) p slot
$7 = 179
Deleting a global property upsets the trace recorder's idea of what is a valid global slot. I'm focusing on 558451 and could use a hand here -- cc'ing tracing friends. I'll get to this if no one else does.
One quick fix would be to abort on the global object at recording time, and bail at runtime.
/be|
|
Assignee | |
Updated•14 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5
(In reply to comment #1) The quick fix sounds best to me, and is consistent with other ways we handle indirectly modifying globals on trace.
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
|
||
Updated•14 years ago
|
blocking2.0: ? → final+
|
|
Assignee | |
Comment 3•14 years ago
|
||
Attachment #453167 -
Flags: review?(dvander)
|
||
Updated•14 years ago
|
Attachment #453167 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 4•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/e20e6e032cc7 /be
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:critical?][critsmash:investigating] fixed-in-tracemonkey
|
|
||
Comment 5•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/e20e6e032cc7
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
|
||
Comment 6•12 years ago
|
||
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
|
|
||
Comment 7•11 years ago
|
||
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•