Closed Bug 576737 Opened 14 years ago Closed 14 years ago

TM: "Assertion failure: !JSVAL_IS_NULL(id),"

Categories: Core :: JavaScript Engine
Type: defect
Platform: x86 macOS
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?] fixed by 576722)

try {
    (x = {})();
} catch(e) {}
try {
    for (a in [0]) {
        gczeal(1);
    }
    print(7);
    <{x}><ccc:ddd></ccc:ddd></{x}>
} catch(e) {}
evalcx("");

Asserts the js debug shell on TM tip with -j at "Assertion failure: !JSVAL_IS_NULL(id), at ../jsscope.cpp:412" when the testcase is passed to the shell as a CLI argument.
blocking2.0: --- → ?
s-s and assuming [sg:critical?] because this involves gczeal.
Group: core-security
Whiteboard: [sg:critical?]
Tested with TM changeset:

http://hg.mozilla.org/tracemonkey/rev/28de8731f08c

===

Assertion failure: !JSVAL_IS_NULL(id), at ../jsscope.cpp:412

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1f303c "!JSVAL_IS_NULL(id)", file=0x1f40fd "../jsscope.cpp", ln=412) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1f303c "!JSVAL_IS_NULL(id)", file=0x1f40fd "../jsscope.cpp", ln=412) at ../jsutil.cpp:77
#1  0x00128403 in JSScope::searchTable (this=0x40d920, id=0, adding=true) at ../jsscope.cpp:412
#2  0x00027a37 in JSScope::search (this=0x40d920, id=0, adding=true) at jsscope.h:969
#3  0x001293b5 in JSScope::changeTable (this=0x40d920, cx=0x865200, change=1) at ../jsscope.cpp:525
#4  0x0012a308 in JSScope::addPropertyHelper (this=0x40d920, cx=0x865200, id=16779076, getter=0, setter=0, slot=4294967295, attrs=0, flags=0, shortid=0, spp=0x40a9a4) at ../jsscope.cpp:864
#5  0x0012a624 in JSScope::putProperty (this=0x40d920, cx=0x865200, id=16779076, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, slot=4294967295, attrs=0, flags=0, shortid=0) at ../jsscope.cpp:931
#6  0x000c4a33 in js_DefineNativeProperty (cx=0x865200, obj=0x10022a0, id=16779076, value=16797752, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0, flags=0, shortid=0, propp=0x0, defineHow=0) at ../jsobj.cpp:4306
#7  0x000c4cde in js_DefineProperty (cx=0x865200, obj=0x10022a0, id=16779076, value=16797752, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0) at ../jsobj.cpp:4170
#8  0x00025fa4 in JSObject::defineProperty (this=0x10022a0, cx=0x865200, id=16779076, value=16797752, getter=0xf962 <JS_PropertyStub>, setter=0xf962 <JS_PropertyStub>, attrs=0) at jsobj.h:656
#9  0x0006de3e in js_DefineFunction (cx=0x865200, obj=0x10022a0, atom=0x1000744, native=0xcaf64 <js_obj_defineSetter>, nargs=2, attrs=2048) at ../jsfun.cpp:2552
#10 0x00016dbd in JS_DefineFunction (cx=0x865200, obj=0x10022a0, name=0x1ef63e "__defineSetter__", call=0xcaf64 <js_obj_defineSetter>, nargs=2, attrs=6144) at ../jsapi.cpp:4373
#11 0x00018379 in JS_DefineFunctions (cx=0x865200, obj=0x10022a0, fs=0x20a5e0) at ../jsapi.cpp:4358
#12 0x000c75bc in js_InitClass (cx=0x865200, obj=0x10022c0, parent_proto=0x0, clasp=0x20a300, constructor=0xc7db0 <js_Object>, nargs=1, ps=0x20a520, fs=0x20a540, static_ps=0x0, static_fs=0x20a620) at ../jsobj.cpp:3542
#13 0x000c776e in js_InitObjectClass (cx=0x865200, obj=0x10022c0) at ../jsobj.cpp:3351
#14 0x00019ac7 in js_InitFunctionAndObjectClasses (cx=0x865200, obj=0x10022c0) at ../jsapi.cpp:1226
#15 0x00019cca in JS_InitStandardClasses (cx=0x865200, obj=0x10022c0) at ../jsapi.cpp:1271
#16 0x0000596b in NewSandbox (cx=0x865200, lazy=false, split=false) at ../../shell/js.cpp:2939
#17 0x00005c56 in EvalInContext (cx=0x865200, obj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at ../../shell/js.cpp:2981
#18 0x000afc45 in js::callJSNative (cx=0x865200, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1002000, argc=1, argv=0x5000e8, rval=0x500130) at jscntxtinlines.h:339
#19 0x000ac3a1 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x865200, fun=0x1003e00, script=0x0, native=0x5b01 <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0xbffff2cc, flags=2) at jsinterp.cpp:591
#20 0x000aebfa in js_Invoke (cx=0x865200, args=@0xbffff2cc, flags=2) at jsinterp.cpp:693
#21 0x0009c595 in js_Interpret (cx=0x865200) at jsops.cpp:2155
#22 0x000ae293 in js_Execute (cx=0x865200, chain=0x1002000, script=0x40d1f0, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#23 0x00015e69 in JS_ExecuteScript (cx=0x865200, obj=0x1002000, script=0x40d1f0, rval=0x0) at ../jsapi.cpp:4751
#24 0x00009526 in Process (cx=0x865200, obj=0x1002000, filename=0xbffff9cd "w3309-cj-in.js", forceTTY=0) at ../../shell/js.cpp:429
#25 0x0000a259 in ProcessArgs (cx=0x865200, obj=0x1002000, argv=0xbffff8e0, argc=2) at ../../shell/js.cpp:843
#26 0x0000a372 in shell (cx=0x865200, argc=2, argv=0xbffff8e0, envp=0xbffff8ec) at ../../shell/js.cpp:5025
#27 0x0000a496 in main (argc=2, argv=0xbffff8e0, envp=0xbffff8ec) at ../../shell/js.cpp:5112
blocking2.0: ? → final+
http://hg.mozilla.org/tracemonkey/rev/49abcb57270a :

$ ./js-dbg-32-tm-linux ../576734.js 
Segmentation fault
$

http://hg.mozilla.org/tracemonkey/rev/cfdbd2d27b5f (the next changeset, i.e.
the patch from bug 576722) :

$ ./js-dbg-32-tm-linux ../576734.js 
$

Seems to be fixed by bug 576722.
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
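The two runs in the comment above (one build that dies on the testcase, the next changeset that exits cleanly) are the whole verification. The helper below is an added example, not part of this bug or of SpiderMonkey: it runs an arbitrary shell binary on a testcase, classifies the result as assertion, segfault, abort, clean or another exit code, and checks that a "before" build misbehaves while an "after" build runs clean. Binary and testcase names are whatever the caller passes; the revision-suffixed names in the trailing comment are assumed for illustration.

```shell
#!/bin/sh
# Added triage helper (not part of the bug report or SpiderMonkey): runs a
# js shell binary on a testcase and classifies the outcome the way the two
# runs above are compared by eye. Binary and testcase paths are arguments
# supplied by the caller.

# classify_run <command> [args...]
# Prints exactly one token:
#   assertion   - stderr carries a JS_Assert "Assertion failure:" line
#                 (a debug shell then writes to NULL, so this is checked
#                 before the exit status)
#   segfault    - process died with SIGSEGV (exit status 128+11)
#   abort       - process died with SIGABRT (exit status 128+6)
#   clean       - exit status 0 and no assertion text
#   exit(N)     - any other exit status N (127 when the binary is missing)
classify_run() {
    errfile=$(mktemp) || return 1
    status=0
    "$@" >/dev/null 2>"$errfile" || status=$?
    if grep -q '^Assertion failure:' "$errfile"; then
        rm -f "$errfile"
        echo assertion
        return 0
    fi
    rm -f "$errfile"
    case "$status" in
        0)   echo clean ;;
        139) echo segfault ;;
        134) echo abort ;;
        *)   echo "exit($status)" ;;
    esac
}

# confirm_fix <before-binary> <after-binary> <testcase>
# Reproduces the comparison above: the build before the candidate fix must
# misbehave on the testcase and the build after it must run clean. Prints
# both verdicts and returns 0 only when that holds.
confirm_fix() {
    before=$(classify_run "$1" "$3")
    after=$(classify_run "$2" "$3")
    printf '%s %s: %s\n' "$1" "$3" "$before"
    printf '%s %s: %s\n' "$2" "$3" "$after"
    [ "$before" != clean ] && [ "$after" = clean ]
}

# Example invocation; the revision-suffixed binary names are assumed, not
# from the bug:
# confirm_fix ./js-dbg-32-tm-linux-49abcb57270a ./js-dbg-32-tm-linux-cfdbd2d27b5f ../576737.js
```

Checking stderr for the assertion text before looking at the exit status matters because a debug shell reports the assertion and then crashes on the deliberate NULL write, so the status alone would misfile it as a plain segfault.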
(In reply to comment #3)
> $ ./js-dbg-32-tm-linux ../576734.js 

... where of course I meant "../576737.js"
Doesn't seem to affect the 1.9.2/1.9.1 branches
Depends on: 576722
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 576722
Tracer has been long gone on trunk, marking verified. Also opening this, as it does not affect 1.9.x branches and has long been fixed.
Group: core-security
Status: RESOLVED → VERIFIED
Filter on qa-project-auto-change:

Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
Issue is resolved - clearing old keywords - qa-wanted clean-up