TM: "Assertion failure: !f->typeMap.matches(peer->typeMap),"

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
8 years ago
5 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86
Mac OS X
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(status2.0 unaffected, status1.9.2 ?)

Details

(Reporter)

Description

8 years ago
eval("\
  for each(d in[0,0,0,0,0,0,0,0,0,0,0,0]) {\
    (function f(aaaaaa,bbbbbb){\
      return aaaaaa.length==bbbbbb?0:aaaaaa[bbbbbb]+f(aaaaaa,bbbbbb+1)\
    })\
    ([,,true,'',,(0),(0/0),new Number,true,Number()],0)\
  }\
")

asserts js debug shell on TM tip with -j at Assertion failure: !f->typeMap.matches(peer->typeMap), at ../jstracer.cpp:1514

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb5d in JS_Assert (s=0x1f7224 "!f->typeMap.matches(peer->typeMap)", file=0x1f6415 "../jstracer.cpp", ln=1514) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb5d in JS_Assert (s=0x1f7224 "!f->typeMap.matches(peer->typeMap)", file=0x1f6415 "../jstracer.cpp", ln=1514) at ../jsutil.cpp:77
#1  0x0017577a in js::AssertTreeIsUnique (tm=0x8375c4, f=0x86fa04) at ../jstracer.cpp:1514
#2  0x0018fc2b in js::RecordTree (cx=0x809200, first=0x86f204, outer=0x0, outerArgc=0, globalSlots=0x85f414, reason=js::Record_Branch) at ../jstracer.cpp:5617
#3  0x00190282 in js::AttemptToStabilizeTree (cx=0x809200, globalObj=0x1002000, exit=0x874b94, outer=0x0, outerArgc=0) at ../jstracer.cpp:5758
#4  0x00190f3d in js::MonitorLoopEdge (cx=0x809200, inlineCallCount=@0xbfffeaa8, reason=js::Record_EnterFrame) at ../jstracer.cpp:7036
#5  0x0009c276 in js_Interpret (cx=0x809200) at jsops.cpp:2130
#6  0x000ae3a3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cf70, down=0x500098, flags=16, result=0x5000e0) at jsinterp.cpp:891
#7  0x000cc64c in obj_eval () at ../jsobj.cpp:1305
#8  0x0009c537 in js_Interpret (cx=0x809200) at jsops.cpp:2145
#9  0x000ae3a3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40cc00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#10 0x00015f79 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40cc00, rval=0x0) at ../jsapi.cpp:4751
#11 0x00009636 in Process (cx=0x809200, obj=0x1002000, filename=0xbffff9c5 "w2457-reduced.js", forceTTY=0) at ../../shell/js.cpp:429
#12 0x0000a369 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff8d8, argc=2) at ../../shell/js.cpp:843
#13 0x0000a482 in shell (cx=0x809200, argc=2, argv=0xbffff8d8, envp=0xbffff8e4) at ../../shell/js.cpp:5025
#14 0x0000a5a6 in main (argc=2, argv=0xbffff8d8, envp=0xbffff8e4) at ../../shell/js.cpp:5112
(Reporter)

Comment 2

8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   46551:57fdbfdcda13
parent:      46296:3348d89b43d3
parent:      46550:3b1c1d1fe7aa
user:        Robert Sayre
date:        Wed Jun 30 11:54:20 2010 -0700
summary:     Merge mozilla-central to tracemonkey.

(Strange that this seems related to a m-c to TM merge?)
(Reporter)

Comment 3

8 years ago
Here's a more possible regressing changeset:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   46299:66d75f2240b0
user:        Andreas Gal
date:        Thu Jun 24 15:18:07 2010 -0700
summary:     Bug 571698 - TM: turn off int/double speculation when we record many peer trees
Blocks: 571698
(Reporter)

Comment 4

8 years ago
I did a m-c autoBisect and it confirms comment #3.
(Reporter)

Updated

8 years ago
Summary: "Assertion failure: !f->typeMap.matches(peer->typeMap)," → TM: "Assertion failure: !f->typeMap.matches(peer->typeMap),"

Updated

8 years ago
Assignee: general → gal
blocking2.0: ? → beta5+
(Reporter)

Comment 5

8 years ago
projects/jaegermonkey 64-bit debug js shells hit this assertion in jsfunfuzz very often. :(

Comment 6

Gary, this bug has to do with tracerecursion which is removed in JM. You're seeing bug 586141.
(Reporter)

Comment 7

8 years ago
(In reply to comment #6)
> Gary, this bug has to do with tracerecursion which is removed in JM. You're
> seeing bug 586141.

Yup, you're right..

Updated

8 years ago
blocking2.0: beta5+ → beta6+

Updated

8 years ago
blocking2.0: beta7+ → ---
status1.9.2: --- → ?
status2.0: --- → ?

Comment 8

8 years ago
Fixed by removing tracerecursion (bug 591539).
Status: NEW → RESOLVED
Last Resolved: 8 years ago
status2.0: ? → unaffected
Resolution: --- → FIXED

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+