Closed
Bug 578000
Opened 14 years ago
Closed 14 years ago
(64-bit) "Assertion failure: !sprop->parent," or "Assertion failure: !empty->emptyScope,"
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 576722
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: jorendorff)
Details
(Keywords: assertion, regression, testcase)
try {
    for (; e;) {}
} catch(e) {}
try {
    for each(e in [Boolean(false), '', Boolean(false), false, false, 0, 0]) {
        gczeal(2)
        elseprint()
    }
} catch(e) {}
try {
    for each(b in [/x/, '', '', '', /x/]) {
        gc()
    }
    (evalcx('').x)
} catch(e) {}

asserts 64-bit shell on TM tip without -j at Assertion failure: !sprop->parent, at ../jspropertytree.cpp:752

(Pass this in as a CLI argument, e.g. ./js a.js)

Tested on TM changeset cf557e3fc53d.

Assertion failure: !sprop->parent, at ../jspropertytree.cpp:752

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010015d836 in JS_Assert (s=0x100201e1b "!sprop->parent", file=0x100201ca0 "../jspropertytree.cpp", ln=752) at ../jsutil.cpp:81
81 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0 0x000000010015d836 in JS_Assert (s=0x100201e1b "!sprop->parent", file=0x100201ca0 "../jspropertytree.cpp", ln=752) at ../jsutil.cpp:81
#1 0x0000000100117377 in js::RemoveNodeIfDead (table=0x1004064e0, hdr=0x100515c58, number=14, arg=0x100511ba0) at ../jspropertytree.cpp:752
#2 0x000000010004c2bb in JS_DHashTableEnumerate (table=0x1004064e0, etor=0x100117327 <js::RemoveNodeIfDead(JSDHashTable*, JSDHashEntryHdr*, unsigned int, void*)>, arg=0x100511ba0) at ../jsdhash.cpp:743
#3 0x00000001001179c5 in js::SweepScopeProperties (cx=0x100511ba0) at ../jspropertytree.cpp:804
#4 0x000000010007fb7a in GC (cx=0x100511ba0) at ../jsgc.cpp:3367
#5 0x000000010007fc99 in GCUntilDone (cx=0x100511ba0, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3653
#6 0x000000010007fdd3 in js_GC (cx=0x100511ba0, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3707
#7 0x000000010007fed5 in LastDitchGC (cx=0x100511ba0) at ../jsgc.cpp:1737
#8 0x0000000100080895 in RefillFinalizableFreeList (cx=0x100511ba0, thingKind=0) at ../jsgc.cpp:1761
#9 0x0000000100080bfc in js_NewFinalizableGCThing (cx=0x100511ba0, thingKind=0) at ../jsgc.cpp:1849
#10 0x00000001000c5fbb in js_NewGCObject (cx=0x100511ba0) at jsgc.h:279
#11 0x00000001000c7eec in js::NewObjectWithGivenProto (cx=0x100511ba0, clasp=0x100279fe0, proto=0x0, parent=0x101402500) at jsobjinlines.h:756
#12 0x00000001000ce371 in js::NewObject (cx=0x100511ba0, clasp=0x100279fe0, proto=0x0, parent=0x101402500) at jsobjinlines.h:829
#13 0x00000001000ce498 in js_InitClass (cx=0x100511ba0, obj=0x101402500, parent_proto=0x0, clasp=0x100279fe0, constructor=0x1000cf068 <js_Object>, nargs=1, ps=0x10027a420, fs=0x10027a460, static_ps=0x0, static_fs=0x10027a5c0) at ../jsobj.cpp:3465
#14 0x00000001000ce9ee in js_InitObjectClass (cx=0x100511ba0, obj=0x101402500) at ../jsobj.cpp:3343
#15 0x000000010001b5c7 in js_InitFunctionAndObjectClasses (cx=0x100511ba0, obj=0x101402500) at ../jsapi.cpp:1226
#16 0x000000010001b7a4 in JS_InitStandardClasses (cx=0x100511ba0, obj=0x101402500) at ../jsapi.cpp:1271
#17 0x0000000100006de0 in NewSandbox (cx=0x100511ba0, lazy=false, split=false) at ../../shell/js.cpp:2939
#18 0x00000001000070ff in EvalInContext (cx=0x100511ba0, obj=0x101402000, argc=1, argv=0x1010001d0, rval=0x101000260) at ../../shell/js.cpp:2981
#19 0x00000001000b7291 in js::callJSNative (cx=0x100511ba0, native=0x100006f8d <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x101402000, argc=1, argv=0x1010001d0, rval=0x101000260) at jscntxtinlines.h:339
#20 0x00000001000b3830 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x100511ba0, fun=0x101405c40, script=0x0, native=0x100006f8d <EvalInContext(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0x7fff5fbfeeb0, flags=2) at jsinterp.cpp:591
#21 0x00000001000b61d8 in js_Invoke (cx=0x100511ba0, args=@0x7fff5fbfeeb0, flags=2) at jsinterp.cpp:693
#22 0x00000001000a26f7 in js_Interpret (cx=0x100511ba0) at jsops.cpp:2155
#23 0x00000001000b585f in js_Execute (cx=0x100511ba0, chain=0x101402000, script=0x100514f10, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#24 0x000000010001785e in JS_ExecuteScript (cx=0x100511ba0, obj=0x101402000, script=0x100514f10, rval=0x0) at ../jsapi.cpp:4751
#25 0x000000010000aa51 in Process (cx=0x100511ba0, obj=0x101402000, filename=0x7fff5fbff950 "sprop.js", forceTTY=0) at ../../shell/js.cpp:429
#26 0x000000010000b68b in ProcessArgs (cx=0x100511ba0, obj=0x101402000, argv=0x7fff5fbff7c0, argc=1) at ../../shell/js.cpp:843
#27 0x000000010000b773 in shell (cx=0x100511ba0, argc=1, argv=0x7fff5fbff7c0, envp=0x7fff5fbff7d0) at ../../shell/js.cpp:5025
#28 0x000000010000b86f in main (argc=1, argv=0x7fff5fbff7c0, envp=0x7fff5fbff7d0) at ../../shell/js.cpp:5112
Reporter
Comment 1•14 years ago

try {
    for (; e;) {}
} catch(e) {}
try {
    for each(e in [0, '', 0, false, false, (1), [1]]) {
        gczeal(2)
        elseprint()
    }
} catch(e) {}
try {
    for each(b in [/x/, '', '', '', /x/]) {
        gc()
    }
    (evalcx('').x)
} catch(e) {}

is a variant that asserts at Assertion failure: !empty->emptyScope, at ../jsscopeinlines.h:192
Comment 2•14 years ago

I get the same for the jsapi tests with gczeal:

testExtendedEq_bug530489
Assertion failure: !empty->emptyScope, at ../jsscopeinlines.h:192

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x000000010015d126 in JS_Assert (s=0x1001fade7 "!empty->emptyScope", file=0x1001ffc88 "../jsscopeinlines.h", ln=192) at ../jsutil.cpp:81
81 *((int *) NULL) = 0; /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0 0x000000010015d126 in JS_Assert (s=0x1001fade7 "!empty->emptyScope", file=0x1001ffc88 "../jsscopeinlines.h", ln=192) at ../jsutil.cpp:81
#1 0x00000001000d3ddd in JSScope::trace (this=0x1005142e0, trc=0x7fff5fbff220) at jsscopeinlines.h:192
#2 0x00000001000c59b5 in js_TraceObject (trc=0x7fff5fbff220, obj=0x101402000) at ../jsobj.cpp:6149
#3 0x000000010007a296 in JS_TraceChildren (trc=0x7fff5fbff220, thing=0x101402000, kind=0) at ../jsgc.cpp:2086
#4 0x000000010007a899 in js_CallGCMarker (trc=0x7fff5fbff220, thing=0x101402000, kind=0) at ../jsgc.cpp:2356
#5 0x0000000100011687 in JS_CallTracer (trc=0x7fff5fbff220, thing=0x101402000, kind=0) at ../jsapi.cpp:2038
#6 0x000000010007ac91 in js_TraceContext (trc=0x7fff5fbff220, acx=0x100511420) at ../jsgc.cpp:2642
#7 0x000000010007d0e5 in js_TraceRuntime (trc=0x7fff5fbff220) at ../jsgc.cpp:2688
#8 0x000000010007d2ba in GC (cx=0x100511420) at ../jsgc.cpp:3269
#9 0x000000010007d5b1 in GCUntilDone (cx=0x100511420, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3653
#10 0x000000010007d6eb in js_GC (cx=0x100511420, gckind=GC_LOCK_HELD) at ../jsgc.cpp:3707
#11 0x000000010007d7ed in LastDitchGC (cx=0x100511420) at ../jsgc.cpp:1737
#12 0x000000010007e1ad in RefillFinalizableFreeList (cx=0x100511420, thingKind=3) at ../jsgc.cpp:1761
#13 0x000000010007e514 in js_NewFinalizableGCThing (cx=0x100511420, thingKind=3) at ../jsgc.cpp:1849
#14 0x000000010013f64f in js_NewGCString (cx=0x100511420) at jsgc.h:285
#15 0x000000010013ffd3 in js_NewString (cx=0x100511420, chars=0x10051c110, length=4) at ../jsstr.cpp:3075
#16 0x000000010014025f in js_NewStringCopyN (cx=0x100511420, s=0x7fff5fbff670, n=4) at ../jsstr.cpp:3194
#17 0x0000000100035fa3 in js_AtomizeString (cx=0x100511420, str=0x7fff5fbff6b0, flags=8) at ../jsatom.cpp:774
#18 0x000000010003624b in js_Atomize (cx=0x100511420, bytes=0x1001ea95d "obj1", length=4, flags=0) at ../jsatom.cpp:851
#19 0x000000010001786e in DefineProperty (cx=0x100511420, obj=0x101402000, name=0x1001ea95d "obj1", value=4315949632, getter=0, setter=0, attrs=0, flags=0, tinyid=0) at ../jsapi.cpp:3297
#20 0x0000000100017af5 in JS_DefineObject (cx=0x100511420, obj=0x101402000, name=0x1001ea95d "obj1", clasp=0x100274ae0, proto=0x0, attrs=0) at ../jsapi.cpp:3367
#21 0x000000010000837a in cls_testExtendedEq_bug530489::run (this=0x100286200) at ../../jsapi-tests/testExtendedEq.cpp:37
#22 0x00000001000048e2 in main (argc=1, argv=0x7fff5fbff940) at ../../jsapi-tests/tests.cpp:63
Assignee
Comment 3•14 years ago
Taking (but brendan, if you can tell what the bug is from the stack, please do steal).
Assignee: general → jorendorff
Assignee
Comment 4•14 years ago
The compartment is being collected prematurely. Looking closer.
Assignee
Comment 5•14 years ago
Gary, can you confirm this is fixed?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 6•14 years ago

I still get the assertion on tip with gczeal enabled for jsapi tests:

testExtendedEq_bug530489
Assertion failure: !empty->emptyScope, at ../jsscopeinlines.h:192
make[1]: *** [check] Segmentation fault
Reporter
Comment 7•14 years ago

(In reply to comment #6)
> I still get the assertion on tip with gczeal enabled for jsapi tests:
> testExtendedEq_bug530489
> Assertion failure: !empty->emptyScope, at ../jsscopeinlines.h:192
> make[1]: *** [check] Segmentation fault

Gregor, your issue might be a different bug - my testcases seem to have evalcx, which yours does not, moreover they seem to have been fixed, as indicated by Jason. Perhaps split off into a new bug?
Updated•14 years ago
blocking2.0: ? → betaN+