Closed Bug 579279 Opened 14 years ago Closed 14 years ago

TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," or "Assertion failure: l.s.tag < JSVAL_TAG_CLEAR,"

Categories: Core :: JavaScript Engine, defect
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Tracking Status: blocking2.0 betaN+

People: Reporter: gkw, Assigned: luke

Details: 4 keywords, Whiteboard: [ccbr] fixed-in-tracemonkey

Attachments: 1 file

try {
    for (m = 0; m < 1; m++) {
        b = m; ( * )
    }
    var x = /x/
} catch(e) {}
for (var z = 0; z < 7; ++z) {
    x %= b
}
default xml namespace = ( - ((a) = x))

asserts js debug shell on TM tip with -j at Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE, at ../jsval.h:499 and crashes js opt shell on TM tip with -j at NamespaceHelper

(Tested on 64-bit Mac OS X 10.6)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100165169 in JS_Assert (s=0x1001f8090 "l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE", file=0x1001ff970 "../jsval.h", ln=499) at ../jsutil.cpp:81
81          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0000000100165169 in JS_Assert (s=0x1001f8090 "l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE", file=0x1001ff970 "../jsval.h", ln=499) at ../jsutil.cpp:81
#1  0x0000000100011ac8 in DOUBLE_TO_JSVAL_IMPL (d=-nan(0xfffffffffffff)) at jsval.h:499
#2  0x00000001000292db in js::Value::setDouble (this=0x1010001b0, d=-nan(0xfffffffffffff)) at jsvalue.h:343
#3  0x000000010009cd66 in js::Interpret (cx=0x100511b80) at ../jsinterp.cpp:3626
#4  0x00000001000b808b in js::Execute (cx=0x100511b80, chain=0x101401000, script=0x100516f70, down=0x0, flags=0, result=0x7fff5fbff570) at jsinterp.cpp:880
#5  0x00000001000162a7 in JS_ExecuteScript (cx=0x100511b80, obj=0x101401000, script=0x100516f70, rval=0x7fff5fbff570) at ../jsapi.cpp:4638
#6  0x000000010000abe6 in Process (cx=0x100511b80, obj=0x101401000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#7  0x000000010000b4a7 in ProcessArgs (cx=0x100511b80, obj=0x101401000, argv=0x7fff5fbff7d0, argc=1) at ../../shell/js.cpp:853
#8  0x000000010000b58f in shell (cx=0x100511b80, argc=1, argv=0x7fff5fbff7d0, envp=0x7fff5fbff7e0) at ../../shell/js.cpp:5029
#9  0x000000010000b68b in main (argc=1, argv=0x7fff5fbff7d0, envp=0x7fff5fbff7e0) at ../../shell/js.cpp:5116
Asserts at:

Assertion failure: l.s.tag < JSVAL_TAG_CLEAR, at ../jsval.h:321

for a 32-bit js debug shell on Ubuntu Linux 10.04.
OS: Mac OS X → All
Hardware: x86 → All
Summary: TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," → TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," or "Assertion failure: l.s.tag < JSVAL_TAG_CLEAR,"
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
Attached patch: fix
I believe this one is a GCC bug:
We use __attribute__((packed)) + having 0xFFFF0000 as an enumerator to ensure that JSValueTag is a uint32.  However, for the failing assertion, GCC is choosing to use signed comparison, which is wrong.  :-(  On the bright side, such comparisons are all hidden behind the JSVAL_*_IMPL macros and so this can all be fixed in one place.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #457977 - Flags: review?(dmandelin)
Attachment #457977 - Flags: review?(dmandelin) → review+
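
Added illustration, not part of the bug's comments or the attached patch: a C model of the signed versus unsigned tag comparison described in the comment above. It assumes the tag is the upper 32 bits of the 64-bit value; all function names are hypothetical, and the casts model the two outcomes rather than reproduce the compiler's behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the constant 0xFFFF0000 (JSVAL_TAG_CLEAR in the bug) comes from the
 * page; every name below is hypothetical and constructed for illustration. */
#define TAG_CLEAR 0xFFFF0000u

/* Upper 32 bits of a double: assumed here to be where the tag word lives. */
static uint32_t hi_word(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits >> 32);
}

/* Models the wrong result: both operands compared as signed 32-bit ints.
 * (The uint32 -> int32 conversion wraps on GCC and Clang.) */
static int below_clear_signed(uint32_t tag) {
    return (int32_t)tag < (int32_t)TAG_CLEAR;
}

/* Models the intended check: both operands forced to uint32_t, so the
 * compiler's choice of underlying enum type cannot change the answer. */
static int below_clear_unsigned(uint32_t tag) {
    return (uint32_t)tag < (uint32_t)TAG_CLEAR;
}

/* Counts sample tag words on which the two comparisons disagree. */
static int count_disagreements(const uint32_t *tags, int n) {
    int diff = 0;
    for (int i = 0; i < n; i++)
        diff += below_clear_signed(tags[i]) != below_clear_unsigned(tags[i]);
    return diff;
}

int main(void) {
    /* Constructed samples: two doubles' high words and one tag-range word. */
    uint32_t tags[] = { hi_word(1.5), hi_word(-1.5), 0xFFFF0001u };
    for (int i = 0; i < 3; i++)
        printf("0x%08X signed=%d unsigned=%d\n", (unsigned)tags[i],
               below_clear_signed(tags[i]), below_clear_unsigned(tags[i]));
    printf("disagreements: %d\n", count_disagreements(tags, 3));
    return 0;
}
```

The two comparisons differ only for words with the top bit clear, which is the high word of every positive double.
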
http://hg.mozilla.org/tracemonkey/rev/b87162dd6021
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/b87162dd6021
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
Crash Signature: [@ NamespaceHelper]