TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," or "Assertion failure: l.s.tag < JSVAL_TAG_CLEAR,"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 7 years ago

People: Reporter: gkw, Assigned: luke

Tracking: Blocks: 1 bug, 4 keywords
Version: Trunk
Keywords: assertion, crash, regression, testcase

Firefox Tracking Flags: blocking2.0 betaN+

Details: Whiteboard: [ccbr] fixed-in-tracemonkey, crash signature

Attachments: 1 attachment

(Reporter)

Description

8 years ago
try {
    for (m = 0; m < 1; m++) {
        b = m; ( * )
    }
    var x = /x/
} catch(e) {}
for (var z = 0; z < 7; ++z) {
    x %= b
}
default xml namespace = ( - ((a) = x))

asserts js debug shell on TM tip with -j at Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE, at ../jsval.h:499 and crashes js opt shell on TM tip with -j at NamespaceHelper

(Tested on 64-bit Mac OS X 10.6)

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100165169 in JS_Assert (s=0x1001f8090 "l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE", file=0x1001ff970 "../jsval.h", ln=499) at ../jsutil.cpp:81
81          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0000000100165169 in JS_Assert (s=0x1001f8090 "l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE", file=0x1001ff970 "../jsval.h", ln=499) at ../jsutil.cpp:81
#1  0x0000000100011ac8 in DOUBLE_TO_JSVAL_IMPL (d=-nan(0xfffffffffffff)) at jsval.h:499
#2  0x00000001000292db in js::Value::setDouble (this=0x1010001b0, d=-nan(0xfffffffffffff)) at jsvalue.h:343
#3  0x000000010009cd66 in js::Interpret (cx=0x100511b80) at ../jsinterp.cpp:3626
#4  0x00000001000b808b in js::Execute (cx=0x100511b80, chain=0x101401000, script=0x100516f70, down=0x0, flags=0, result=0x7fff5fbff570) at jsinterp.cpp:880
#5  0x00000001000162a7 in JS_ExecuteScript (cx=0x100511b80, obj=0x101401000, script=0x100516f70, rval=0x7fff5fbff570) at ../jsapi.cpp:4638
#6  0x000000010000abe6 in Process (cx=0x100511b80, obj=0x101401000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:532
#7  0x000000010000b4a7 in ProcessArgs (cx=0x100511b80, obj=0x101401000, argv=0x7fff5fbff7d0, argc=1) at ../../shell/js.cpp:853
#8  0x000000010000b58f in shell (cx=0x100511b80, argc=1, argv=0x7fff5fbff7d0, envp=0x7fff5fbff7e0) at ../../shell/js.cpp:5029
#9  0x000000010000b68b in main (argc=1, argv=0x7fff5fbff7d0, envp=0x7fff5fbff7e0) at ../../shell/js.cpp:5116
(Reporter)

Comment 1

8 years ago
Asserts at:

Assertion failure: l.s.tag < JSVAL_TAG_CLEAR, at ../jsval.h:321

for a 32-bit js debug shell on Ubuntu Linux 10.04.
OS: Mac OS X → All
Hardware: x86 → All
Summary: TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," → TM: Crash [@ NamespaceHelper] or "Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE," or "Assertion failure: l.s.tag < JSVAL_TAG_CLEAR,"
(Reporter)

Comment 2

8 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: 549143
Comment 3

8 years ago
Created attachment 457977: fix

I believe this one is a GCC bug:
We use __attribute__((packed)) + having 0xFFFF0000 as an enumerator to ensure that JSValueTag is a uint32.  However, for the failing assertion, GCC is choosing to use signed comparison, which is wrong.  :-(  On the bright side, such comparisons are all hidden behind the JSVAL_*_IMPL macros and so this can all be fixed in one place.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #457977 - Flags: review?(dmandelin)
Attachment #457977 - Flags: review?(dmandelin) → review+
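As an added C illustration of the point made in the comment above (this is not the attached patch and not SpiderMonkey code), the check below mirrors the fatvals rule that the upper 32 bits of a stored double must sort below the clear tag. Only the enumerator value 0xFFFF0000 comes from the comment; the tag name, the union layout and the function names are assumptions. Comparing as an explicit uint32_t gives the right answer; the same comparison done in signed arithmetic rejects ordinary positive doubles, and the all-ones NaN from the gdb trace is rejected either way because its tag collides with the tag space.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced stand-in for the fatvals tag enum (assumption: only the clear
 * tag is modelled). A large enumerator plus packed is the trick the bug
 * comment describes for forcing a 32-bit enum. */
typedef enum {
    TAG_CLEAR = 0xFFFF0000u
} __attribute__((packed)) tag_t;

typedef union {
    double   as_double;
    uint64_t as_bits;
} val_layout;

/* Upper 32 bits of the double's encoding, endian-independent. */
static uint32_t tag_of(double d) {
    val_layout l;
    l.as_double = d;
    return (uint32_t)(l.as_bits >> 32);
}

/* Correct check: compare the tag as an explicit uint32_t, never
 * letting the compiler pick a signed comparison. */
int double_fits_unsigned(double d) {
    return tag_of(d) < (uint32_t)TAG_CLEAR;
}

/* The hazard: the same comparison done in signed arithmetic. Every
 * positive double has a tag below 0x80000000, which is "greater" than
 * (int32_t)0xFFFF0000 == -65536, so valid doubles are rejected. */
int double_fits_signed(double d) {
    return (int32_t)tag_of(d) < (int32_t)TAG_CLEAR;
}

/* Constructed: the NaN from the gdb trace, -nan(0xfffffffffffff),
 * i.e. sign, exponent and mantissa all ones. Its tag 0xFFFFFFFF lies
 * inside the tag space, so the engine's assertion is right to reject it. */
double trace_nan(void) {
    val_layout l;
    l.as_bits = UINT64_C(0xFFFFFFFFFFFFFFFF);
    return l.as_double;
}

int main(void) {
    printf("sizeof(tag_t)=%zu\n", sizeof(tag_t));
    printf("1.5 unsigned=%d signed=%d\n",
           double_fits_unsigned(1.5), double_fits_signed(1.5));
    printf("trace NaN unsigned=%d\n", double_fits_unsigned(trace_nan()));
    return 0;
}
```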
Comment 4

8 years ago
http://hg.mozilla.org/tracemonkey/rev/b87162dd6021
Whiteboard: [ccbr] → [ccbr] fixed-in-tracemonkey

Comment 5

8 years ago
http://hg.mozilla.org/mozilla-central/rev/b87162dd6021
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Updated

8 years ago
blocking2.0: ? → betaN+
Crash Signature: [@ NamespaceHelper]