Bug 607196 - Assertion failure: size_t(atoms - script->atomMap.vector) <= script->atomMap.length

Status: RESOLVED FIXED (opened 15 years ago, closed 15 years ago)
Product / Component: Core :: JavaScript Engine
Type: defect
Platform: x86, All
Priority: Not set
Severity: normal
Reporter: bc
Assignee: billm
Keywords: assertion
Whiteboard: fixed-in-tracemonkey
Attachments: 1 file

1. http://www.rozengain.com/files/webgl/WebGLAnimation/
2. Assertion failure: size_t(atoms - script->atomMap.vector) <= script->atomMap.length, at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4874

Trunk Mac 10.5/Win XP/7 at least.

Operating system: Mac OS X 10.5.8 9L34
CPU: x86 GenuineIntel family 6 model 26 stepping 5 1 CPU
Crash reason: EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0 XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
    eip = 0x0638e83b esp = 0xbfff8ae0 ebp = 0xbfff8b08 ebx = 0x0638e7f2
    esi = 0x01000090 edi = 0x00040000 eax = 0x00000000 ecx = 0x00000000
    edx = 0x00000000 efl = 0x00010246
    Found by: given as instruction pointer in context
 1 XUL!js::Interpret [jsinterp.cpp : 4874 + 0x46]
    eip = 0x062b7dff esp = 0xbfff8b10 ebp = 0xbfff9a48 ebx = 0x062a01c9
    esi = 0x01000090 edi = 0x00040000
    Found by: call frame info
 2 XUL!js::RunScript [jsinterp.cpp : 637 + 0x21]
    eip = 0x062c9b19 esp = 0xbfff9a50 ebp = 0xbfff9a88 ebx = 0x062c9a14
    esi = 0x00000000 edi = 0x0019c56b
    Found by: call frame info
 3 XUL!js::Execute [jsinterp.cpp : 982 + 0x20]
    eip = 0x062ca0bc esp = 0xbfff9a90 ebp = 0xbfff9b28 ebx = 0x062c9b44
    esi = 0x00000000 edi = 0x0019c56b
    Found by: call frame info
 4 XUL!JS_EvaluateUCScriptForPrincipals [jsapi.cpp : 4881 + 0x34]
    eip = 0x061ff218 esp = 0xbfff9b30 ebp = 0xbfff9b88 ebx = 0x061ff092
    esi = 0x00000000 edi = 0x0019c56b
    Found by: call frame info
 5 XUL!JS_EvaluateUCScriptForPrincipalsVersion [jsapi.cpp : 4857 + 0x3b]
    eip = 0x061ff48c esp = 0xbfff9b90 ebp = 0xbfff9bc8 ebx = 0x0525c625
    esi = 0x00000000 edi = 0x0019c56b
    Found by: call frame info
 6 XUL!nsJSContext::EvaluateString [nsJSEnvironment.cpp : 1724 + 0x86]
    eip = 0x0525cb4f esp = 0xbfff9bd0 ebp = 0xbfff9cb8 ebx = 0x0525c625
    esi = 0x00000000 edi = 0x0019c56b
    Found by: call frame info
 7 XUL!nsScriptLoader::EvaluateScript [nsScriptLoader.cpp : 813 + 0xbc]
    eip = 0x04faf436 esp = 0xbfff9cc0 ebp = 0xbfff9da8 ebx = 0x04faf095
    esi = 0x11ac69b0 edi = 0x0525c614
    Found by: call frame info

ditto linux

Operating system: Linux 0.0.0 Linux 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:51:33 EDT 2010 i686
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: SIGABRT
Crash address: 0x3ecf

Thread 0 (crashed)
 0 linux-gate.so + 0x402
    eip = 0x00ac7402 esp = 0xbfac4e3c ebp = 0xbfac4e48 ebx = 0x00003ecf
    esi = 0x0368f0e0 edi = 0x0084dff4 eax = 0x00000000 ecx = 0x00003ecf
    edx = 0x00000006 efl = 0x00000206
    Found by: given as instruction pointer in context
 1 libxul.so!JS_Assert [jsutil.cpp : 83 + 0xb]
    eip = 0x02774e05 esp = 0xbfac4e50 ebp = 0xbfac4e78
    Found by: previous frame's frame pointer
 2 libxul.so!js::Interpret [jsinterp.cpp : 4874 + 0x46]
    eip = 0x028c5d3e esp = 0xbfac4e80 ebp = 0xbfac5c98 ebx = 0x03794c0c
    Found by: call frame info
 3 libxul.so!js::RunScript [jsinterp.cpp : 637 + 0x21]
    eip = 0x026b8a15 esp = 0xbfac5ca0 ebp = 0xbfac5cc8 ebx = 0x03794c0c
    esi = 0x00000000 edi = 0x09432bd8
    Found by: call frame info
 4 libxul.so!js::Execute [jsinterp.cpp : 982 + 0x20]
    eip = 0x026b9b2e esp = 0xbfac5cd0 ebp = 0xbfac5d48 ebx = 0x03794c0c
    esi = 0x00000000 edi = 0x09432bd8
    Found by: call frame info
I might be wrong, but this seems like a bogus assertion. When loading a double, we assert:

    JS_ASSERT(size_t(atoms - script->atomMap.vector) <= script->atomMap.length);

Before this, there is a JSOP_INDEXBASE1 instruction that bumps |atoms| in order to use a larger index for the JSOP_DOUBLE. However, there are only 6 atoms in the atom map, so the assertion fails. Luke, can you correct me if I'm wrong?
Yes, it does seem bogus. It may have made sense back when doubles were atoms. I probably just forgot to rip this out when I un-atomized doubles.
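The two comments above describe the mechanism without showing it: a 16-bit operand can only name 65536 entries, so the emitter prefixes an indexed op with JSOP_INDEXBASEn to move the base up by whole 64K windows, and that base is shared between the atom map and the constant pool. The following is an added, simplified model written for this discussion; it is not SpiderMonkey source. The opcode names, the bump of 1<<16 per INDEXBASEn, the RESETBASE after the indexed op, and the Script layout are assumptions chosen to illustrate the point. It shows that once doubles live in a separate constant pool, an assertion that compares the index base against atomMap.length fires on a script with 6 atoms and a large constant pool even though the DOUBLE is perfectly in bounds, and that the check which actually protects the load is the one against the constant pool:

```c
/*
 * Model of a 16-bit operand + INDEXBASE scheme (assumed, not SpiderMonkey code).
 * Two tables: the atom map (6 entries in the reported page) and a constant pool
 * holding the doubles. The index base is shared, so bounding it by the atom
 * map length says nothing about whether a DOUBLE load is safe.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define INDEX_LIMIT 65536u   /* entries addressable by one 16-bit operand */

enum Op { OP_DOUBLE, OP_INDEXBASE1, OP_INDEXBASE2, OP_INDEXBASE3, OP_RESETBASE };

typedef struct {
    size_t natoms;    /* models script->atomMap.length */
    size_t nconsts;   /* models the constant pool length (doubles live here) */
} Script;

typedef struct {
    uint8_t  op;
    uint16_t operand; /* only meaningful for OP_DOUBLE */
} Insn;

/* Emit the instructions that load constant `full_index`; returns count written (1 or 3). */
static size_t emit_double_load(size_t full_index, Insn out[3]) {
    size_t n = 0;
    size_t window = full_index / INDEX_LIMIT;           /* which 64K window */
    if (window > 3) { fprintf(stderr, "index %zu needs more than INDEXBASE3\n", full_index); exit(1); }
    if (window) out[n++] = (Insn){ (uint8_t)(OP_INDEXBASE1 + window - 1), 0 };
    out[n++] = (Insn){ OP_DOUBLE, (uint16_t)(full_index % INDEX_LIMIT) };
    if (window) out[n++] = (Insn){ OP_RESETBASE, 0 };
    return n;
}

/* The assertion as reported (modelled): base offset compared to the atom map. */
static int old_assert_holds(size_t base, const Script *s) {
    return base <= s->natoms;
}

/* The bound a DOUBLE actually needs: full index inside the constant pool. */
static int double_in_bounds(size_t base, uint16_t operand, const Script *s) {
    return base + operand < s->nconsts;
}

/* Interpret `code`. Returns 0 and the loaded constant index, or -1 if a DOUBLE
 * would index past nconsts. *old_fired records whether the old assertion tripped. */
static int run(const Insn *code, size_t n, const Script *s, size_t *loaded, int *old_fired) {
    size_t base = 0;
    *old_fired = 0;
    for (size_t i = 0; i < n; i++) {
        switch (code[i].op) {
        case OP_INDEXBASE1: case OP_INDEXBASE2: case OP_INDEXBASE3:
            base += (size_t)(code[i].op - OP_INDEXBASE1 + 1) * INDEX_LIMIT;
            break;
        case OP_RESETBASE:
            base = 0;
            break;
        case OP_DOUBLE:
            if (!old_assert_holds(base, s)) *old_fired = 1;      /* bogus check fires here */
            if (!double_in_bounds(base, code[i].operand, s)) return -1;
            *loaded = base + code[i].operand;
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* Shape of the report: 6 atoms, a constant pool with `nconsts` doubles, load #target. */
static int reproduce(size_t target, size_t nconsts, size_t *loaded, int *old_fired) {
    Script s = { 6, nconsts };
    Insn code[3];
    size_t n = emit_double_load(target, code);
    return run(code, n, &s, loaded, old_fired);
}

static long loaded_index_for(size_t target, size_t nconsts) {
    size_t loaded = 0; int fired = 0;
    return reproduce(target, nconsts, &loaded, &fired) == 0 ? (long)loaded : -1;
}

static int old_assert_fires_for(size_t target, size_t nconsts) {
    size_t loaded = 0; int fired = 0;
    reproduce(target, nconsts, &loaded, &fired);
    return fired;
}

int main(void) {
    printf("constant 70000 of 80000: loaded=%ld old_assert_fired=%d\n",
           loaded_index_for(70000, 80000), old_assert_fires_for(70000, 80000));
    printf("constant 70000 of 70000: loaded=%ld (rejected by the constant-pool bound)\n",
           loaded_index_for(70000, 70000));
    return 0;
}
```

The first case is the bug as filed: the base jumps to 65536, which is far past a 6-entry atom map, so the old assertion fires even though constant 70000 is inside an 80000-entry pool. The second case is what a correct check should reject, and `double_in_bounds` is the one that catches it; the atom-map comparison is neither necessary nor sufficient for a DOUBLE load.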
Attached patch: fix (attachment 486702)
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #486702 - Flags: review?(lw)
Attachment #486702 - Flags: review?(lw) → review+
Need this landed, see bug 608571. /be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED