Closed Bug 607196 Opened 13 years ago Closed 13 years ago

Assertion failure: size_t(atoms - script->atomMap.vector) <= script->atomMap.length

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bc, Assigned: billm)

References

(
URL
)

Details

(Keywords: assertion, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
599 bytes, patch
luke
: review+
Details | Diff | Splinter Review 
1. http://www.rozengain.com/files/webgl/WebGLAnimation/
2. Assertion failure: size_t(atoms - script->atomMap.vector) <= script->atomMap.length, at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4874

Trunk Mac 10.5/Win XP/7 at least.

Operating system: Mac OS X
                  10.5.8 9L34
CPU: x86
     GenuineIntel family 6 model 26 stepping 5
     1 CPU

Crash reason:  EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
    eip = 0x0638e83b   esp = 0xbfff8ae0   ebp = 0xbfff8b08   ebx = 0x0638e7f2
    esi = 0x01000090   edi = 0x00040000   eax = 0x00000000   ecx = 0x00000000
    edx = 0x00000000   efl = 0x00010246
    Found by: given as instruction pointer in context
 1  XUL!js::Interpret [jsinterp.cpp : 4874 + 0x46]
    eip = 0x062b7dff   esp = 0xbfff8b10   ebp = 0xbfff9a48   ebx = 0x062a01c9
    esi = 0x01000090   edi = 0x00040000
    Found by: call frame info
 2  XUL!js::RunScript [jsinterp.cpp : 637 + 0x21]
    eip = 0x062c9b19   esp = 0xbfff9a50   ebp = 0xbfff9a88   ebx = 0x062c9a14
    esi = 0x00000000   edi = 0x0019c56b
    Found by: call frame info
 3  XUL!js::Execute [jsinterp.cpp : 982 + 0x20]
    eip = 0x062ca0bc   esp = 0xbfff9a90   ebp = 0xbfff9b28   ebx = 0x062c9b44
    esi = 0x00000000   edi = 0x0019c56b
    Found by: call frame info
 4  XUL!JS_EvaluateUCScriptForPrincipals [jsapi.cpp : 4881 + 0x34]
    eip = 0x061ff218   esp = 0xbfff9b30   ebp = 0xbfff9b88   ebx = 0x061ff092
    esi = 0x00000000   edi = 0x0019c56b
    Found by: call frame info
 5  XUL!JS_EvaluateUCScriptForPrincipalsVersion [jsapi.cpp : 4857 + 0x3b]
    eip = 0x061ff48c   esp = 0xbfff9b90   ebp = 0xbfff9bc8   ebx = 0x0525c625
    esi = 0x00000000   edi = 0x0019c56b
    Found by: call frame info
 6  XUL!nsJSContext::EvaluateString [nsJSEnvironment.cpp : 1724 + 0x86]
    eip = 0x0525cb4f   esp = 0xbfff9bd0   ebp = 0xbfff9cb8   ebx = 0x0525c625
    esi = 0x00000000   edi = 0x0019c56b
    Found by: call frame info
 7  XUL!nsScriptLoader::EvaluateScript [nsScriptLoader.cpp : 813 + 0xbc]
    eip = 0x04faf436   esp = 0xbfff9cc0   ebp = 0xbfff9da8   ebx = 0x04faf095
    esi = 0x11ac69b0   edi = 0x0525c614
    Found by: call frame info
ditto linux

Operating system: Linux
                  0.0.0 Linux 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:51:33 EDT 2010 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGABRT
Crash address: 0x3ecf

Thread 0 (crashed)
 0  linux-gate.so + 0x402
    eip = 0x00ac7402   esp = 0xbfac4e3c   ebp = 0xbfac4e48   ebx = 0x00003ecf
    esi = 0x0368f0e0   edi = 0x0084dff4   eax = 0x00000000   ecx = 0x00003ecf
    edx = 0x00000006   efl = 0x00000206
    Found by: given as instruction pointer in context
 1  libxul.so!JS_Assert [jsutil.cpp : 83 + 0xb]
    eip = 0x02774e05   esp = 0xbfac4e50   ebp = 0xbfac4e78
    Found by: previous frame's frame pointer
 2  libxul.so!js::Interpret [jsinterp.cpp : 4874 + 0x46]
    eip = 0x028c5d3e   esp = 0xbfac4e80   ebp = 0xbfac5c98   ebx = 0x03794c0c
    Found by: call frame info
 3  libxul.so!js::RunScript [jsinterp.cpp : 637 + 0x21]
    eip = 0x026b8a15   esp = 0xbfac5ca0   ebp = 0xbfac5cc8   ebx = 0x03794c0c
    esi = 0x00000000   edi = 0x09432bd8
    Found by: call frame info
 4  libxul.so!js::Execute [jsinterp.cpp : 982 + 0x20]
    eip = 0x026b9b2e   esp = 0xbfac5cd0   ebp = 0xbfac5d48   ebx = 0x03794c0c
    esi = 0x00000000   edi = 0x09432bd8
    Found by: call frame info
I might be wrong, but this seems like a bogus assertion. When loading a double, we assert:
    JS_ASSERT(size_t(atoms - script->atomMap.vector) <= script->atomMap.length);
Before this, there is a JSOP_INDEXBASE1 instruction that bumps |atoms| in order to use a larger index for the JSOP_DOUBLE. However, there are only 6 atoms in the atom map, so the assertion fails.

Luke, can you correct me if I'm wrong?
Yes, it does seem bogus.  It may have made sense back when doubles were atoms.  I probably just forgot to rip this out when I un-atomized doubles.
Attached patch fixSplinter Review 
Assignee: general → wmccloskey
Status: NEW → ASSIGNED

        Attachment #486702 -
        Flags: review?(lw)

    
  

        Attachment #486702 -
        Flags: review?(lw) → review+

    
    

    
  
Need this landed, see bug 608571.

/be

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/7af31ff1e9f5
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.