Closed Bug 608571 Opened 14 years ago Closed 14 years ago

Crash: Assertion failure: size_t(atoms - script->atomMap.vector) <= script->atomMap.length, at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:4880

Product / Component: Core :: JavaScript Engine
Type: defect
Hardware: x86_64
OS: Linux
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 607196

Reporter: bjacob
Assignee: Unassigned

Details

Sorry, I can't share the js program triggering this (provided by a user who doesn't want it published), but here's the backtrace, and below I print the relevant variables:

#0  0x000000385bea6a6d in nanosleep () from /lib64/libc.so.6
#1  0x000000385bea68e0 in sleep () from /lib64/libc.so.6
#2  0x00007f070e78abe8 in ah_crap_handler (signum=6) at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007f070e78f422 in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fff433b23f0, context=0x7fff433b22c0) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x000000385ca0f30b in raise () from /lib64/libpthread.so.0
#6  0x00007f0710151308 in JS_Assert (s=0x7f0710a0be30 "size_t(atoms - script->atomMap.vector) <= script->atomMap.length", file=
    0x7f0710a0b1a8 "/home/bjacob/mozilla-central/js/src/jsinterp.cpp", ln=4880) at /home/bjacob/mozilla-central/js/src/jsutil.cpp:83
#7  0x00007f07102b27dc in js::Interpret (cx=0x307b8e0, entryFrame=0x7f07043b8188, inlineCallCount=0, interpMode=JSINTERP_NORMAL) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:4880
#8  0x00007f071008c5ab in js::RunScript (cx=0x307b8e0, script=0x7f06d268f010, fp=0x7f07043b8188) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:638
#9  0x00007f071008d8a3 in js::Execute (cx=0x307b8e0, chain=0x7f06fc3c30c8, script=0x7f06d268f010, prev=0x7f07043b8060, flags=8, result=0x7f07043b8128)
    at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:983
#10 0x00007f07100a72b2 in eval (cx=0x307b8e0, argc=1, vp=0x7f07043b8128) at /home/bjacob/mozilla-central/js/src/jsobj.cpp:1243
#11 0x00007f07100900e0 in js::CallJSNative (cx=0x307b8e0, native=0x7f07100a6bf0 <eval(JSContext*, uintN, js::Value*)>, argc=1, vp=0x7f07043b8128)
    at /home/bjacob/mozilla-central/js/src/jscntxtinlines.h:656
#12 0x00007f0710236aa0 in CallCompiler::generateNativeStub (this=0x7fff433b48f0) at /home/bjacob/mozilla-central/js/src/methodjit/MonoIC.cpp:627
#13 0x00007f071023458e in js::mjit::ic::NativeCall (f=..., ic=0x4282178) at /home/bjacob/mozilla-central/js/src/methodjit/MonoIC.cpp:851
#14 0x00007f06fc584362 in ?? ()
#15 0x00007f06fc582000 in ?? ()
#16 0x00007f06eaa97120 in ?? ()
#17 0x00000005433b4980 in ?? ()
#18 0x0000000000000000 in ?? ()

Now printing some variables in frame 7:

(gdb) print atoms
$1 = (JSAtom **) 0x7f06d270f0d0
(gdb) print script->atomMap.vector
$2 = (JSAtom **) 0x7f06d268f0d0
(gdb) print (atoms - script->atomMap.vector)
$3 = 65536
(gdb) print script->atomMap.length
$4 = 19

Dup of bug 607196 -- just a bogus assertion if so.

/be

OK, well this is definitely the same assertion.

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE