Bug 608980
Opened 14 years ago
Closed 14 years ago
Assertion failure: locals[local] <= offset
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: bc, Assigned: bhackett1024
Keywords: assertion, regression
Whiteboard: [jmassert][fixed-in-tracemonkey]
Attachments (1 file): patch, 1.76 KB, dmandelin: review+
1. http://latino.msn.com/
2. Assertion failure: locals[local] <= offset, at /work/mozilla/builds/2.0.0/mozilla/js/src/jsanalyze.cpp:580

at least on windows, mac. Appears to be a recent issue.

Operating system: Mac OS X 10.5.8 9L34
CPU: x86 GenuineIntel family 6 model 26 stepping 5 1 CPU
Crash reason: EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
0 XUL!JS_Assert [jsutil.cpp : 80 + 0x5]
eip = 0x0638c5b1 esp = 0xbfff6360 ebp = 0xbfff6388 ebx = 0x0638c568 esi = 0x00000003 edi = 0x1358f620 eax = 0x00000000 ecx = 0x00000000 edx = 0x00000000 efl = 0x00010246
Found by: given as instruction pointer in context
1 XUL!js::analyze::Script::analyze [jsanalyze.cpp : 577 + 0x6f]
eip = 0x061f7d01 esp = 0xbfff6390 ebp = 0xbfff6488 ebx = 0x061f6de3 esi = 0x00000003 edi = 0x1358f620
Found by: call frame info
2 XUL!js::mjit::Compiler::performCompilation [Compiler.cpp : 163 + 0x1d]
eip = 0x0644a1f0 esp = 0xbfff6490 ebp = 0xbfff6528 ebx = 0x0644a18c esi = 0x00000003 edi = 0x1358f620
Found by: call frame info
3 XUL!js::mjit::Compiler::compile [Compiler.cpp : 131 + 0x11]
eip = 0x0644a5e8 esp = 0xbfff6530 ebp = 0xbfff6568 ebx = 0x0644a4da esi = 0x00000003 edi = 0x1358f620
Found by: call frame info
4 XUL!js::mjit::TryCompile [Compiler.cpp : 235 + 0xd]
eip = 0x0644aa2e esp = 0xbfff6570 ebp = 0xbfff9418 ebx = 0x0644a97c esi = 0x00000003 edi = 0x1358f620
Found by: call frame info
5 XUL!UncachedInlineCall [InvokeHelpers.cpp : 387 + 0x11]
eip = 0x064876e4 esp = 0xbfff9420 ebp = 0xbfff94a8 ebx = 0x0648749d esi = 0x00000003 edi = 0x1358f620
Found by: call frame info
6 XUL!js::mjit::stubs::UncachedCallHelper [InvokeHelpers.cpp : 488 + 0x18]
eip = 0x06487895 esp = 0xbfff94b0 ebp = 0xbfff94d8 ebx = 0x0648779e esi = 0x13594640 edi = 0x1358f620
Found by: call frame info
7 XUL!CallCompiler::update [MonoIC.cpp : 779 + 0x25]
eip = 0x064765ec esp = 0xbfff94e0 ebp = 0xbfff9548 ebx = 0x06476592 esi = 0x13594640 edi = 0x1358f620
Found by: call frame info
8 XUL!js::mjit::ic::Call [MonoIC.cpp : 837 + 0xa]
eip = 0x06471e82 esp = 0xbfff9550 ebp = 0xbfff9598 ebx = 0x01000170 esi = 0x13594640 edi = 0x1358f620
Found by: call frame info
9 0x15299c28
eip = 0x15299c29 esp = 0xbfff95a0 ebp = 0xbfff95d8 ebx = 0x01000170 esi = 0x13594640 edi = 0x1358f620
Found by: call frame info
10 XUL!js::mjit::EnterMethodJIT [MethodJIT.cpp : 739 + 0x1f]
eip = 0x0642b209 esp = 0xbfff95e0 ebp = 0xbfff9628
Found by: previous frame's frame pointer
11 XUL!CheckStackAndEnterMethodJIT [MethodJIT.cpp : 764 + 0x1f]
eip = 0x0642b320 esp = 0xbfff9630 ebp = 0xbfff9668 ebx = 0x0642b393 esi = 0x1579f1cc
Found by: call frame info
12 XUL!js::mjit::JaegerShot [MethodJIT.cpp : 781 + 0x1c]
eip = 0x0642b448 esp = 0xbfff9670 ebp = 0xbfff9698 ebx = 0x0642b393 esi = 0x1579f1cc
Found by: call frame info
13 XUL!js::RunScript [jsinterp.cpp : 662 + 0xa]
eip = 0x062c93b0 esp = 0xbfff96a0 ebp = 0xbfff96d8 ebx = 0x062c92da esi = 0x00000000
Found by: call frame info
1
Updated • 14 years ago
Whiteboard: [jmassert]

Updated • 14 years ago
Assignee: general → bhackett1024
I just hit this on Google Reader in a build based on this changeset (plus the contents of my patch queue at the time):

changeset: 58671:14e52c423e54
user: Jim Mathies <jmathies@mozilla.com>
date: Mon Nov 08 09:30:40 2010 -0600
summary: Bug 610201 - Fix for aero basic buttons regression after bug 591154 landed. r=roc, a=final.

#4 <signal handler called>
#5 0x00007f63987b17bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6 0x00007f63974a3c14 in js::analyze::Script::analyze (this=0x7fff5a47db30, cx=<value optimized out>, script=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsanalyze.cpp:580
#7 0x00007f639741ce60 in js::mjit::Compiler::performCompilation (this=0x7fff5a47dbe0, jitp=0xa29a790) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/Compiler.cpp:163
#8 0x00007f639741d0ab in js::mjit::Compiler::compile (this=0x7fff5a47dbe0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/Compiler.cpp:131
#9 0x00007f639741d1f1 in js::mjit::TryCompile (cx=0xe9c0250, fp=0x7f6385a9cac8) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/Compiler.cpp:235
#10 0x00007f639745bd4a in UncachedInlineCall (f=..., flags=0, pret=<value optimized out>, argc=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/InvokeHelpers.cpp:387
#11 0x00007f639745c35e in js::mjit::stubs::UncachedCallHelper (f=..., argc=0, ucr=0x7fff5a481430) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/InvokeHelpers.cpp:488
#12 0x00007f639744aea6 in CallCompiler::update (this=0x7fff5a4814b0) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/MonoIC.cpp:779
#13 0x00007f6397446e3e in js::mjit::ic::Call (f=<value optimized out>, ic=0x7c80) at /home/dbaron/builds/mozilla-central/mozilla/js/src/methodjit/MonoIC.cpp:837

(gdb) f 6
#6 0x00007f63974a3c14 in js::analyze::Script::analyze (this=0x7fff5a47db30, cx=<value optimized out>, script=<value optimized out>) at /home/dbaron/builds/mozilla-central/mozilla/js/src/jsanalyze.cpp:580
580 in /home/dbaron/builds/mozilla-central/mozilla/js/src/jsanalyze.cpp
(gdb) p this->script->filename
$3 = 0x65b1c1d "https://www.google.com/reader/ui/485118933-en-scroll.js?hl=en"
(gdb) p this->script->lineno
$4 = 425
(gdb) p js_Disassemble(cx, script, 1, stdout)
main:
00000: 425 callglobal "Yd"
00003: 425 this
00004: 425 getprop "aw"
00007: 425 getprop "Sd"
00010: 425 getprop "enclosure"
00013: 425 getglobal "Yu"
00016: 425 call 2
00019: 425 setlocal 0
00022: 425 pop
00023: 425 newarray 0
00026: 425 setlocal 1
00029: 425 pop
00030: 425 zero
00031: 425 setlocal 2
00034: 425 pop
00035: 425 getlocal 3
00038: 425 pop
00039: 425 goto 319 (280)
00042: 425 trace 0
00045: 425 getlocal 4
00048: 425 pop
00049: 425 nop
00050: 425 callglobal "Eh"
00053: 425 getlocalprop 3 "Tb"
00058: 425 call 1
00061: 425 lookupswitch offset 35 npairs 2 "audio": 13 "video": 24
00074: 425 string "Original audio source"
00077: 425 setlocal 4
00080: 425 pop
00081: 425 goto 103 (22)
00084: 425 nullblockchain
00085: 425 string "Original video source"
00088: 425 setlocal 4
00091: 425 pop
00092: 425 goto 103 (11)
00095: 425 nullblockchain
00096: 425 string "Original enclosure"
00099: 425 setlocal 4
00102: 425 pop
00103: 425 getlocalprop 3 "sf"
00108: 425 setlocal 5
00111: 425 pop
00112: 425 getglobal "j"
00115: 425 setlocal 6
00118: 425 pop
00119: 425 try
00120: 425 getlocal 5
00123: 425 callprop "split"
00126: 425 string "/"
00129: 425 call 1
00132: 425 setlocal 7
00135: 425 pop
00136: 425 getlocal 7
00139: 425 length
00140: 425 zero
00141: 425 gt
00142: 425 ifeq 165 (23)
00145: 425 callglobal "Hd"
00148: 425 getlocal 7
00151: 425 getlocal 7
00154: 425 length
00155: 425 one
00156: 425 sub
00157: 425 getelem
00158: 425 call 1
00161: 425 setlocal 6
00164: 425 pop
00165: 425 getlocal 6
00168: 425 and 185 (17)
00171: 425 getlocal 6
00174: 425 callprop "indexOf"
00177: 425 string "?"
00180: 425 call 1
00183: 425 zero
00184: 425 gt
00185: 425 ifeq 214 (29)
00188: 425 getlocal 6
00191: 425 callprop "substring"
00194: 425 zero
00195: 425 getlocal 6
00198: 425 callprop "indexOf"
00201: 425 string "?"
00204: 425 call 1
00207: 425 call 2
00210: 425 setlocal 6
00213: 425 pop
00214: 425 goto 233 (19)
00217: 425 enterblock depth 0 {m: 0}
00220: 425 exception
00221: 425 setlocalpop 8
00224: 425 leaveblock 1
00229: 425 goto 233 (4)
00232: 425 nop
00233: 425 getlocalprop 3 "Tb"
00238: 425 setlocal 3
00241: 425 pop
00242: 425 callglobal "Eh"
00245: 425 getlocal 3
00248: 425 call 1
00251: 425 string "audio"
00254: 425 eq
00255: 425 or 271 (16)
00258: 425 getlocal 3
00261: 425 callprop "toLowerCase"
00264: 425 call 0
00267: 425 string "mp3"
00270: 425 eq
00271: 425 setlocal 3
00274: 425 pop
00275: 425 getlocal 1
00278: 425 callprop "push"
00281: 425 newinit 1 4
00286: 425 getlocal 4
00289: 425 initprop "Ud"
00292: 425 getlocal 5
00295: 425 initprop "href"
00298: 425 getlocal 6
00301: 425 initprop "name"
00304: 425 getlocal 3
00307: 425 initprop "nv"
00310: 425 endinit
00311: 425 call 1
00314: 425 pop
00315: 425 localinc 2
00318: 425 pop
00319: 425 getlocal 0
00322: 425 getlocal 2
00325: 425 getelem
00326: 425 setlocal 3
00329: 425 ifne 42 (-287)
00332: 425 newinit 1 1
00337: 425 getlocal 1
00340: 425 initprop "HA"
00343: 425 endinit
00344: 425 setlocal 2
00347: 425 pop
00348: 425 getglobal "M"
00351: 425 push
00352: 425 new 0
00355: 425 setlocal 0
00358: 425 pop
00359: 425 getlocal 0
00362: 425 callprop "a"
00365: 425 string "<div class=\\"entry-enclosure\\"><div class=\\"item-body\\"></div><div class=\\"audio-player-container player\\"><script type=\\"text/javascript\\">"
00368: 426 callglobal "P"
00371: 426 string "function FlashRequest(command, args) {}"
00374: 426 call 1
00377: 426 string "</script>"
00380: 426 call 3
00383: 426 pop
00384: 426 getlocalprop 2 "HA"
00389: 426 setlocal 2
00392: 426 pop
00393: 426 getlocal 2
00396: 426 length
00397: 426 setlocal 4
00400: 426 pop
00401: 426 zero
00402: 426 setlocal 5
00405: 426 pop
00406: 426 goto 521 (115)
00409: 426 trace 1
00412: 426 getlocal 2
00415: 426 getlocal 5
00418: 426 getelem
00419: 426 setlocal 6
00422: 426 pop
00423: 426 getlocal 0
00426: 426 callprop "a"
00429: 426 getlocalprop 6 "nv"
00434: 426 ifeq 443 (9)
00437: 426 string "<div class=\\"audio-player-placeholder\\"></div>"
00440: 426 goto 446 (6)
00443: 426 string ""
00446: 426 string "<div class=\\"view-enclosure-parent\\"><a href=\\""
00449: 426 callglobal "P"
00452: 426 getlocalprop 6 "href"
00457: 426 call 1
00460: 426 string "\\" target=\\"_blank\\"><span class=\\"view-enclosure\\">"
00463: 426 callglobal "P"
00466: 426 getlocalprop 6 "Ud"
00471: 426 call 1
00474: 426 string " "
00477: 426 getlocalprop 6 "name"
00482: 426 ifeq 507 (25)
00485: 426 string "("
00488: 426 callglobal "P"
00491: 426 getlocalprop 6 "name"
00496: 426 call 1
00499: 426 add
00500: 426 string ")"
00503: 426 add
00504: 426 goto 510 (6)
00507: 426 string ""
00510: 426 string "</span></a></div>"
00513: 426 call 8
00516: 426 pop
00517: 426 localinc 5
00520: 426 pop
00521: 426 getlocal 5
00524: 426 getlocal 4
00527: 426 lt
00528: 426 ifne 409 (-119)
00531: 426 getlocal 0
00534: 426 callprop "a"
00537: 426 string "</div></div>"
00540: 426 call 1
00543: 426 pop
00544: 426 callglobal "N"
00547: 426 getlocal 0
00550: 426 callprop "toString"
00553: 426 call 0
00556: 426 call 1
00559: 426 setlocal 0
00562: 426 pop
00563: 426 callglobal "R"
00566: 426 getlocal 0
00569: 426 string "item-body"
00572: 426 call 2
00575: 426 callprop "appendChild"
00578: 426 callglobal "Ru"
00581: 426 getthisprop "aw"
00584: 426 call 1
00587: 426 call 1
00590: 426 pop
00591: 426 callgname "Zu"
00594: 426 this
00595: 426 getlocal 0
00598: 426 getlocal 1
00601: 426 call 3
00604: 426 pop
00605: 426 this
00606: 426 getprop "fg"
00609: 426 callprop "appendChild"
00612: 426 getlocal 0
00615: 426 call 1
00618: 426 pop
00619: 426 stop
Comment 2 • 14 years ago

This assertion is bogus. When there is a loop like:

    while (x = y) { ... }

The definitions analysis marks x as definitely defined at the point of its write (which it is), which happens to be later in the bytecode stream than the loop body. The analysis ends up marking x as possibly undefined everywhere in the body of the loop, even if it is reassigned in the loop body. Fixing this probably isn't worthwhile; it makes things more complicated, and this sort of loop is rare.
Attachment #489825 - Flags: review?(dmandelin)
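The loop shape comment 2 describes, as an added, runnable JavaScript illustration that is not part of the bug report or of SpiderMonkey. It mirrors what the disassembly in comment 1 shows: the loop condition's write to the local (`setlocal 3` at offset 00326, reached through the `goto 319` at 00039) sits after the loop body in bytecode order, while the body both reads that local (00053) and reassigns it (00238, 00271). The function name, variable names and the sample input are constructed for this example.

```javascript
// Added illustration of the `while (x = y) { ... }` loop shape from comment 2.
// Not code from the bug report or from SpiderMonkey; names and data are constructed.
//
// `item` is written in the loop condition. A compiler that places the condition at
// the bottom of the loop (jump to the test, then jump back to the body while it
// holds) emits that defining write at a higher bytecode offset than every read of
// `item` inside the body, even though the body reassigns `item` as well. That
// ordering is what the definitions analysis mis-handled; the JavaScript semantics
// are unambiguous, and the function below behaves identically in any engine.
function collectEnclosures(list) {
  var out = [];
  var i = 0;
  var item;
  // Condition assigns and tests in one step: the loop ends at the first
  // falsy element, including the `undefined` read past the end of the array.
  while (item = list[i]) {
    var type = String(item.type);
    var name = String(item.name).toLowerCase();
    // Reassign the same local inside the body, as the analysed script does.
    item = {
      label: type === "audio" ? "Original audio source" : "Original enclosure",
      name: name,
      isAudio: type === "audio" || name.slice(-3) === "mp3"
    };
    out.push(item);
    i++;
  }
  return out;
}

// Constructed sample input for the example.
var sampleEnclosures = [
  { name: "Track.MP3", type: "audio" },
  { name: "Clip.mov", type: "video" },
  { name: "Notes.pdf", type: "document" }
];
```

Because the assignment in the condition doubles as the termination test, a falsy element in the middle of the input (such as `null`) ends the loop early rather than being skipped; that is the behaviour to keep in mind when reading or rewriting loops of this shape.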
Updated • 14 years ago
Attachment #489825 - Flags: review?(dmandelin) → review+
Comment 3 • 14 years ago

http://hg.mozilla.org/tracemonkey/rev/6b22d236a218

Whiteboard: [jmassert] → [jmassert][fixed-in-tracemonkey]
Comment 4 • 14 years ago

http://hg.mozilla.org/mozilla-central/rev/6b22d236a218

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED