Closed Bug 614780 Opened 11 years ago Closed 11 years ago

TM: "Assertion failure: !js_IsActiveWithOrBlock(cx, &regs.fp->scopeChain(), 0),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 1 obsolete file)

for (a = 0; a < 9; ++a) {
    M: for (let c in <x>></x>) {
      break M
    }
}

asserts js debug shell on TM changeset 9123f97f059c with -j at Assertion failure: !js_IsActiveWithOrBlock(cx, &regs.fp->scopeChain(), 0),
blocking2.0: --- → ?
Attached file regression range
Due to cross compile breakage, attached is the regression window.
The first bad revision is:
changeset:   eaa6114ee405
user:        Luke Wagner <lw@mozilla.com>
date:        Wed Nov 10 16:19:02 2010 -0800
summary:     Bug 604858 - break-to-label should endLoop(); assert that recording does not leave the original loop (r=dvander)

Stack:
> #0  JS_Assert
> #1  js::Interpret () at jsinterp.cpp:6986
> #2  js::RunScript (cx=0x609f30, script=0x612440, fp=0x1000030) at jsinterp.cpp:657
> #3  js::Execute (cx=0x609f30, chain=0x1502028, script=0x612440, prev=0x0, flags=0, result=0x0) at jsinterp.cpp:1005
> #4  JS_ExecuteScript (cx=0x609f30, obj=0x1502028, script=0x612440, rval=0x0) at jsapi.cpp:4837
> #5  Process (cx=0x609f30, obj=0x1502028, filename=0xbffff9d2 "jn.js", forceTTY=0) at shell/js.cpp:453
> #6  ProcessArgs (cx=0x609f30, obj=0x1502028, argv=0xbffff92c, argc=2) at shell/js.cpp:952
> #7  Shell (cx=0x609f30, argc=2, argv=0xbffff92c, envp=0xbffff938) at shell/js.cpp:5370
> #8  main (argc=2, argv=0xbffff92c, envp=0xbffff938) at shell/js.cpp:5478
Blocks: 604858
While labeled break has always traced, before the fix in bug 604858, labeled break would keep recording out of the inner loop (so effectively never close the loop).  With bug 604858, labeled break can record successfully which exposes an incorrect assumption we make about the blockchains.  The issue is the 'let' in the for-loop initializer which (when we call js_GetScopeChain) places a block object on the scope chain.  In a normal break, the leaveblock is placed after the ifne backedge, so exiting trace, leaveblock is executed in the interp/mjit and all is good.  With a labeled break, the leaveblock happens inside the loop, before the goto, so it effectively happens on trace.  However, since the tracer ignores leaveblock, the block object is never popped from the scope chain.

The simple fix is to go back to not tracing labeled break.  A more sophisticated solution is to try to put some block-object-popping logic in LeaveTree.  I'm inclined to do the former, with a big comment as to what the problem is if we should later decide it is important to trace.
Assignee: general → lw
blocking2.0: ? → betaN+
blocking2.0: betaN+ → -
status2.0: --- → wanted
blocking2.0: - → betaN+
status2.0: wanted → ---
Taking the easy path to fix the blocker.  We can trace it later.
Attachment #497637 - Flags: review?(dvander)
Attachment #497637 - Flags: review?(dvander) → review+
Duplicate of this bug: 616119
Labeled continue is broken for the same reason (as shown by bug 616119).  Btw, neither of these hurts v8/ss.
Attachment #497637 - Attachment is obsolete: true
Attachment #497708 - Flags: review?(dvander)
Attachment #497708 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/292dd34fdbbf
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/292dd34fdbbf
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 626986
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
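
The scope-chain imbalance described in the analysis above, as a toy model added here (not part of the bug thread and not SpiderMonkey code). The `Op` names follow the bytecodes named in the thread; the simplified layouts, `blocksLeftOnScopeChain` and the `traceLabeledJumps` switch are assumptions made for illustration.

```cpp
// Added illustration: a toy model, not SpiderMonkey code. Opcode names follow
// the bytecodes named in the thread; the layouts are simplified assumptions.
#include <cstddef>
#include <vector>

enum Op { ENTERBLOCK, LOOPHEAD, LEAVEBLOCK, IFNE, GOTO_LABEL, END };

// Normal break: leaveblock sits after the ifne backedge, outside the loop.
const std::vector<Op> kNormalBreak = {ENTERBLOCK, LOOPHEAD, IFNE, LEAVEBLOCK, END};
// Labeled break: leaveblock sits inside the loop, before the goto.
const std::vector<Op> kLabeledBreak = {ENTERBLOCK, LOOPHEAD, LEAVEBLOCK, GOTO_LABEL, END};

// Returns how many block objects remain on the scope chain after `code` runs.
// traceLabeledJumps = true  : labeled jumps are recorded (state after bug 604858).
// traceLabeledJumps = false : recording aborts on a labeled jump (the fix here),
//                             so that loop only ever runs in the interpreter.
std::size_t blocksLeftOnScopeChain(const std::vector<Op>& code, bool traceLabeledJumps) {
    bool hasLabeledJump = false;
    for (Op op : code)
        if (op == GOTO_LABEL) hasLabeledJump = true;
    const bool traceable = traceLabeledJumps || !hasLabeledJump;

    std::size_t blocks = 0;
    bool onTrace = false;
    for (Op op : code) {
        switch (op) {
        case ENTERBLOCK: ++blocks; break;             // block object pushed
        case LOOPHEAD:   onTrace = traceable; break;  // trace entry point
        case LEAVEBLOCK:                              // the tracer ignores leaveblock
            if (!onTrace && blocks > 0) --blocks;
            break;
        case IFNE:                                    // loop falls through, trace exits
        case GOTO_LABEL: onTrace = false; break;      // jump leaves the loop, trace exits
        case END:        break;
        }
    }
    return blocks;  // the interpreter's assertion requires this to be 0
}

int main() {
    // 0 = scope chain clean; 1 = stale block object, the asserted condition.
    bool ok = blocksLeftOnScopeChain(kNormalBreak, true) == 0 &&
              blocksLeftOnScopeChain(kLabeledBreak, true) == 1 &&
              blocksLeftOnScopeChain(kLabeledBreak, false) == 0;
    return ok ? 0 : 1;
}
```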