Closed
Bug 624218
Opened 12 years ago
Closed 12 years ago
Intermittent js1_5/Regress/regress-366122.js or js1_5/extensions/regress-347306-02.js | Exited with code 1 from "Assertion failure: abs(dst - src) >= ptrdiff_t(nelem)"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: philor, Assigned: luke)
References
Details
(Keywords: intermittent-failure, Whiteboard: [fixed-in-tracemonkey])
Attachments
(2 files)
|
27.69 KB,
text/plain
|
Details | |
|
773 bytes,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1294544604.1294545658.15917.gz Rev3 Fedora 12x64 tracemonkey debug test jsreftest on 2011/01/08 19:43:24 s: talos-r3-fed64-043 REFTEST TEST-START | file:///home/cltbld/talos-slave/test/build/jsreftest/tests/jsreftest.html?test=js1_5/Regress/regress-366122.js ++DOMWINDOW == 15 (0x267c468) [serial = 4240] [outer = 0x2969600] BUGNUMBER: 366122 STATUS: Compile large script Assertion failure: abs(dst - src) >= ptrdiff_t(nelem), at /builds/slave/tm-lnx64-dbg/build/js/src/jsutil.h:362 TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/test/build/jsreftest/tests/jsreftest.html?test=js1_5/Regress/regress-366122.js | Exited with code 1 during test run Thread 0 (crashed) 0 libpthread-2.11.so + 0xee6b rbx = 0x150b4120 r12 = 0xec1e1760 r13 = 0x00000000 r14 = 0xffffffff r15 = 0x00000000 rip = 0xd360ee6b rsp = 0x9f774658 rbp = 0x9f774680 Found by: given as instruction pointer in context 1 libxul.so!JS_Assert [jsutil.cpp:558d826c33bf : 83 + 0x9] rip = 0x2871a391 rsp = 0x9f774660 Found by: stack scanning 2 libxul.so!js::PodCopy<jschar> [jsutil.h:558d826c33bf : 362 + 0x40] rip = 0x286f6e78 rsp = 0x9f774690 Found by: stack scanning 3 libxul.so!JSString::flatten [jsstr.cpp:558d826c33bf : 207 + 0x14] rip = 0x286f70e0 rsp = 0x9f7746d0 Found by: stack scanning
|
Assignee | |
Comment 1•12 years ago
|
||
I'd have to see the values of src/dst to be sure, but I think this is the same abs()-isn't-word-sized assert botch that Jason pointed out yesterday. Apparently there is no single portable word-sized abs(); GNU has llabs(), msvc has _ab64(). I can only imagine what S/390 has. So I'll just do expand it.
You, sir, are philor-approved:
01:15 < philor> I think the last time someone fixed an orange before the
second time I starred it was... never|
|
Assignee | |
Comment 3•12 years ago
|
||
Anything I can do to give back to someone who has given so much peace of mind to me.
|
||
Comment 4•12 years ago
|
||
Comment on attachment 502315 [details] [diff] [review] use word-sized abs() in assert >+ JS_ASSERT_IF(dst >= src, dst - src >= ptrdiff_t(nelem)); >+ JS_ASSERT_IF(src >= dst, src - dst >= ptrdiff_t(nelem)); I think it's more correct to do an unsigned comparison: JS_ASSERT_IF(dst >= src, size_t(dst - src) >= nelem); JS_ASSERT_IF(src >= dst, size_t(src - dst) >= nelem); since the difference between two char pointers can be negative: char *src = (char *) 0x00123456; char *dst = (char *) 0x80123456; dst >= src ---> true dst - src ---> ptrdiff_t(0x80000000), which is negative dst - src >= ptrdiff_t(12) ---> false size_t(dst - src) >= nelem ---> true An academic concern, perhaps? I'm not sure. On Windows, it could bite you if you managed to build JS with /LARGEADDRESSAWARE and ran it on a system booted with /3GB. (Very unlikely.)
Attachment #502315 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
Heh, thanks, will do (although nelem's unsigned-ness I think will imply unsigned comparison ;-).
|
||
Comment 6•12 years ago
|
||
Seems to me that "best" would be to avoid pointer subtraction madness altogether: JS_ASSERT_IF(dst >= src, src + nelem <= dst); JS_ASSERT_IF(src >= dst, dst + nelem <= src); But I'm not going to really care regardless.
|
||
Comment 7•12 years ago
|
||
Point subtraction is not madness, it's specified sanely by C and C++ standards. Anyway, no need for two loose relationals (one can be > not >=). /be
|
Reporter | |
Comment 8•12 years ago
|
||
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1294732292.1294732994.31956.gz Rev3 Fedora 12x64 mozilla-central debug test jsreftest on 2011/01/10 23:51:32 s: talos-r3-fed64-040
Summary: Intermittent js1_5/Regress/regress-366122.js | Exited with code 1 from "Assertion failure: abs(dst - src) >= ptrdiff_t(nelem)" → Intermittent js1_5/Regress/regress-366122.js or js1_5/extensions/regress-347306-02.js | Exited with code 1 from "Assertion failure: abs(dst - src) >= ptrdiff_t(nelem)"
|
|
Assignee | |
Comment 9•12 years ago
|
||
(In reply to comment #7) > Anyway, no need for two loose relationals (one can be > not >=). No need, but its prettier when they are aligned :)
|
|
Assignee | |
Comment 10•12 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/cb17d7d6a831
Whiteboard: [orange] → [orange][fixed-in-tracemonkey]
|
||
Comment 11•12 years ago
|
||
This assertion also occurred on mozilla-central during layout/reftests/svg/as-image/img-height-slice-2.html - different test, but I assume the underlying problem (and fix) is the same as here. http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1294915524.1294916717.4259.gz
|
||
Comment 12•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/cb17d7d6a831
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Keywords: intermittent-failure
|
|
||
Updated•11 years ago
|
Whiteboard: [orange][fixed-in-tracemonkey] → [fixed-in-tracemonkey]
You need to log in
before you can comment on or make changes to this bug.
Description
•