Closed Bug 642150 Opened 14 years ago Closed 14 years ago

Assertion failure: obj->containsSlot(slot)

Categories: Core :: JavaScript Engine, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 614714
Tracking Status: status2.0 --- wanted
Reporter: bc
Assignee: Unassigned
Keywords: assertion
Whiteboard: [sg:critical?]
Attachments: 1 file

See also Bug 613619 and Bug 614714.
I keep getting this assertion with varying stacks for Windows, Linux and Mac. I've not been able to reproduce them by loading the urls individually and haven't filed a bug for that reason.
Once you have the list of urls, you can test this in a debug build that is built with tests enabled using the tp loader:
    firefox -tp manifest.file
FYI, I've seen this on the following domains:
This is a very common assertion in the crash automation. It may be related to or is hiding the top js crashers for Firefox 4.0. I have it in msvc's debugger at the moment if anyone is interested.
No one appears to care about this one as no one has replied in the bug nor #jsapi, but before I blow the vm session away with the attached debugger here is the stack and auto variables. Note the 0xde pattern.
    - regs.fp 0x02480808 {flags_=6291458 exec={...} args={...} ...} JSStackFrame *
        flags_ 6291458 unsigned int
      + exec {script=0x0beb6f00 fun=0x0beb6f00 } JSStackFrame::<unnamed-tag>
      + args {nactual=0 obj=0x00000000 script=0x00000000 } JSStackFrame::<unnamed-tag>
      + scopeChain_ 0x0c514410 {lastProp=0x15795bc8 map=0x15795bc8 clasp=0x03e9f724 ...} JSObject *
      + prev_ 0x024807c0 {flags_=6299650 exec={...} args={...} ...} JSStackFrame *
        ncode_ 0xdededede void *
      + rval_ {data={...} } js::Value
      + prevpc_ 0x156e4e8f ":" unsigned char *
      + imacropc_ 0xdededede <Bad Ptr> unsigned char *
        hookData_ 0xdededede void *
        annotation_ 0xdededede void *
    + sInvalidScopeChain 0x0000beef {lastProp=??? map=??? clasp=??? ...} JSObject * const
      slot 149 unsigned int
    JS_ASSERT(obj->containsSlot(slot));
      mozjs.dll!JS_Assert(const char * s=0x00aa5368, const char * file=0x00aa532c, int ln=5326) Line 73 C++
    > mozjs.dll!js::Interpret(JSContext * cx=0x12f50028, JSStackFrame * entryFrame=0x024807c0, unsigned int inlineCallCount=1, JSInterpMode interpMode=JSINTERP_NORMAL) Line 5326 + 0x2f bytes C++
      mozjs.dll!js::RunScript(JSContext * cx=0x12f50028, JSScript * script=0x156e4de0, JSStackFrame * fp=0x024807c0) Line 653 + 0x11 bytes C++
Attached file summary of stacks seen
There are 100 different stacks seen so far. The one I have in the debugger is:
    JS_Assert | js::Interpret js::RunScript js::Invoke js::ExternalInvoke JS_CallFunctionValue
Depends on: 614714
Group: core-security
status2.0: --- → wanted
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
Is this likely to be the same as bug 614714? A different bug? A bunch of different bugs?
I tested the original 308 urls plus an additional 672 urls found since then using a mac build on tracemonkey with the patch from bug 614714 and did not reproduce the obj->containsSlot(slot) assertion. I did see two other assertions.
    Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsvalue.h:705
    http://www.baixarfilmesgratis.net/page/13/: EXIT STATUS: CRASHED signal 10 SIGBUS (65.559649 seconds)
This is not reproducible on tracemonkey with the patch nor on mozilla-central. :-(
    Assertion failure: bit < BitCount, at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsgc.h:210
    http://www.raaga.com/channels/hindi/: EXIT STATUS: CRASHED signal 10 SIGBUS (23.502703 seconds)
    Assertion failure: bit < BitCount, at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsgc.h:210
    http://www.raaga.com/channels/tamil/: EXIT STATUS: CRASHED signal 10 SIGBUS (15.763318 seconds)
These are reproducible on tracemonkey with and without the patch. I'll file a separate bug, but I have a question first. Is that assertion something to be considered security sensitive?
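An added example, not part of the bug report or of Mozilla's crash automation: one way to group results like the ones quoted above by assertion signature, so that a run over hundreds of URLs collapses into a few distinct failures to file. The two-line record layout and the helper name `group_by_signature` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input built from the three records quoted in the comment above.
# Assumed layout: an "Assertion failure" line followed by a "<url>: EXIT STATUS" line.
SAMPLE_LOG = """\
Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsvalue.h:705
http://www.baixarfilmesgratis.net/page/13/: EXIT STATUS: CRASHED signal 10 SIGBUS (65.559649 seconds)
Assertion failure: bit < BitCount, at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsgc.h:210
http://www.raaga.com/channels/hindi/: EXIT STATUS: CRASHED signal 10 SIGBUS (23.502703 seconds)
Assertion failure: bit < BitCount, at /work/mozilla/builds/2.0.0-tracemonkey/mozilla/js/src/jsgc.h:210
http://www.raaga.com/channels/tamil/: EXIT STATUS: CRASHED signal 10 SIGBUS (15.763318 seconds)
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<expr>.+), at (?P<path>\S+):(?P<line>\d+)$")
STATUS_RE = re.compile(
    r"^(?P<url>\S+): EXIT STATUS: (?P<status>\w+)"
    r"(?: signal (?P<signum>\d+) (?P<signame>\w+))? \((?P<secs>[\d.]+) seconds\)$"
)

def group_by_signature(log_text):
    """Hypothetical helper: map 'expr @ file:line' -> list of (url, signal, seconds)."""
    groups = defaultdict(list)
    pending = None  # signature waiting for its EXIT STATUS line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ASSERT_RE.match(line)
        if m:
            if pending is not None:
                # Previous assertion never got a status line; keep it visible.
                groups[pending].append((None, None, None))
            # Use the file's basename so build-directory differences do not split groups.
            pending = f"{m['expr']} @ {m['path'].rsplit('/', 1)[-1]}:{m['line']}"
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            groups[pending].append((m["url"], m["signame"], float(m["secs"])))
            pending = None
    if pending is not None:
        groups[pending].append((None, None, None))
    return dict(groups)

if __name__ == "__main__":
    for sig, hits in group_by_signature(SAMPLE_LOG).items():
        print(f"{len(hits):3d}  {sig}")
        for url, signame, secs in hits:
            print(f"       {url}  {signame}  {secs}s")
```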
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
filed bug 649579 on the bit assert.
Group: core-security