Bug 666292 - "Assertion failure: pc_ >= script->code && pc_ < script->code + script->length," with trap
Status: RESOLVED FIXED
Whiteboard: fixed-in-tracemonkey
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: Luke Wagner [:luke]
QA Contact:
Mentors:
Duplicates: 666301
Depends on:
Blocks: jsfunfuzz 656462
Reported: 2011-06-22 09:45 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 07:41 PST
CC: 8 users
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stack (5.21 KB, text/plain) - 2011-06-22 09:45 PDT, Gary Kwong [:gkw] [:nth10sd] - no flags
No FrameRegsIter For You! (1.75 KB, patch) - 2011-06-23 09:39 PDT, Luke Wagner [:luke] - jwalden+bmo: review+
stack (15.77 KB, text/plain) - 2011-06-28 08:22 PDT, Bob Clary [:bc:] - no flags

Description Gary Kwong [:gkw] [:nth10sd] 2011-06-22 09:45:32 PDT
Created attachment 541079 [details]
stack

function f(){
  this.zzz.zzz;       // this.zzz is undefined here, so this throws before the loop runs
  for(let d in []);
}
dis(f)                // shell-only helper: dump bytecode to find the pc of the 'goto'
trap(f, 18, '')       // shell-only helper: set a trap at pc 18 with an empty handler
f()

asserts js debug shell on TM changeset 0428dbdf3d58 with -m, -a and -d at Assertion failure: pc_ >= script->code && pc_ < script->code + script->length,

js> function f(){
  this.zzz.zzz;
  for(let d in []);
}
js> dis(f)
flags: NULL_CLOSURE
loc     op
-----   --
main:
00000:  this
00001:  getprop "zzz"
00004:  getprop "zzz"
00007:  pop
00008:  enterblock depth 0 {d: 0}
00011:  newarray 0
00015:  endinit
00016:  iter 1
00018:  goto 27 (+9)      <-- trap goes here
00021:  trace 0
00024:  forlocal 0
00027:  moreiter
00028:  ifne 21 (-7)
00031:  enditer
00032:  leaveblock 1
00037:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline 
  1:    2     1 [   1] pcbase   offset 1
  3:    2     4 [   3] pcbase   offset 4
  5:    2     8 [   4] newline 
  6:    3    18 [  10] xdelta  
  7:    3    18 [   0] if-else  else 9 elseif 10
 10:    3    21 [   3] while    offset 7
 12:    3    24 [   3] decl     offset 2

Exception table:
kind      stack    start      end
 iter         2       21       31

js> trap(f, 18, '')
js> f()
Assertion failure: pc_ >= script->code && pc_ < script->code + script->length,
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-06-23 08:48:16 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   70404:bb9e5496b0ac
user:        Luke Wagner
date:        Fri May 13 08:56:26 2011 -0700
summary:     Bug 656462, part 4 - Simplify stack code, keep track of native calls, create new iterator over native/scripted callstack, make JS_SaveFrameChain fallible (r=waldo,mrbkap)
Comment 2 Luke Wagner [:luke] 2011-06-23 09:18:58 PDT
*** Bug 666301 has been marked as a duplicate of this bug. ***
Comment 3 Luke Wagner [:luke] 2011-06-23 09:27:35 PDT
This is what I get for making strong assertions: AutoScriptUntrapper mutates script->code (to point to an untrapped set of bytecodes) and FrameRegsIter (called inside the decompiler) observes the script and tries to assert regs.pc is in range.  I would just do some hack, but it looks like pc is actually being used and compared to stuff (even before my changes)...
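The failure mode described in the comment above, as an added example that is not SpiderMonkey source and not part of this bug: a script's code buffer is swapped for an untrapped copy while a caller still holds an absolute pc pointer into the original buffer, so a "pc is inside script->code" range check fails even though the pc is logically valid. Script, setTrap, ScopedUntrapper and pcInRange are hypothetical stand-ins for the script, trap, AutoScriptUntrapper and FrameRegsIter machinery named in the comment; the bytecode is constructed. The offset-based variant at the end is one generic way to make such a check robust; it is not the approach the patch on this bug takes.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Hypothetical opcodes for a four-byte constructed script (not SpiderMonkey's).
constexpr uint8_t OP_NOP = 0;
constexpr uint8_t OP_GOTO = 1;
constexpr uint8_t OP_TRAP = 2;
constexpr uint8_t OP_STOP = 3;

// A script owns its bytecode; consumers compare absolute pc pointers against
// the 'code' member rather than against the storage that really backs it.
struct Script {
    std::vector<uint8_t> storage;  // bytecode the interpreter actually runs
    uint8_t* code;                 // what range checks compare pc against
    size_t length;
    explicit Script(std::vector<uint8_t> bytes)
        : storage(std::move(bytes)), code(storage.data()), length(storage.size()) {}
};

struct Trap { size_t offset; uint8_t original; };

// Install a trap: overwrite the opcode in place and remember what was there.
Trap setTrap(Script& s, size_t offset) {
    Trap t{offset, s.code[offset]};
    s.code[offset] = OP_TRAP;
    return t;
}

// Stand-in for an "untrapper": while alive, script->code points at a private
// copy with the original opcodes restored, so readers such as a decompiler see
// clean bytecode. The traps stay in the real buffer the interpreter runs.
class ScopedUntrapper {
    Script& script_;
    uint8_t* savedCode_;
    std::vector<uint8_t> clean_;
public:
    ScopedUntrapper(Script& s, const std::vector<Trap>& traps)
        : script_(s), savedCode_(s.code), clean_(s.code, s.code + s.length) {
        for (const Trap& t : traps) clean_[t.offset] = t.original;
        script_.code = clean_.data();   // the swap that breaks absolute pc pointers
    }
    ~ScopedUntrapper() { script_.code = savedCode_; }
};

// The predicate behind the assertion in the bug title. The real assertion
// compares the pointers directly; integers are used here so the comparison is
// well-defined even when pc and code come from different allocations.
bool pcInRange(const Script& s, const uint8_t* pc) {
    auto p = reinterpret_cast<uintptr_t>(pc);
    auto lo = reinterpret_cast<uintptr_t>(s.code);
    return p >= lo && p < lo + s.length;
}

// Constructed sample: nop, goto, nop, stop at offsets 0..3.
std::vector<uint8_t> sampleBytecode() {
    return {OP_NOP, OP_GOTO, OP_NOP, OP_STOP};
}

// Reproduces the failure: pc is an absolute pointer captured before the swap,
// so the range check against the swapped-in buffer rejects it.
bool absolutePcFailsUnderUntrapper() {
    Script s(sampleBytecode());
    std::vector<Trap> traps{setTrap(s, 1)};
    const uint8_t* pc = s.code + 1;       // interpreter is stopped at the trapped op
    bool beforeSwap = pcInRange(s, pc);   // true: pc and code both point into storage
    ScopedUntrapper untrap(s, traps);
    bool duringSwap = pcInRange(s, pc);   // false: pc is in storage, code is in the copy
    return beforeSwap && !duringSwap;
}

// Offset-based alternative: keep pc as an offset and rebase it against whatever
// script->code currently is, so the check holds across the swap and the reader
// sees the untrapped opcode while the trap stays in the real buffer.
bool offsetPcSurvivesUntrapper() {
    Script s(sampleBytecode());
    std::vector<Trap> traps{setTrap(s, 1)};
    size_t pcOffset = 1;
    ScopedUntrapper untrap(s, traps);
    const uint8_t* pc = s.code + pcOffset;
    return pcInRange(s, pc) && pc[0] == OP_GOTO && s.storage[pcOffset] == OP_TRAP;
}
```

The point of the two functions is the same one the comment makes: the assertion is sound only if nothing repoints script->code while a frame's pc is still being compared against it; once that invariant is broken by design, either the comparison has to go (as the patch here does by avoiding FrameRegsIter) or the pc has to be stored in a form that survives the swap.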
Comment 4 Luke Wagner [:luke] 2011-06-23 09:39:52 PDT
Created attachment 541407 [details] [diff] [review]
No FrameRegsIter For You!

This code is madness.

I'll just use pcQuadratic (this shouldn't be in a quadratic situation anyhow) which undoes (http://hg.mozilla.org/tracemonkey/diff/abd2dcd555f4/js/src/jsopcode.cpp).
Comment 5 Luke Wagner [:luke] 2011-06-23 16:53:18 PDT
http://hg.mozilla.org/tracemonkey/rev/47c6a7fd1af5
Comment 6 Chris Leary [:cdleary] (not checking bugmail) 2011-06-27 11:38:36 PDT
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/47c6a7fd1af5
Comment 7 Bob Clary [:bc:] 2011-06-28 08:22:39 PDT
Created attachment 542476 [details]
stack

1. http://www.autoteile-immler.com/THULE%2B973%2BBackPac%2BFahrradtr%25e4ger%2Binkl.%2BMontagekit%2B973-15/a5730277_u161/

2. Either stop or continue slow script dialog.

3. Assertion failure: pc_ >= script->code && pc_ < script->code + script->length, at /work/mozilla/builds/nightly/mozilla/js/src/vm/Stack.cpp:978

Note that in Automation today's Nightly fired Assertion failure: compartment mismatched on this.

new bug?
Comment 8 Bob Clary [:bc:] 2011-06-28 08:23:30 PDT
oops, "Note that in Automation today's Nightly fired Assertion failure: compartment mismatched on this." should have read "Note that in Automation today's Nightly on Linux 64 bit fired Assertion failure: compartment mismatched on this."
Comment 9 Bob Clary [:bc:] 2011-06-28 08:40:45 PDT
Windows is showing a stack overflow at the same url with moz_free | NS_Free_P nsMemory::Free(void*) XPCJSStackFrame::~XPCJSStackFrame() XPCJSStackFrame::`vector deleting destructor'(unsigned int) + 0xe XPCJSStackFrame::Release()

I filed Bug 667915
Comment 10 Christian Holler (:decoder) 2013-01-14 07:41:36 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug666292.js.
