Closed Bug 669043 Opened 14 years ago Closed 14 years ago

"Assertion failure: script->code <= target && target < script->code + script->length," with trap

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fixed-in-tracemonkey][inbound])

Attachments

(2 files)

stack
49.73 KB, text/plain
Details
fix
1.53 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
function f() { print( Proxy.create(( function() { return { get: Namespace, } }) ()) ) } dis(f) trap(f, 0, '') f() asserts js debug shell on TM changeset f59568ec0513 with -d at Assertion failure: script->code <= target && target < script->code + script->length, js> dis(f) flags: NULL_CLOSURE loc op ----- -- main: 00000: callgname "print" <-- trap goes here 00003: getgname "Proxy" 00006: callprop "create" 00009: lambda (function () {return {get: Namespace};}) 00012: nullblockchain 00013: push 00014: call 0 00017: call 1 00020: call 1 00023: pop 00024: stop Source notes: ofs line pc delta desc args ---- ---- ----- ------ -------- ------ 0: 1 0 [ 0] newline 1: 2 3 [ 3] newline 2: 3 6 [ 3] pcbase offset 3 4: 3 9 [ 3] newline 5: 4 14 [ 5] pcbase offset 5 7: 4 17 [ 3] pcbase offset 14 9: 4 20 [ 3] pcbase offset 20 11: 4 24 [ 4] setline lineno 10 js> trap(f, 0, '') autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 70404:bb9e5496b0ac user: Luke Wagner date: Fri May 13 08:56:26 2011 -0700 summary: Bug 656462, part 4 - Simplify stack code, keep track of native calls, create new iterator over native/scripted callstack, make JS_SaveFrameChain fallible (r=waldo,mrbkap)
Attached file stack
stack is hideously long...
Still occurs on TM changeset d8e967b8afc8.
Attached patch fixSplinter Review
More DEBUG-only ridiculousness resulting from new strong assertions plus AutoScriptUntrapper.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #544072 - Flags: review?(jwalden+bmo)
Comment on attachment 544072 [details] [diff] [review] fix Review of attachment 544072 [details] [diff] [review]: ----------------------------------------------------------------- I'm not sure this is the perfect, absolute most cleanest way to do this. But it works, so meh.
Attachment #544072 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/tracemonkey/rev/60b1a6a58531
Whiteboard: fixed-in-tracemonkey
This (along with most things committed on Friday afternoon) was backed out of mozilla-inbound in order to clear up orange.
http://hg.mozilla.org/integration/mozilla-inbound/rev/16b9dfded119
Whiteboard: fixed-in-tracemonkey → [fixed-in-tracemonkey][inbound]
http://hg.mozilla.org/mozilla-central/rev/16b9dfded119
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: