Bug 669043 - "Assertion failure: script->code <= target && target < script->code + script->length," with trap
Status: RESOLVED FIXED
Whiteboard: [fixed-in-tracemonkey][inbound]
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: mozilla8
Assigned To: Luke Wagner [:luke]
: Jason Orendorff [:jorendorff]
Blocks: jsfunfuzz 656462
Reported: 2011-07-02 22:23 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-07-19 08:08 PDT


Attachments
- stack (49.73 KB, text/plain), 2011-07-02 22:27 PDT, Gary Kwong [:gkw] [:nth10sd]
- fix (1.53 KB, patch), 2011-07-05 14:54 PDT, Luke Wagner [:luke], review+ from jwalden+bmo

Description Gary Kwong [:gkw] [:nth10sd] 2011-07-02 22:23:13 PDT
function f() {
    print(
        Proxy.create((
            function() {
                return {
                    get: Namespace,
                }
            })
        ())
    )
}
dis(f)
trap(f, 0, '')
f()

asserts js debug shell on TM changeset f59568ec0513 with -d at Assertion failure: script->code <= target && target < script->code + script->length,

js> dis(f)
flags: NULL_CLOSURE
loc     op
-----   --
main:
00000:  callgname "print"     <-- trap goes here
00003:  getgname "Proxy"
00006:  callprop "create"
00009:  lambda (function () {return {get: Namespace};})
00012:  nullblockchain
00013:  push
00014:  call 0
00017:  call 1
00020:  call 1
00023:  pop
00024:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     0 [   0] newline 
  1:    2     3 [   3] newline 
  2:    3     6 [   3] pcbase   offset 3
  4:    3     9 [   3] newline 
  5:    4    14 [   5] pcbase   offset 5
  7:    4    17 [   3] pcbase   offset 14
  9:    4    20 [   3] pcbase   offset 20
 11:    4    24 [   4] setline  lineno 10

js> trap(f, 0, '')

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   70404:bb9e5496b0ac
user:        Luke Wagner
date:        Fri May 13 08:56:26 2011 -0700
summary:     Bug 656462, part 4 - Simplify stack code, keep track of native calls, create new iterator over native/scripted callstack, make JS_SaveFrameChain fallible (r=waldo,mrbkap)
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-07-02 22:27:47 PDT
Created attachment 543654 [details]
stack

stack is hideously long...
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-07-02 22:40:33 PDT
Still occurs on TM changeset d8e967b8afc8.
Comment 3 Luke Wagner [:luke] 2011-07-05 14:54:49 PDT
Created attachment 544072 [details] [diff] [review]
fix

More DEBUG-only ridiculousness resulting from new strong assertions plus AutoScriptUntrapper.
Comment 4 Jeff Walden [:Waldo] (remove +bmo to email) 2011-07-08 14:29:24 PDT
Comment on attachment 544072 [details] [diff] [review]
fix

Review of attachment 544072 [details] [diff] [review]:
-----------------------------------------------------------------

I'm not sure this is the perfect, absolute most cleanest way to do this.  But it works, so meh.
Comment 5 Luke Wagner [:luke] 2011-07-11 10:26:57 PDT
http://hg.mozilla.org/tracemonkey/rev/60b1a6a58531
Comment 6 Joe Drew (not getting mail) 2011-07-16 18:44:16 PDT
This (along with most things committed on Friday afternoon) was backed out of mozilla-inbound in order to clear up orange.
Comment 8 Marco Bonardo [::mak] 2011-07-19 08:08:04 PDT
http://hg.mozilla.org/mozilla-central/rev/16b9dfded119