Open Bug 722806 Opened 9 years ago Updated 6 years ago

Assertion failure: offset < script->length running textbox.xml constructor

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal


People

(Reporter: graememcc, Unassigned)

Attachments

(2 files)

Started hitting this last week with my development profile. Only just had a chance to satisfy myself that it looks like a legitimate bug.

When I started hitting this, it was after my first recompile for a few days, giving an entirely unhelpful initial regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=49936b49aff3&tochange=e758551e3924

(gdb) bt
#0  0x00007ffff7bcea0b in raise () from /lib/libpthread.so.0
#1  0x00007ffff3fe84a1 in CrashInJS () at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsutil.cpp:97
#2  0x00007ffff3fe84fa in JS_Assert (s=0x7ffff48075b7 "offset < script->length", file=0x7ffff4807908 "/home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp", ln=77)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsutil.cpp:114
#3  0x00007ffff41cd798 in js::analyze::ScriptAnalysis::addJump (this=0x7fffd8ab8e50, cx=0x7fffe3ed7f10, offset=173408328, currentOffset=0x7fffffff9b88, forwardJump=0x7fffffff9b98, stackDepth=2)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp:77
#4  0x00007ffff41c8b39 in js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffd8ab8e50, cx=0x7fffe3ed7f10) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp:541
#5  0x00007ffff3ef3285 in JSScript::makeAnalysis (this=0x7fffd9745d48, cx=0x7fffe3ed7f10) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinfer.cpp:5572
#6  0x00007ffff3ef8a74 in JSScript::ensureRanAnalysis (this=0x7fffd9745d48, cx=0x7fffe3ed7f10, scope=0x7fffdeeb3740 [Object ChromeWindow] delegate)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinferinlines.h:1386
#7  0x00007ffff3f23194 in js::types::TypeMonitorCall (cx=0x7fffe3ed7f10, args=..., constructing=false) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinferinlines.h:330
#8  0x00007ffff3f15c6e in js::Interpret (cx=0x7fffe3ed7f10, entryFrame=0x7fffe06ff030, interpMode=js::JSINTERP_NORMAL) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:2811
#9  0x00007ffff3f0985d in js::RunScript (cx=0x7fffe3ed7f10, script=0x7fffd9745e30, fp=0x7fffe06ff030) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:474
#10 0x00007ffff3f09ba4 in js::InvokeKernel (cx=0x7fffe3ed7f10, args=..., construct=js::NO_CONSTRUCT) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:537
#11 0x00007ffff3e6d5eb in js::Invoke (cx=0x7fffe3ed7f10, args=..., construct=js::NO_CONSTRUCT) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.h:157
#12 0x00007ffff3f09d9d in js::Invoke (cx=0x7fffe3ed7f10, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffffffac30) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:569
#13 0x00007ffff3e495dc in JS_CallFunctionValue (cx=0x7fffe3ed7f10, obj=0x7fffd9741af0 [Object XULElement], fval=$jsval(0x7fffd97e0e80 [Object Function ""]), argc=0, argv=0x0, rval=0x7fffffffac30)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsapi.cpp:5452
#14 0x00007ffff2b2a021 in nsXBLProtoImplAnonymousMethod::Execute (this=0x7fffd93f9a30, aBoundElement=0x7fffd8b991a0)
    at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLProtoImplMethod.cpp:365
#15 0x00007ffff2b139e7 in nsXBLPrototypeBinding::BindingAttached (this=0x7fffd93e4080, aBoundElement=0x7fffd8b991a0)
    at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLPrototypeBinding.cpp:525
#16 0x00007ffff2b0ee93 in nsXBLBinding::ExecuteAttachedHandler (this=0x7fffd8b97380) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLBinding.cpp:951
#17 0x00007ffff2b0ee68 in nsXBLBinding::ExecuteAttachedHandler (this=0x7fffd8b973c0) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLBinding.cpp:948
#18 0x00007ffff2b0ee68 in nsXBLBinding::ExecuteAttachedHandler (this=0x7fffd8b97400) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLBinding.cpp:948
#19 0x00007ffff2b3d975 in nsBindingManager::ProcessAttachedQueue (this=0x7fffdb0b6570, aSkipSize=0) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsBindingManager.cpp:1052
#20 0x00007ffff246cb50 in PresShell::InitialReflow (this=0x7fffdaf07800, aWidth=60, aHeight=60) at /home/graememcc/moz/trunk/debug_mozwork/src/layout/base/nsPresShell.cpp:1975
#21 0x00007ffff2b530f4 in nsXULDocument::StartLayout (this=0x7fffdafcc000) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xul/document/src/nsXULDocument.cpp:2026
#22 0x00007ffff2b570c8 in nsXULDocument::DoneWalking (this=0x7fffdafcc000) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xul/document/src/nsXULDocument.cpp:3165
#23 0x00007ffff2b56d40 in nsXULDocument::ResumeWalk (this=0x7fffdafcc000) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xul/document/src/nsXULDocument.cpp:3114
#24 0x00007ffff2b58762 in nsXULDocument::OnStreamComplete (this=0x7fffdafcc000, aLoader=0x7fffd993d6c0, context=0x0, aStatus=0, stringLen=58125, string=
    0x7fffdf14e000 "/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */\n/* ***** BEGIN LICENSE BLOCK *****\n * Version: MPL 1.1/GPL 2.0/LGPL 2.1\n *\n * The contents of this file are subject to t"...) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xul/document/src/nsXULDocument.cpp:3570
#25 0x00007ffff215684c in nsStreamLoader::OnStopRequest (this=0x7fffd993d6c0, request=0x7fffdaf66170, ctxt=0x0, aStatus=0)
    at /home/graememcc/moz/trunk/debug_mozwork/src/netwerk/base/src/nsStreamLoader.cpp:127
#26 0x00007ffff2102e06 in nsBaseChannel::OnStopRequest (this=0x7fffdaf66120, request=0x7fffd9912680, ctxt=0x0, status=0)
    at /home/graememcc/moz/trunk/debug_mozwork/src/netwerk/base/src/nsBaseChannel.cpp:745
#27 0x00007ffff2118437 in nsInputStreamPump::OnStateStop (this=0x7fffd9912680) at /home/graememcc/moz/trunk/debug_mozwork/src/netwerk/base/src/nsInputStreamPump.cpp:583
#28 0x00007ffff2117c66 in nsInputStreamPump::OnInputStreamReady (this=0x7fffd9912680, stream=0x7fffdaf1d318)
    at /home/graememcc/moz/trunk/debug_mozwork/src/netwerk/base/src/nsInputStreamPump.cpp:405
#29 0x00007ffff3908293 in nsInputStreamReadyEvent::Run (this=0x7fffd993d740) at /home/graememcc/moz/trunk/debug_mozwork/src/xpcom/io/nsStreamUtils.cpp:114
#30 0x00007ffff392b20b in nsThread::ProcessNextEvent (this=0x7ffff6d56aa0, mayWait=false, result=0x7fffffffb5bf) at /home/graememcc/moz/trunk/debug_mozwork/src/xpcom/threads/nsThread.cpp:657
#31 0x00007ffff38bbb57 in NS_ProcessNextEvent_P (thread=0x7ffff6d56aa0, mayWait=false) at /home/graememcc/moz/trunk/debug_mozwork/src/obj/xpcom/build/nsThreadUtils.cpp:245
#32 0x00007ffff376b730 in mozilla::ipc::MessagePump::Run (this=0x7fffe8e51240, aDelegate=0x7ffff6dcdc70) at /home/graememcc/moz/trunk/debug_mozwork/src/ipc/glue/MessagePump.cpp:110
#33 0x00007ffff397ac6d in MessageLoop::RunInternal (this=0x7ffff6dcdc70) at /home/graememcc/moz/trunk/debug_mozwork/src/ipc/chromium/src/base/message_loop.cc:208
#34 0x00007ffff397abfe in MessageLoop::RunHandler (this=0x7ffff6dcdc70) at /home/graememcc/moz/trunk/debug_mozwork/src/ipc/chromium/src/base/message_loop.cc:201
#35 0x00007ffff397abd7 in MessageLoop::Run (this=0x7ffff6dcdc70) at /home/graememcc/moz/trunk/debug_mozwork/src/ipc/chromium/src/base/message_loop.cc:175
#36 0x00007ffff35f5632 in nsBaseAppShell::Run (this=0x7fffe3d9d0b0) at /home/graememcc/moz/trunk/debug_mozwork/src/widget/xpwidgets/nsBaseAppShell.cpp:189
#37 0x00007ffff3325bfe in nsAppStartup::Run (this=0x7fffe3df70b0) at /home/graememcc/moz/trunk/debug_mozwork/src/toolkit/components/startup/nsAppStartup.cpp:220
#38 0x00007ffff20c0a61 in XRE_main (argc=4, argv=0x7fffffffe258, aAppData=0x622c40) at /home/graememcc/moz/trunk/debug_mozwork/src/toolkit/xre/nsAppRunner.cpp:3537
#39 0x0000000000402442 in do_main (exePath=0x7fffffffd150 "/home/graememcc/moz/trunk/debug_mozwork/src/obj/dist/bin/", argc=4, argv=0x7fffffffe258)
    at /home/graememcc/moz/trunk/debug_mozwork/src/browser/app/nsBrowserApp.cpp:205
#40 0x00000000004026a9 in main (argc=4, argv=0x7fffffffe258) at /home/graememcc/moz/trunk/debug_mozwork/src/browser/app/nsBrowserApp.cpp:295

(gdb) f 3
#3  0x00007ffff41cd798 in js::analyze::ScriptAnalysis::addJump (this=0x7fffd8ac5e50, cx=0x7fffe3ed7f10, offset=173408328, currentOffset=0x7fffffff9b88, forwardJump=0x7fffffff9b98, stackDepth=2)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp:77
77	    JS_ASSERT(offset < script->length);
(gdb) p script->length
$1 = 145
(gdb) p offset
$2 = 173408328

Updating this build, I'm now failing in JSScript::GetObject.

(gdb) bt
...
#2  0x00007ffff3fdc646 in JS_Assert (s=0x7ffff475e19a "index < arr->length", file=0x7ffff475e130 "/home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsscript.h", ln=720)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsutil.cpp:114
#3  0x00007ffff3eea5e1 in JSScript::getObject (this=0x7fffd97db438, index=22785) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsscript.h:720
#4  0x00007ffff3f55fa3 in NumBlockSlots (script=0x7fffd97db438, pc=0x7fffd9888353  <incomplete sequence \306>) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsopcode.cpp:208
#5  0x00007ffff3f561e7 in js::StackDefs (script=0x7fffd97db438, pc=0x7fffd9888353  <incomplete sequence \306>) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsopcode.cpp:247
#6  0x00007ffff41bb2c3 in js::analyze::GetDefCount (script=0x7fffd97db438, offset=39) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.h:225
#7  0x00007ffff41bc25f in js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffd9876608, cx=0x7fffe3d136e0) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp:297
#8  0x00007ffff3ee6da1 in JSScript::makeAnalysis (this=0x7fffd97db438, cx=0x7fffe3d136e0) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinfer.cpp:5565
#9  0x00007ffff3eec5fc in JSScript::ensureRanAnalysis (this=0x7fffd97db438, cx=0x7fffe3d136e0, scope=0x7fffd96120a0 [Object XULElement])
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinferinlines.h:1389
#10 0x00007ffff3f16a76 in js::types::TypeMonitorCall (cx=0x7fffe3d136e0, args=..., constructing=false) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinferinlines.h:330
#11 0x00007ffff3efd5f0 in js::InvokeKernel (cx=0x7fffe3d136e0, args=..., construct=js::NO_CONSTRUCT) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:501
#12 0x00007ffff3e60e9b in js::Invoke (cx=0x7fffe3d136e0, args=..., construct=js::NO_CONSTRUCT) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.h:157
#13 0x00007ffff3efd8b6 in js::Invoke (cx=0x7fffe3d136e0, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffffffac70) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsinterp.cpp:549
#14 0x00007ffff3e3ce7e in JS_CallFunctionValue (cx=0x7fffe3d136e0, obj=0x7fffd96120a0 [Object XULElement], fval=$jsval(0x7fffd96a5b80 [Object Function ""]), argc=0, argv=0x0, rval=0x7fffffffac70)
    at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsapi.cpp:5454
#15 0x00007ffff2b132e9 in nsXBLProtoImplAnonymousMethod::Execute (this=0x7fffdf00a790, aBoundElement=0x7fffda32b980)
    at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLProtoImplMethod.cpp:365
#16 0x00007ffff2afcc4d in nsXBLPrototypeBinding::BindingAttached (this=0x7fffd95acc80, aBoundElement=0x7fffda32b980)
    at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLPrototypeBinding.cpp:525
#17 0x00007ffff2af80c9 in nsXBLBinding::ExecuteAttachedHandler (this=0x7fffd9354440) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsXBLBinding.cpp:951
#18 0x00007ffff2b26c3d in nsBindingManager::ProcessAttachedQueue (this=0x7fffdafd90c0, aSkipSize=0) at /home/graememcc/moz/trunk/debug_mozwork/src/content/xbl/src/nsBindingManager.cpp:1052
#19 0x00007ffff2455329 in PresShell::InitialReflow (this=0x7fffdaecb400, aWidth=60, aHeight=60) at /home/graememcc/moz/trunk/debug_mozwork/src/layout/base/nsPresShell.cpp:1977
...

(gdb) f 3
#3  0x00007ffff3eea5e1 in JSScript::getObject (this=0x7fffd97db438, index=22785) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsscript.h:720
720	        JS_ASSERT(index < arr->length);
(gdb) p index
$1 = 22785
(gdb) p arr->length
$2 = 3

(gdb) f 4
#4  0x00007ffff3f55fa3 in NumBlockSlots (script=0x7fffd97db438, pc=0x7fffd9888353  <incomplete sequence \306>) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsopcode.cpp:208
208	    return script->getObject(GET_UINT32_INDEX(pc))->asStaticBlock().slotCount();
(gdb) p script->filename
$3 = 0x7fffdf00a6d1 "chrome://global/content/bindings/popup.xml"
(gdb) p script->lineno 
$6 = 233
(gdb) f 7
#7  0x00007ffff41bc25f in js::analyze::ScriptAnalysis::analyzeBytecode (this=0x7fffd9876608, cx=0x7fffe3d136e0) at /home/graememcc/moz/trunk/debug_mozwork/src/js/src/jsanalyze.cpp:297

(gdb) call js_DumpScript(cx, script)
Output attached

(gdb) call PrintBytecode(cx, script, pc)
#1:00039: 237  enterblock object
Attached file Valid bytecode

OK, so this seems to be specific to that profile, strongly suggesting some kind of startupCache corruption. It turns out, the startupCache file for the assertion hitting profile was last written to on January 14th. Creating a new profile works fine.

Hence, I have no idea if the bytecode in the previous attachment is even valid. I set a break in the same place to capture the bytecode for that file/lineno in the working profile (attached) for contrast. Of course, both popup.xml and the JS bytecode version have changed since then, so there may be too many moving parts for this to provide any sort of meaningful comparison.

The failures in the various protections against an out-of-date startup cache are interesting:

nsAppRunner will blow away the caches if the version number differs from the "last version run" in compatibility.ini. I've tried to use this faulty profile either side of the 12/13 version bump on January 31st, and compatibility.ini for that profile shows 13.0a1_20120204130152/20120204130152.

So, at some point after the 31st, AppRunner has said we should blow away the cache, but then written the new last version to the file. The build has then crashed before an updated cache can be written to disk, so it will now happily allow the invalid cache to be loaded.

Also, serialised XPCOM JS components have a JS bytecode version, and items coming from the cache are discarded if this is out of date. I can see the asserts from these when loading the invalid cache, so these are being correctly detected.

However, serialised XBL such as popup.xml stores individually serialised functions, with no such versioning information. Is this safe?
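A constructed model of the two safeguards discussed in the comment above (the compatibility.ini version check with its write-ordering window, and the per-entry bytecode version tag that serialised XBL functions lack). This is example code added here, not Mozilla's startup cache implementation; the version strings, entry names and BYTECODE_VERSION are assumptions.

```python
# Constructed model of the two startup-cache safeguards the report discusses:
# the compatibility.ini version check and the per-entry bytecode version tag.
# Not Mozilla code; names, versions and cache entries are assumptions.
from dataclasses import dataclass
from typing import Optional

BYTECODE_VERSION = 2  # assumed: version stamped on freshly compiled bytecode


@dataclass
class Profile:
    """On-disk state: last version recorded in compatibility.ini, plus the cache file."""
    last_version: str
    cache: Optional[dict] = None  # entry name -> {"bytecode_version": int | None}


def load_entries(cache: Optional[dict]) -> dict:
    """Per-entry check: a tagged entry is rejected when stale; an untagged one cannot be."""
    loaded = {}
    for name, entry in (cache or {}).items():
        tag = entry["bytecode_version"]
        if tag is None:
            loaded[name] = "accepted unchecked"
        elif tag != BYTECODE_VERSION:
            loaded[name] = "rejected: stale bytecode version"
        else:
            loaded[name] = "accepted"
    return loaded


def run_build(profile, build, crash_before_cache_write, discard_file_first=False):
    """One startup of `build`; returns the entries it loaded. Default ordering is the
    one the report describes: the stale cache is dropped only in memory, compatibility.ini
    is updated at once, and the replacement cache reaches disk later (or never)."""
    if profile.last_version == build:
        return load_entries(profile.cache)  # versions match: the file is trusted
    if discard_file_first:
        profile.cache = None  # safer ordering: remove the file before touching the ini
    profile.last_version = build  # compatibility.ini written now
    if crash_before_cache_write:
        return {}  # process dies; the old cache file survives under the new version stamp
    profile.cache = {n: {"bytecode_version": BYTECODE_VERSION}
                     for n in ("component.js", "popup.xml#method")}
    return load_entries(profile.cache)


def second_start(discard_file_first):
    """Cache left by an older build: the XPCOM component entry is tagged (version 1), the
    serialised XBL method is not. The first run after the version bump crashes."""
    p = Profile("12.0a1", {"component.js": {"bytecode_version": 1},
                           "popup.xml#method": {"bytecode_version": None}})
    run_build(p, "13.0a1", crash_before_cache_write=True, discard_file_first=discard_file_first)
    return run_build(p, "13.0a1", crash_before_cache_write=False)
```

With the default ordering the second start trusts the old file and only the tagged component entry is rejected; removing the file before the ini write leaves nothing stale to load.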
Whoops, this one dropped off my radar for a bit. It's a startup cache bug, right, not a JS engine bug per se? Is the bug still affecting you?
Assignee: general → nobody