Closed Bug 418989 Opened 17 years ago Closed 17 years ago

js_FillPropertyCache Asserts and dies

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta5

People

(Reporter: MikeM, Assigned: brendan)

References

Details

Attachments

(1 file)

fix
(deleted), patch
shaver
: review+
Details | Diff | Splinter Review
js_FillPropertyCache trips on the following assert: ------------------ JS_ASSERT_IF(scopeIndex == 0, protoIndex != 1 || OBJ_GET_PROTO(cx, obj) == pobj); ------------------ protoIndex is set to 1 and scopeIndex is 0 I just pulled down the latest code form the trunk a few hours ago. Here's the call stack ------------ JS_Assert(const char * s=0x101e2fdc, const char * file=0x101e2fcc, int ln=223) Line 59 C js_FillPropertyCache(JSContext * cx=0x034daf30, JSObject * obj=0x03d12000, unsigned long kshape=243, unsigned int scopeIndex=0, unsigned int protoIndex=1, JSObject * pobj=0x03d12d80, JSScopeProperty * sprop=0x03537900, JSPropCacheEntry * * entryp=0x03d0ec20) Line 223 + 0x2e bytes C js_FindPropertyHelper(JSContext * cx=0x034daf30, long id=64041076, JSObject * * objp=0x03d0edfc, JSObject * * pobjp=0x03d0ee80, JSProperty * * propp=0x03d0ede8, JSPropCacheEntry * * entryp=0x03d0ec20) Line 3418 + 0x2b bytes C js_Interpret(JSContext * cx=0x034daf30, unsigned char * pc=0x033cdaeb, long * result=0x03d0eefc) Line 4748 + 0x26 bytes C js_Execute(JSContext * cx=0x034daf30, JSObject * chain=0x03d12000, JSScript * script=0x033cda10, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x03d0f0e8) Line 1649 + 0x13 bytes C JS_ExecuteScript(JSContext * cx=0x034daf30, JSObject * obj=0x03d12000, JSScript * script=0x033cda10, long * rval=0x03d0f0e8) Line 4823 + 0x19 bytes C
Any help on this would be appreciated. Debugging in release mode builds is getting old. :-) I'd be glad to "fix" it with a little guidance...
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
This bug was not fixed by bug #418139. Here's another call stack illustrating the problem: JS_Assert(const char * s=0x101dc68c, const char * file=0x101dc65c, int ln=250) Line 59 C js_FillPropertyCache(JSContext * cx=0x034db5c0, JSObject * obj=0x03d11000, unsigned long kshape=503, unsigned int scopeIndex=0, unsigned int protoIndex=1, JSObject * pobj=0x03d11020, JSScopeProperty * sprop=0x031c2b48, JSPropCacheEntry * * entryp=0x03d0ec50) Line 250 + 0x2e bytes C js_FindPropertyHelper(JSContext * cx=0x034db5c0, long id=64042404, JSObject * * objp=0x03d0ee30, JSObject * * pobjp=0x03d0eeb4, JSProperty * * propp=0x03d0ee1c, JSPropCacheEntry * * entryp=0x03d0ec50) Line 3418 + 0x2b bytes C js_Interpret(JSContext * cx=0x034db5c0, unsigned char * pc=0x034cd4e3, long * result=0x03d0ef44) Line 4921 + 0x26 bytes C js_Execute(JSContext * cx=0x034db5c0, JSObject * chain=0x03d11000, JSScript * script=0x034cd080, JSStackFrame * down=0x00000000, unsigned int flags=2048, long * result=0x03d0f11c) Line 1509 + 0x13 bytes C JS_ExecuteScript(JSContext * cx=0x034db5c0, JSObject * obj=0x03d11000, JSScript * script=0x034cd080, long * rval=0x03d0f11c) Line 4823 + 0x19 bytes C I pulled down the HEAD today. Let me know if you need anything else.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
MikeM: are you calling JS_SetPrototype in your code? What is the relation, if any, of pobj and obj along the prototype chain of obj? Start from (JSObject *)obj->fslots[0] and keep following fslots[0] till you hit null or pobj. /be
(In reply to comment #4) > MikeM: are you calling JS_SetPrototype in your code? No. > > What is the relation, if any, of pobj and obj along the prototype chain of obj? > Start from (JSObject *)obj->fslots[0] and keep following fslots[0] till you hit > null or pobj. > // was null from the begining. + (JSObject *)obj->fslots[0] 0x00000000 {map=??? fslots=0x00000004 dslots=??? } JSObject * Here are the other objects. + pobj 0x03d11020 {map=0x034b9898 fslots=0x03d11024 dslots=0x031c923c } JSObject * + obj 0x03d11000 {map=0x034b9620 fslots=0x03d11004 dslots=0x031cabb4 } JSObject * Let me know what else you want to see.
Best if you can hop on IRC and /query me (brendan or brendan_work) and we can avoid doing this via bugzilla. Also, please file a new bug. This is not the same bug that was patched, and the patch that landed is a fix that won't be backed out. One bug per patch is best. /be
Status: REOPENED → RESOLVED
Closed: 17 years ago17 years ago
Resolution: --- → FIXED
Sorry, mixed this up with bug 418139. No patch here yet! /be
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assigned this to you Brendan so it doesn't get lost...
Assignee: general → brendan
Status: REOPENED → NEW
Priority: -- → P2
Real bug, would like to patch for b5. MikeM's embedding does something unusual but it breaks the property cache and the fix is easy. I'd rather fix sooner. /be
Status: NEW → ASSIGNED
Flags: blocking1.9?
Priority: P2 → P1
Target Milestone: --- → mozilla1.9beta5
Attached patch fix (deleted) — Splinter Review
MikeM, holler if this doesn't do it. /be
Attachment #310182 - Flags: review?(shaver)
Yes the fix is good. r+ from me!
Comment on attachment 310182 [details] [diff] [review] fix r=shaver -- I presume this is testable in shell?
Attachment #310182 - Flags: review?(shaver) → review+
(In reply to comment #12) > (From update of attachment 310182 [details] [diff] [review]) > r=shaver -- I presume this is testable in shell? It should be possible to extend the "it" object and its_resolve to test this bug. /be
Yep - lets get this for b5
Flags: blocking1.9? → blocking1.9+
Fixed -- will attend to the test after impending deadlines. js/src/jsinterp.c 3.480 js/src/jsinterp.h 3.88 /be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Depends on: 424311
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: