Closed
Bug 480147
Opened 16 years ago
Closed 16 years ago
"TM: Assertion failure: cx->bailExit" with string.replace and type instability
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
VERIFIED FIXED
People
(Reporter: cbook, Assigned: jorendorff)
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 3 obsolete files)
found during the TopSite Tests on pcworld.com.cn using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090225 Firefox/3.2a1pre TM Debug
Loading the testcase causes:
Assertion failure: cx->bailExit, at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
62 abort();
(gdb) bt
#0 JS_Assert (s=0x3fd36a "cx->bailExit", file=0x3fc154
"/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=4638)
at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:62
#1 0x0037d78a in js_DeepBail (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4638
#2 0x002f0af4 in js_LeaveTrace (cx=0x12e1e00) at jscntxt.h:1418
#3 0x002f0b07 in js_GetTopStackFrame (cx=0x12e1e00) at jscntxt.h:1442
#4 0x002f5520 in InferFlags (cx=0x12e1e00, defaultFlags=65535) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:2090
#5 0x002f7868 in js_LookupPropertyWithFlags (cx=0x12e1e00, obj=0x14df8888,
id=8385124, flags=65535, objp=0xbfff9490, propp=0xbfff948c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3624
#6 0x002fbd41 in js_GetPropertyHelper (cx=0x12e1e00, obj=0x14df8888,
id=8385124, vp=0xbfff953c, entryp=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:3979
#7 0x002fc170 in js_GetProperty (cx=0x12e1e00, obj=0x14df8888, id=8385124,
vp=0xbfff953c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4065
#8 0x002fedcd in js_TryMethod (cx=0x12e1e00, obj=0x14df8888, atom=0x7ff264,
argc=0, argv=0x0, rval=0xbfff9590) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:5194
#9 0x002fef3e in js_DefaultValue (cx=0x12e1e00, obj=0x14df8888,
hint=JSTYPE_STRING, vp=0xbfff9798) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsobj.cpp:4415
#10 0x00349261 in ArgToRootedString (cx=0x12e1e00, argc=2, vp=0xbfff9798,
arg=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:257
#11 0x0035105a in match_or_replace (cx=0x12e1e00, glob=0x352f32 <replace_glob>,
destroy=0x34a0ba <replace_destroy>, data=0xbfff96ec, argc=2, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1291
#12 0x00352a27 in js_StringReplaceHelper (cx=0x12e1e00, argc=2, lambda=0x0,
repstr=0x1494a340, vp=0xbfff9790) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1851
#13 0x00352c85 in String_p_replace_str (cx=0x12e1e00, str=0x1494d9c0,
regexp=0x14df8888, repstr=0x1494a340) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsstr.cpp:1785
#14 0x001a7f74 in ?? ()
#15 0xbfffbe28 in ?? ()
#16 0x003a38e6 in js_MonitorLoopEdge (cx=0x12e1e00,
inlineCallCount=@0xbfffc248) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:4228
#17 0x002bd88a in js_Interpret (cx=0x12e1e00) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:3111
#18 0x002e310d in js_Execute (cx=0x12e1e00, chain=0x141de7e0, script=0x1684e00,
down=0x0, flags=0, result=0x0) at jsinterp.cpp:1567
#19 0x0026ec2b in JS_EvaluateUCScriptForPrincipals (cx=0x12e1e00,
obj=0x141de7e0, principals=0x1644def4, chars=0x168b008, length=2626,
filename=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
lineno=108, rval=0x0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5249
#20 0x0bbbbe7b in nsJSContext::EvaluateString (this=0x143f6e50,
aScript=@0xbfffc884, aScopeObject=0x141de7e0, aPrincipal=0x1644def0,
aURL=0x10a8ce38 "file:///work/mozilla/lithium/pcworld-testcase.html",
aLineNo=108, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc804) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/src/base/nsJSEnvironment.cpp:1594
#21 0x0b99a70e in nsScriptLoader::EvaluateScript (this=0x1744f3b0,
aRequest=0x10a9cbe0, aScript=@0xbfffc884) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:671
#22 0x0b99aade in nsScriptLoader::ProcessRequest (this=0x1744f3b0,
aRequest=0x10a9cbe0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:585
#23 0x0b99bd78 in nsScriptLoader::ProcessScriptElement (this=0x1744f3b0,
aElement=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:539
#24 0x0b997508 in nsScriptElement::MaybeProcessScript (this=0x10e00714) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#25 0x0ba6bd47 in nsHTMLScriptElement::MaybeProcessScript (this=0x10e006f0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#26 0x0ba6ae27 in nsHTMLScriptElement::DoneAddingChildren (this=0x10e006f0,
aHaveNotified=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#27 0x0ba9ad69 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x14d9000,
content=0x10e006f0, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3134
#28 0x0ba9c587 in SinkContext::CloseContainer (this=0x10accbf0,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1023
#29 0x0ba9ca45 in HTMLContentSink::CloseContainer (this=0x14d9000,
aTag=eHTMLTag_script) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2389
#30 0x13e56bf8 in CNavDTD::CloseContainer (this=0x10e31740,
aTag=eHTMLTag_script, aMalformed=0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2798
#31 0x13e579d8 in CNavDTD::HandleEndToken (this=0x10e31740, aToken=0x167f520)
at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1677
#32 0x13e5ac44 in CNavDTD::HandleToken (this=0x10e31740, aToken=0x167f520,
aParser=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:761
#33 0x13e53f6a in CNavDTD::BuildModel (this=0x10e31740, aParser=0x10a907b0,
aTokenizer=0xf706200, anObserver=0x0, aSink=0x14d9090) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:333
#34 0x13e66a81 in nsParser::BuildModel (this=0x10a907b0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2384
#35 0x13e6ac21 in nsParser::ResumeParse (this=0x10a907b0, allowIteration=1,
aIsFinalChunk=0, aCanInterrupt=1) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#36 0x13e6a536 in nsParser::OnDataAvailable (this=0x10a907b0,
request=0x10a8cf20, aContext=0x0, pIStream=0x10a8d35c, sourceOffset=0,
aLength=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2910
#37 0x0cfd7f5f in nsDocumentOpenInfo::OnDataAvailable (this=0x10a8d150,
request=0x10a8cf20, aCtxt=0x0, inStr=0x10a8d35c, sourceOffset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#38 0x00ca0c44 in nsBaseChannel::OnDataAvailable (this=0x10a8cef0,
request=0x10a8d2c0, ctxt=0x0, stream=0x10a8d35c, offset=0, count=4811) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#39 0x00cb44df in nsInputStreamPump::OnStateTransfer (this=0x10a8d2c0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#40 0x00cb4fe8 in nsInputStreamPump::OnInputStreamReady (this=0x10a8d2c0,
stream=0x10a8d35c) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#41 0x00506adc in nsInputStreamReadyEvent::Run (this=0x10a8d1e0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#42 0x005393ea in nsThread::ProcessNextEvent (this=0x815c70, mayWait=0,
result=0xbfffd564) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#43 0x004c2b3a in NS_ProcessPendingEvents_P (thread=0x815c70, timeout=20) at
nsThreadUtils.cpp:180
#44 0x09936c41 in nsBaseAppShell::NativeEventCallback (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#45 0x098eda4a in nsAppShell::ProcessGeckoEvents (aInfo=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:381
#46 0x90ffa5f5 in CFRunLoopRunSpecific ()
#47 0x90ffacd8 in CFRunLoopRunInMode ()
#48 0x9356b2c0 in RunCurrentEventLoopInMode ()
#49 0x9356b012 in ReceiveNextEventCommon ()
#50 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#51 0x95a6cd7d in _DPSNextEvent ()
#52 0x95a6c630 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#53 0x95a6566b in -[NSApplication run] ()
#54 0x098eb97a in nsAppShell::Run (this=0x8355d0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:700
#55 0x0a5f23fa in nsAppStartup::Run (this=0x84ef40) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#56 0x000bc198 in XRE_main (argc=1, argv=0xbfffeaf8, aAppData=0x80edf0) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3216
#57 0x000026e3 in main (argc=1, argv=0xbfffeaf8) at
/work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
Flags: blocking1.9.1?
Comment 1•16 years ago (Reporter)
Attachment #364125 - Attachment is obsolete: true
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Comment 2•16 years ago
Attachment #364143 - Attachment is obsolete: true
Updated•16 years ago
Summary: TM: Assertion failure: cx->bailExit during TopSite Run → "TM: Assertion failure: cx->bailExit" with string.replace and type instability
Comment 3•16 years ago
In the testcase in comment 1, the type instability comes from
Object.prototype.extend = function(object) {};
Sticking stuff on Object.prototype doesn't mix well with for..in ;)
Comment 4•16 years ago
(In reply to comment #2)
> Created an attachment (id=365137) [details]
> simple shell testcase
The attached testcase is:
var w = [/a/, /b/, /c/, {}];
for (var i = 0; i < w.length; ++i)
"".replace(w[i], "");
and this crashes opt TM js shell at LeaveTree near null, and also asserts at Assertion failure: cx->bailExit, at ../jstracer.cpp:4709
Severity: normal → critical
Keywords: crash
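Added example (not from this bug's attachments or Mozilla code) that makes the type instability from comment 3 visible and shows the mitigation: an enumerable property on Object.prototype is picked up by for..in, so a loop over an array of RegExps hands a function to "".replace(), exactly the non-RegExp argument the comment 4 testcase passes with `{}`. Defining the extension non-enumerable (or guarding with hasOwnProperty) keeps the argument type stable.

```javascript
// Keys a for..in loop actually visits for `arr`, including inherited ones.
function visibleKeys(arr) {
  var keys = [];
  for (var k in arr) keys.push(k);
  return keys;
}

// Type of each value that a for..in loop would pass to "".replace(value, "").
// A non-RegExp is not rejected: the engine coerces it with ToString, which is
// the path that reentered the interpreter from trace in this bug.
function replaceArgTypes(arr) {
  var types = [];
  for (var k in arr) {
    var v = arr[k];
    types.push(v instanceof RegExp ? "regexp" : typeof v);
    "".replace(v, "");
  }
  return types;
}

function demo() {
  var w = [/a/, /b/, /c/];                     // constructed sample input
  var before = replaceArgTypes(w);             // all "regexp"

  // Enumerable prototype extension, as in the pcworld page (comment 3).
  Object.prototype.extend = function (object) {};
  var pollutedKeys = visibleKeys(w);           // "0","1","2","extend"
  var polluted = replaceArgTypes(w);           // last entry is "function"

  // Mitigation: same helper, but non-enumerable, so for..in skips it.
  delete Object.prototype.extend;
  Object.defineProperty(Object.prototype, "extend", {
    value: function (object) {},
    enumerable: false, writable: true, configurable: true
  });
  var fixed = replaceArgTypes(w);              // back to all "regexp"

  delete Object.prototype.extend;              // undo the global change
  return { before: before, pollutedKeys: pollutedKeys,
           polluted: polluted, fixed: fixed };
}
```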
Comment 5•16 years ago
The first bad revision is:
changeset: 24351:435d0fe86a78
user: Jason Orendorff
date: Tue Feb 03 18:25:12 2009 -0600
summary: Bug 462027 - Bail off trace when reentering interpreter. r=gal.
This should be a regression of bug 462027, as hg bisect reveals.
Blocks: deepbail
Comment 6•16 years ago (Assignee)
Yep, string_p_replace needs to be a _FAIL builtin. Easy fix (and possibly a duplicate?).
P.S. Gary, my understanding of the jargon is that "regression of bug ######" means the same bug reappeared. This is a regression caused by the fix in bug 462027, not a regression of 462027.
(As it happens, it is actually a reentry bug *revealed* by the fix in 462027, which makes such bugs into crashers!)
Updated•16 years ago
Assignee: general → jorendorff
Comment 7•16 years ago (Assignee)
I was wrong, this doesn't really need to be _FAIL. It just needs to detect the problem case.
Switching to _FAIL would let us stay on trace here, but I don't think it matters.
Attachment #366427 - Flags: review?(gal)
Comment 8•16 years ago
Comment on attachment 366427 (v1)
>diff --git a/js/src/jsstr.cpp b/js/src/jsstr.cpp
>--- a/js/src/jsstr.cpp
>+++ b/js/src/jsstr.cpp
>@@ -1819,16 +1819,19 @@ str_replace(JSContext *cx, uintN argc, j
>
> return js_StringReplaceHelper(cx, argc, lambda, repstr, vp);
> }
>
> #ifdef JS_TRACER
> static JSString* FASTCALL
> String_p_replace_str(JSContext* cx, JSString* str, JSObject* regexp, JSString* repstr)
> {
>+ if (!regexp || OBJ_GET_CLASS(cx, regexp) != &js_RegExpClass)
>+ return NULL;
>+
Why would regexp be NULL here? We have a special Null type on trace, so this "shouldn't happen (tm)." An assert instead maybe?
> jsval vp[4] = {
> JSVAL_NULL, STRING_TO_JSVAL(str), OBJECT_TO_JSVAL(regexp), STRING_TO_JSVAL(repstr)
> };
> if (!js_StringReplaceHelper(cx, 2, NULL, repstr, vp))
> return NULL;
> JS_ASSERT(JSVAL_IS_STRING(vp[0]));
> return JSVAL_TO_STRING(vp[0]);
> }
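Review bot: the class check in String_p_replace_str returns NULL without saying why that is sufficient for a builtin that is not marked _FAIL; the backtrace in the description shows the hazard is js_StringReplaceHelper → match_or_replace → ArgToRootedString → js_DefaultValue calling back into the interpreter (js_LeaveTrace → js_DeepBail) for a non-RegExp argument, and comment 7 states that failing the call here, rather than switching to _FAIL, is the intended way to detect that case. A one-line comment above the check, e.g. `/* A non-RegExp argument would reenter the interpreter; fail the call so the trace side-exits. */`, would record that invariant. The hunk also carries no regression test; the shell testcase from comment 4 (`var w = [/a/, /b/, /c/, {}];` looping `"".replace(w[i], "")`) is the natural candidate.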
Comment 9•16 years ago (Assignee)
Good point.
We don't assert that a pointer is non-null if we're about to read from it anyway. So just removing the !regexp check will do here.
I added a one-line comment.
Attachment #366427 - Attachment is obsolete: true
Attachment #366586 - Flags: review?(gal)
Attachment #366427 - Flags: review?(gal)
Updated•16 years ago
Attachment #366586 - Flags: review?(gal) → review+
Comment 10•16 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey
Comment 11•16 years ago
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 12•16 years ago
http://hg.mozilla.org/tracemonkey/rev/74c2e9230e7d
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-480147.js,v <-- regress-480147.js
initial revision: 1.1
Flags: in-testsuite+
Comment 13•16 years ago
Keywords: fixed1.9.1
Updated•16 years ago (Reporter)
Blocks: sisyphus-tracking
No longer depends on: sisyphus-tracking
Comment 14•16 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1