Carsten Book [:Tomcat] Reporter
	Description • 16 years ago

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090416 Firefox/3.6a1pre

found during the topsite tests with the latest TM Build. Seems to be a regression because does not happen with builds 2 days old.

Steps to reproduce:
Just load a major site like gmx.net 
--> Assertion failure


Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1  0x003adb79 in TraceRecorder::record_SetPropMiss (this=0xff72f90, entry=0x6eab58) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7478
#2  0x002dd69a in js_Interpret (cx=0xb37c00) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:4803
#3  0x002f26f3 in js_Execute (cx=0xb37c00, chain=0x1485c6a0, script=0xf98a00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1632
#4  0x00276bd5 in JS_EvaluateUCScriptForPrincipals (cx=0xb37c00, obj=0x1485c6a0, principals=0x16bbcec4, chars=0xfe9a008, length=50516, filename=0xff79438 "http://js.ui-portal.de/gmx/home/js/20090331/prototype.js", lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5154
#5  0x0bb4aa51 in nsJSContext::EvaluateString (this=0x136ea350, aScript=@0xff794c4, aScopeObject=0x1485c6a0, aPrincipal=0x16bbcec0, aURL=0xff79438 "http://js.ui-portal.de/gmx/home/js/20090331/prototype.js", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffd0c4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:1603
#6  0x0b924b34 in nsScriptLoader::EvaluateScript (this=0x16bbe6e0, aRequest=0xff794b0, aScript=@0xff794c4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:686
#7  0x0b924f04 in nsScriptLoader::ProcessRequest (this=0x16bbe6e0, aRequest=0xff794b0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:600
#8  0x0b924f90 in nsScriptLoader::ProcessPendingRequests (this=0x16bbe6e0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:739
#9  0x0b9252de in nsScriptLoader::OnStreamComplete (this=0x16bbe6e0, aLoader=0xff79880, aContext=0xff794b0, aStatus=0, aStringLen=50516, aString=0xfe84008 "/* DON'T EDIT THIS GENERATED FILE! Changes will be lost. */\r\n\r\n/*  Prototype JavaScript framework, version 1.4.0\r\n *  (c) 2005 Sam Stephenson <sam@conio.net>\r\n *\r\n *  Prototype is freely distributable"...) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:926
#10 0x0948ca4b in nsStreamLoader::OnStopRequest (this=0xff79880, request=0xff79510, ctxt=0xff794b0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamLoader.cpp:108
#11 0x094b07d7 in nsHTTPCompressConv::OnStopRequest (this=0xff7b620, request=0xff79510, aContext=0xff794b0, aStatus=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#12 0x0948c058 in nsStreamListenerTee::OnStopRequest (this=0xff7a6e0, request=0xff79510, context=0xff794b0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:65
#13 0x0953a25d in nsHttpChannel::OnStopRequest (this=0xff794e0, request=0xff79f80, ctxt=0x0, status=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:4907
#14 0x09457d24 in nsInputStreamPump::OnStateStop (this=0xff79f80) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:576
#15 0x09457e44 in nsInputStreamPump::OnInputStreamReady (this=0xff79f80, stream=0xff79e6c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:401
#16 0x00516c4e in nsInputStreamReadyEvent::Run (this=0xff79d60) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#17 0x00549d0c in nsThread::ProcessNextEvent (this=0x715980, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#18 0x004d2b1e in NS_ProcessPendingEvents_P (thread=0x715980, timeout=20) at nsThreadUtils.cpp:180
#19 0x098d48f9 in nsBaseAppShell::NativeEventCallback (this=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#20 0x0988b39a in nsAppShell::ProcessGeckoEvents (aInfo=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#21 0x90ffa5f5 in CFRunLoopRunSpecific ()
#22 0x90ffacd8 in CFRunLoopRunInMode ()
#23 0x9356b2c0 in RunCurrentEventLoopInMode ()
#24 0x9356b0d9 in ReceiveNextEventCommon ()
#25 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#26 0x95a6cd7d in _DPSNextEvent ()
#27 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#28 0x95a6566b in -[NSApplication run] ()
#29 0x098887f4 in nsAppShell::Run (this=0x735320) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#30 0x0a57d37a in nsAppStartup::Run (this=0x74ef50) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#31 0x0008198c in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#32 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156

	Brendan Eich [:brendan]
	Comment 1 • 16 years ago

Can someone (auto)bisect and find the regressing changeset? Thanks,

/be

	Carsten Book [:Tomcat] Reporter
	Comment 2 • 16 years ago

working on a testcase

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 3 • 16 years ago

I'm quite sure I saw this in my jsfunfuzz boxes. The testcase during reduction morphed to bug 488693.

	Carsten Book [:Tomcat] Reporter
	Comment 4 • 16 years ago

loading this testcase cause:

Program received signal SIGTRAP, Trace/breakpoint trap.
JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
69	    abort();
(gdb) bt
#0  JS_Assert (s=0x410f88 "scope->shape == PCVCAP_SHAPE(entry->vcap)", file=0x40db28 "/work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp", ln=7478) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsutil.cpp:69
#1  0x003adb79 in TraceRecorder::record_SetPropMiss (this=0x14cb7b80, entry=0x6ebd68) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jstracer.cpp:7478
#2  0x002dd69a in js_Interpret (cx=0xb30400) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsinterp.cpp:4803
#3  0x002f26f3 in js_Execute (cx=0xb30400, chain=0x12e8e940, script=0xe8ee00, down=0x0, flags=0, result=0x0) at jsinterp.cpp:1632
#4  0x00276bd5 in JS_EvaluateUCScriptForPrincipals (cx=0xb30400, obj=0x12e8e940, principals=0x14c03004, chars=0xf413008, length=10213, filename=0x14c63788 "file:///work/mozilla/lithium/bebo1.html", lineno=1, rval=0x0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/js/src/jsapi.cpp:5154
#5  0x0bb4aa51 in nsJSContext::EvaluateString (this=0x14b0b400, aScript=@0xbfffc824, aScopeObject=0x12e8e940, aPrincipal=0x14c03000, aURL=0x14c63788 "file:///work/mozilla/lithium/bebo1.html", aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0xbfffc7a4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/dom/base/nsJSEnvironment.cpp:1603
#6  0x0b924b34 in nsScriptLoader::EvaluateScript (this=0x14c4a1f0, aRequest=0x14b81590, aScript=@0xbfffc824) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:686
#7  0x0b924f04 in nsScriptLoader::ProcessRequest (this=0x14c4a1f0, aRequest=0x14b81590) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:600
#8  0x0b9261ac in nsScriptLoader::ProcessScriptElement (this=0x14c4a1f0, aElement=0x14cb5f64) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptLoader.cpp:554
#9  0x0b92190c in nsScriptElement::MaybeProcessScript (this=0x14cb5f64) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/base/src/nsScriptElement.cpp:193
#10 0x0b9f6c2d in nsHTMLScriptElement::MaybeProcessScript (this=0x14cb5f40) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:547
#11 0x0b9f5d0d in nsHTMLScriptElement::DoneAddingChildren (this=0x14cb5f40, aHaveNotified=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/content/src/nsHTMLScriptElement.cpp:484
#12 0x0ba253c9 in HTMLContentSink::ProcessSCRIPTEndTag (this=0x97dc00, content=0x14cb5f40, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:3135
#13 0x0ba2636f in SinkContext::CloseContainer (this=0xaaf4950, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:1022
#14 0x0ba28aad in HTMLContentSink::CloseContainer (this=0x97dc00, aTag=eHTMLTag_script) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/content/html/document/src/nsHTMLContentSink.cpp:2388
#15 0x14413600 in CNavDTD::CloseContainer (this=0x146ed450, aTag=eHTMLTag_script, aMalformed=0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:2797
#16 0x144143e0 in CNavDTD::HandleEndToken (this=0x146ed450, aToken=0xd948d0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:1676
#17 0x1441764c in CNavDTD::HandleToken (this=0x146ed450, aToken=0xd948d0, aParser=0x16b11580) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:760
#18 0x14410972 in CNavDTD::BuildModel (this=0x146ed450, aParser=0x16b11580, aTokenizer=0x14cad300, anObserver=0x0, aSink=0x97dc94) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/CNavDTD.cpp:332
#19 0x14422391 in nsParser::BuildModel (this=0x16b11580) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2375
#20 0x144278f0 in nsParser::ResumeParse (this=0x16b11580, allowIteration=1, aIsFinalChunk=0, aCanInterrupt=1) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2257
#21 0x144271ec in nsParser::OnDataAvailable (this=0x16b11580, request=0x16b20420, aContext=0x0, pIStream=0x16b8cfdc, sourceOffset=0, aLength=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/parser/htmlparser/src/nsParser.cpp:2904
#22 0x0cff096d in nsDocumentOpenInfo::OnDataAvailable (this=0xaa23cc0, request=0x16b20420, aCtxt=0x0, inStr=0x16b8cfdc, sourceOffset=0, count=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/uriloader/base/nsURILoader.cpp:306
#23 0x094439cc in nsBaseChannel::OnDataAvailable (this=0x16b203f0, request=0x15cee110, ctxt=0x0, stream=0x16b8cfdc, offset=0, count=10232) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsBaseChannel.cpp:708
#24 0x0945732b in nsInputStreamPump::OnStateTransfer (this=0x15cee110) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:508
#25 0x09457e34 in nsInputStreamPump::OnInputStreamReady (this=0x15cee110, stream=0x16b8cfdc) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/netwerk/base/src/nsInputStreamPump.cpp:398
#26 0x00516c4e in nsInputStreamReadyEvent::Run (this=0x14c56520) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/io/nsStreamUtils.cpp:111
#27 0x00549d0c in nsThread::ProcessNextEvent (this=0x715980, mayWait=0, result=0xbfffd4e4) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/xpcom/threads/nsThread.cpp:510
#28 0x004d2b1e in NS_ProcessPendingEvents_P (thread=0x715980, timeout=20) at nsThreadUtils.cpp:180
#29 0x098d48f9 in nsBaseAppShell::NativeEventCallback (this=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#30 0x0988b39a in nsAppShell::ProcessGeckoEvents (aInfo=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:412
#31 0x90ffa63f in CFRunLoopRunSpecific ()
#32 0x90ffacd8 in CFRunLoopRunInMode ()
#33 0x9356b2c0 in RunCurrentEventLoopInMode ()
#34 0x9356b012 in ReceiveNextEventCommon ()
#35 0x9356af4d in BlockUntilNextEventMatchingListInMode ()
#36 0x95a6cd7d in _DPSNextEvent ()
#37 0x95a6c630 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#38 0x95a6566b in -[NSApplication run] ()
#39 0x098887f4 in nsAppShell::Run (this=0x733130) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/widget/src/cocoa/nsAppShell.mm:723
#40 0x0a57d37a in nsAppStartup::Run (this=0x74f340) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:192
#41 0x0008198c in XRE_main (argc=1, argv=0xbfffea7c, aAppData=0x70edf0) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/toolkit/xre/nsAppRunner.cpp:3340
#42 0x000026e3 in main (argc=1, argv=0xbfffea7c) at /work/mozilla/builds/1.9.1-tracemonkey/mozilla/browser/app/nsBrowserApp.cpp:156
(gdb)

	Carsten Book [:Tomcat] Reporter
	Comment 5 • 16 years ago

another example topsite who exit with this fatal assertions are: bebo.com, web.de and gmx.net 

because web.de and gmx.net are very popular sites in germany i request blocking

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 6 • 16 years ago

The testcase, gmx.net, web.de and bebo.com all WFM with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre on a fresh profile.

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 7 • 16 years ago

(In reply to comment #6)
> The testcase, gmx.net, web.de and bebo.com all WFM with Mozilla/5.0 (Macintosh;
> U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre
> on a fresh profile.

My bad - I was testing the opt nightly binary.

	Brendan Eich [:brendan]
	Comment 8 • 16 years ago

Anyone bisect yet (Gary ;-)?

/be

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 9 • 16 years ago

This shell testcase asserts only if you parse it in as a parameter (i.e. ./js -j testcase.js), I didn't assert when I pasted into the shell.

$ ./js-dbg-tm-intelmac -j testcase.js 
Assertion failure: scope->shape == PCVCAP_SHAPE(entry->vcap), at ../jstracer.cpp:7476
Trace/BPT trap

	Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)
	Comment 10 • 16 years ago

autoBisect, who is one of our best friends, shows that this is probably related to bug 487204 :

The first bad revision is:
changeset:   27215:dccd96fc69cc
user:        Igor Bukanov
date:        Thu Apr 16 02:36:14 2009 +0200
summary:     bug 487204 - avoiding extra locks for js_Native(Get|Set). r=brendan

	Brendan Eich [:brendan]
	Comment 11 • 16 years ago

What about a non-debug build? Was this bug more than a bogus assertion botch bug?

/be

	Brendan Eich [:brendan]
	Comment 12 • 16 years ago

Fixed by back-out of patch for bug 487204.

/be

	Carsten Book [:Tomcat] Reporter
	Comment 13 • 16 years ago

verified

	Robert Sayre
	Comment 14 • 16 years ago

should be ok, but needs to be verified.

	Henrik Skupin [:whimboo][⌚️UTC+2]
	Comment 15 • 16 years ago

Verified fixed with xpcshell testcase and the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre)
Gecko/20090522 Minefield/3.6a1pre ID:20090522133810

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre)
Gecko/20090522 Shiretoko/3.5pre ID:20090522153422

	Damon Sicore (:damons)
	Comment 16 • 15 years ago

Would have blocked.