Closed Bug 518830 Opened 15 years ago Closed 15 years ago

ShareThis triggers SIGABRT with "Assertion failure: v == LOCKED_OBJ_GET_SLOT(pobj, sprop->slot)"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 517637
Tracking Status
blocking2.0 --- alpha1+

People

(Reporter: joelr, Unassigned)

Details

(Keywords: assertion)

Attachments

(4 files, 2 obsolete files)

Assertion failure: v == LOCKED_OBJ_GET_SLOT(pobj, sprop->slot), at ../../../mozilla-central/js/src/jsinterp.cpp:201

Program received signal SIGABRT, Aborted.
0x00007fff831f1ff6 in __kill ()
(gdb) where
#0  0x00007fff831f1ff6 in __kill ()
#1  0x00007fff83293072 in abort ()
#2  0x00000001038121e8 in JS_Assert (s=Could not find the frame base for "JS_Assert".
) at ../../../mozilla-central/js/src/jsutil.cpp:69
#3  0x000000010378f1a6 in js_FillPropertyCache (cx=0x122b5a310, obj=0x11ab7eb80, scopeIndex=0, protoIndex=0, pobj=0x11ab7eb80, sprop=0x11eb8f098, adding=0) at jsinterp.cpp:201
#4  0x00000001037a34be in js_GetPropertyHelper (cx=0x122b5a310, obj=0x11ab7eb80, id=4682477684, getHow=3, vp=0x7fff5fbfa1e0) at ../../../mozilla-central/js/src/jsobj.cpp:4424
#5  0x00000001037a359f in js_GetMethod (cx=0x122b5a310, obj=0x11ab7eb80, id=4682477684, getHow=3, vp=0x7fff5fbfa1e0) at ../../../mozilla-central/js/src/jsobj.cpp:4447
#6  0x0000000103774ce2 in js_Interpret (cx=0x122b5a310) at jsops.cpp:1627
#7  0x000000010378deef in js_Invoke (cx=0x122b5a310, argc=0, vp=0x1042a98a0, flags=0) at jsinterp.cpp:1385
#8  0x000000010374feee in js_fun_apply (cx=0x122b5a310, argc=0, vp=0x1042a9830) at ../../../mozilla-central/js/src/jsfun.cpp:2072
#9  0x000000010377889a in js_Interpret (cx=0x122b5a310) at jsops.cpp:2235
#10 0x000000010378deef in js_Invoke (cx=0x122b5a310, argc=3, vp=0x1042a9610, flags=0) at jsinterp.cpp:1385
#11 0x0000000103713cb2 in array_extra (cx=0x122b5a310, mode=FOREACH, argc=3, vp=0x1042a95c0) at ../../../mozilla-central/js/src/jsarray.cpp:3219
#12 0x0000000103714028 in array_forEach (cx=0x122b5a310, argc=2, vp=0x1042a95c0) at ../../../mozilla-central/js/src/jsarray.cpp:3275
#13 0x000000010377889a in js_Interpret (cx=0x122b5a310) at jsops.cpp:2235
#14 0x000000010378deef in js_Invoke (cx=0x122b5a310, argc=0, vp=0x1042a94b8, flags=0) at jsinterp.cpp:1385
#15 0x000000010374fb55 in js_fun_call (cx=0x122b5a310, argc=0, vp=0x1042a9450) at ../../../mozilla-central/js/src/jsfun.cpp:1981
#16 0x000000010377889a in js_Interpret (cx=0x122b5a310) at jsops.cpp:2235
#17 0x000000010378deef in js_Invoke (cx=0x122b5a310, argc=1, vp=0x1042a9438, flags=0) at jsinterp.cpp:1385
#18 0x000000010008d3a0 in nsXPCWrappedJSClass::CallMethod (this=0x117b067c0, wrapper=0x11e2e37e0, methodIndex=3, info=0x10416d690, nativeParams=0x7fff5fbfcd50) at ../../../../../mozilla-central/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1671
#19 0x0000000100084829 in nsXPCWrappedJS::CallMethod (this=0x11e2e37e0, methodIndex=3, info=0x10416d690, params=0x7fff5fbfcd50) at ../../../../../mozilla-central/js/src/xpconnect/src/xpcwrappedjs.cpp:570
#20 0x00000001011bf832 in PrepareAndDispatch (self=0x11d40fc20, methodIndex=3, args=0x7fff5fbfcec0, gpregs=0x7fff5fbfce40, fpregs=0x7fff5fbfce70) at ../../../../../../../mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
#21 0x00000001011be2ab in SharedStub () at xpt_struct.h:332
#22 0x0000000100721fc9 in nsEventListenerManager::HandleEventSubType (this=0x12305d2f0, aListenerStruct=0x1169579d8, aListener=0x11d40fc20, aDOMEvent=0x122ab0a20, aCurrentTarget=0x10466fe00, aPhaseFlags=6) at ../../../../mozilla-central/content/events/src/nsEventListenerManager.cpp:1034
#23 0x0000000100722516 in nsEventListenerManager::HandleEvent (this=0x12305d2f0, aPresContext=0x12369bed0, aEvent=0x122d32230, aDOMEvent=0x7fff5fbfd2a0, aCurrentTarget=0x10466fe00, aFlags=6, aEventStatus=0x7fff5fbfd2a8) at ../../../../mozilla-central/content/events/src/nsEventListenerManager.cpp:1140
#24 0x000000010074d7cc in nsEventTargetChainItem::HandleEvent (this=0x1041e5b00, aVisitor=@0x7fff5fbfd290, aFlags=6, aMayHaveNewListenerManagers=1) at ../../../../mozilla-central/content/events/src/nsEventDispatcher.cpp:244
#25 0x000000010074db19 in nsEventTargetChainItem::HandleEventTargetChain (this=0x1041e5898, aVisitor=@0x7fff5fbfd290, aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=1) at ../../../../mozilla-central/content/events/src/nsEventDispatcher.cpp:308
#26 0x000000010074e36e in nsEventDispatcher::Dispatch (aTarget=0x10466fe00, aPresContext=0x12369bed0, aEvent=0x122d32230, aDOMEvent=0x122ab0a20, aEventStatus=0x7fff5fbfd3ec, aCallback=0x0) at ../../../../mozilla-central/content/events/src/nsEventDispatcher.cpp:539
#27 0x000000010074e6c5 in nsEventDispatcher::DispatchDOMEvent (aTarget=0x10466fe00, aEvent=0x0, aDOMEvent=0x122ab0a20, aPresContext=0x12369bed0, aEventStatus=0x7fff5fbfd3ec) at ../../../../mozilla-central/content/events/src/nsEventDispatcher.cpp:601
#28 0x0000000100659d9c in nsDocument::DispatchEvent (this=0x10466fe00, aEvent=0x122ab0a20, _retval=0x7fff5fbfd4c4) at ../../../../mozilla-central/content/base/src/nsDocument.cpp:6206
#29 0x000000010062cec1 in nsContentUtils::DispatchTrustedEvent (aDoc=0x10466fe00, aTarget=0x10466fe00, aEventName=@0x7fff5fbfd530, aCanBubble=1, aCancelable=1, aDefaultAction=0x0) at ../../../../mozilla-central/content/base/src/nsContentUtils.cpp:3215
#30 0x0000000100662e72 in nsDocument::DispatchContentLoadedEvents (this=0x10466fe00) at ../../../../mozilla-central/content/base/src/nsDocument.cpp:3948
#31 0x000000010067219d in nsRunnableMethod<nsDocument, void>::Run (this=0x11e1ca030) at nsThreadUtils.h:264
#32 0x00000001011a509a in nsThread::ProcessNextEvent (this=0x105106530, mayWait=0, result=0x7fff5fbfd6e4) at ../../../mozilla-central/xpcom/threads/nsThread.cpp:527
#33 0x00000001011364b3 in NS_ProcessPendingEvents_P (thread=0x105106530, timeout=20) at nsThreadUtils.cpp:180
#34 0x00000001010bd3d4 in nsBaseAppShell::NativeEventCallback (this=0x103f26a60) at ../../../../mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:121
#35 0x000000010107d1d8 in nsAppShell::ProcessGeckoEvents (aInfo=0x103f26a60) at ../../../../mozilla-central/widget/src/cocoa/nsAppShell.mm:413
#36 0x00007fff87bf6281 in __CFRunLoopDoSources0 ()
#37 0x00007fff87bf4879 in __CFRunLoopRun ()
#38 0x00007fff87bf403f in CFRunLoopRunSpecific ()
#39 0x00007fff8626bc4e in RunCurrentEventLoopInMode ()
#40 0x00007fff8626b9b1 in ReceiveNextEventCommon ()
#41 0x00007fff8626b90c in BlockUntilNextEventMatchingListInMode ()
#42 0x00007fff80f37520 in _DPSNextEvent ()
#43 0x00007fff80f36e89 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#44 0x00007fff80efca7d in -[NSApplication run] ()
#45 0x000000010107bb8d in nsAppShell::Run (this=0x103f26a60) at ../../../../mozilla-central/widget/src/cocoa/nsAppShell.mm:766
#46 0x0000000100e2191a in nsAppStartup::Run (this=0x10514d230) at ../../../../../mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:182
#47 0x0000000100024088 in XRE_main (argc=5, argv=0x7fff5fbff2c0, aAppData=0x105100430) at ../../../mozilla-central/toolkit/xre/nsAppRunner.cpp:3418
#48 0x00000001000011ed in main (argc=5, argv=0x7fff5fbff2c0) at ../../../mozilla-central/browser/app/nsBrowserApp.cpp:156
(gdb)
Assignee: joelr → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Summary: Could not find the frame base for "JS_Assert" (Snow Leopard) → SIGABRT: Assertion failure: v == LOCKED_OBJ_GET_SLOT(pobj, sprop->slot) (Snow Leopard)
(gdb) p DumpJSStack() 
0 anonymous(pageNum = 0) ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    element = http://www.linkedin.com/shareArticle?mini=true&url=&title=&summary=&source=
    i = 10
    itemsPerPage = 12
    groupDiv = [object HTMLDivElement @ 0x11f7cd140 (native @ 0x11f4ef330)]
    data = [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
    this = [object Object]
1 anonymous() ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    view = [object HTMLDivElement @ 0x11f1e1680 (native @ 0x11f5750c0)]
    this = [object Object]
2 anonymous(contents = [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]) ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    this = [object Object]
3 createSwList() ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    respectUserPrefs = false
    publisherPrefs = facebook,stumbleupon,google_bmarks,slashdot,delicious,reddit,technorati,mixx,yahoo_bmarks,yahoo_myweb,yahoo_buzz,windows_live,linkedin
    userPrefs = 
    defaultServices = myspace,digg,windows_live,delicious,stumbleupon,reddit,google_bmarks,linkedin,bebo,ybuzz,blogger,yahoo_bmarks,mixx,technorati,friendfeed,propeller,wordpress,newsvine,xanga,blinklist,twine,twackle,diigo,fark,faves,mister_wong,current,livejournal,kirtsy,slashdot,oknotizie,care2,meneame,simpy,blogmarks,n4g,bus_exchange,funp,sphinn,fresqui,dealsplus,typepad,yigg
    defaultServicesCSV = "myspace,digg,sms,windows_live,delicious,stumbleupon,reddit,google_bmarks,linkedin,bebo,ybuzz,blogger,yahoo_bmarks,mixx,technorati,friendfeed,propeller,wordpress,newsvine,xanga,blinklist,twine,twackle,diigo,fark,faves,mister_wong,current,livejournal,kirtsy,slashdot,oknotizie,care2,aim,meneame,simpy,blogmarks,n4g,bus_exchange,funp,sphinn,fresqui,dealsplus,typepad,yigg"
    carouselItems = [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
4 tab_servicesChanged() ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    newServices = myspace,digg,windows_live,delicious,stumbleupon,reddit,google_bmarks,linkedin,bebo,ybuzz,blogger,yahoo_bmarks,mixx,technorati,friendfeed,propeller,wordpress,newsvine,xanga,blinklist,twine,twackle,diigo,fark,faves,mister_wong,current,livejournal,kirtsy,slashdot,oknotizie,care2,meneame,simpy,blogmarks,n4g,bus_exchange,funp,sphinn,fresqui,dealsplus,typepad,yigg
    i = 2
    aim = false
    sms = false
    email = false
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
5 setGlobals(value = "web,post", strArg = "tabs") ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    answer = ""
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
6 processBuffer() ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    request = undefined
    i = 8
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
7 anonymous() ["http://w.sharethis.com/share3x/js/all.4.2.0-rc1.js":1]
    authCookie = undefined
    a = undefined
    html_str = "try{var pageTracker = _gat._getTracker("UA-1645146-9");pageTracker._trackPageview();} catch(err) {}"
    newScript = [object HTMLScriptElement @ 0x11f4cc2d0 (native @ 0x11f4cc1f0)]
    headID = [object HTMLHeadElement @ 0x11ede2d00 (native @ 0x11f3b0100)]
    gaJsHost = "http://www."
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
8 anonymous() ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
9 anonymous(event = undefined) ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    returns = [function]
    args = 
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
10 anonymous(fn = [function], 0, [function]) ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
11 anonymous(delay = undefined, args = undefined, type = "domready") ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    events = [object Object]
    this = [object Window @ 0x11f3bcd70 (native @ 0x11f3bafc8)]
12 anonymous() ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    this = [object HTMLDocument @ 0x11f3d5770 (native @ 0x12073e200)]
13 anonymous([object Event @ 0x11f5acfa0 (native @ 0x11f583b50)]) ["http://w.sharethis.com/share3x/js/mootools-1.2.1-core-nc.js":1]
    this = [object HTMLDocument @ 0x11f3d5770 (native @ 0x12073e200)]
$1 = void
No longer blocks: 468509
Do we know when this started happening?
Blocks: 468509
This is not specific to Snow Leopard or x86-64. It happens to bz on Leopard and it happens to me in x86-32.

I stumbled upon this issue today via Google News.
So when we get here, v is the JSObject living inside a JSFunction.  sprop->slot is 3; pobj->fslots[3] is a function JSObject whose private is v.

I tried doing "save page, complete" on the page, but then the bug doesn't appear (perhaps the exceptions I hit locally preclude it being seen)...  So testcase might go away any minute.  :(
I tried reproducing the problem with the link in comment #2, using builds from 8/01 on, and I could not reproduce the crash on Snow Leopard.
I know bz was able to reproduce on Leopard and I'm able to consistently reproduce with a 64-bit version on Snow Leopard x86-64. I did not get a crash with a 32-bit version.

I would like someone to guide me through troubleshooting and fixing this before the page goes away.

Unfortunately, I cannot save the page because save is broken for me on Snow Leopard :-(. Been like this for a while now.
Juan, were you testing with a debug build?  This is not a crash, really; this is a fatal assertion.  If you're using nightlies, you won't see it.
The 32-bit build where I cannot reproduce is not a debug build, that's the reason.
I was able to save a complete page but the assertion is not triggered upon load. I think this may be the reason:

JavaScript error: file:///Users/joelr/Downloads/verizon_scraps_palm_pre_plans_report_says_files/diggthis_data/omnidiggthis.js, line 20: $ is not defined
JavaScript error: http://media.digg.com/js/loader/262/omnidiggthis, line 20: $ is not defined
JavaScript error: http://media.digg.com/js/loader/262/omnidiggthis, line 20: $ is not defined
Attached file Saved page (complete) (deleted)
No longer blocks: 468509
I'm still bisecting using m-c debug builds, but it's certainly been narrowed to within the Sept 16 merge from t-m, and in particular to http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=7b89f2e27f31c8971a9223870a01f946372326fb&tochange=04371d453c99f9644145c4fb7cba6c442e46586b so far.
Still bisecting, but my money is on bug 471214
Attached file HTML for said testcase (obsolete) (deleted)
Yes, the garbage after the '#' in the script src is relevant (though perhaps not all of it).
OK, that's not self-contained; it performs loads via an iframe.
Attachment #402984 - Attachment is obsolete: true
Attachment #402985 - Attachment is obsolete: true
Attached file HTML for testcase (deleted)
Bisect done:
The first bad revision is:
changeset:   32658:842e6c09e35a
user:        Brendan Eich <brendan@mozilla.org>
date:        Thu Sep 03 14:41:19 2009 -0700
summary:     Join lambdas assigned or initialized as methods to the compiler-created function object if we can, with a read barrier to clone on method value extractions other than call expressions (471214, r=jorendorff).
Blocks: 471214
So now (on that last testcase) |v| is a JSFunction* which has u.i->script looking like this:

  filename = 0x1e7e3521 "https://bug518830.bugzilla.mozilla.org/attachment.cgi?id=402992", 
  lineno = 4497, 

That line looks like so:

             getContent: function () {
               return widget.getDummyServiceLink()
             }
Jesse, Gary, want to try reducing this thing further?
blocking2.0: --- → ?
Keywords: assertion
Summary: SIGABRT: Assertion failure: v == LOCKED_OBJ_GET_SLOT(pobj, sprop->slot) (Snow Leopard) → ShareThis triggers SIGABRT with "Assertion failure: v == LOCKED_OBJ_GET_SLOT(pobj, sprop->slot)"
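The bisected changeset joins lambdas initialized as methods to the compiler-created function object and clones on extraction; the checks below are an added example (not from this bug, its attachments or the Mozilla test suite) that spell out the script-visible identity guarantees such an optimization has to preserve. `makeService`, `checkMethodIdentity` and the widget objects are constructed for illustration; this is not the reduced testcase and is not claimed to trigger the assertion.

```javascript
'use strict';

// Constructed factory, modelled on the object-literal method quoted above.
// `makeService` and the widget objects are hypothetical, not ShareThis code.
function makeService(widget) {
  return {
    getContent: function () {
      return widget.getDummyServiceLink();
    }
  };
}

// Returns a list of violated invariants; an empty list means all hold.
function checkMethodIdentity() {
  const failures = [];
  const expect = (cond, msg) => { if (!cond) failures.push(msg); };

  const a = makeService({ getDummyServiceLink: () => 'link-A' });
  const b = makeService({ getDummyServiceLink: () => 'link-B' });

  // 1. Plain call expressions.
  expect(a.getContent() === 'link-A', 'call on a returned wrong value');
  expect(b.getContent() === 'link-B', 'call on b returned wrong value');

  // 2. Extraction that is not a call: the value read must be the value the
  //    property holds on every later read.
  const extracted = a.getContent;
  expect(extracted === a.getContent, 'extracted value differs from later read');
  expect(Object.getOwnPropertyDescriptor(a, 'getContent').value === extracted,
         'descriptor value differs from extracted value');

  // 3. Each evaluation of the literal yields its own function object.
  expect(a.getContent !== b.getContent, 'function object shared across objects');

  // 4. A property set on the extracted function is seen through the object
  //    and does not leak to the other object's method.
  extracted.tag = 'a-only';
  expect(a.getContent.tag === 'a-only', 'expando not visible through a');
  expect(b.getContent.tag === undefined, 'expando leaked to b');

  // 5. Extraction followed by apply inside forEach, the call shape visible
  //    in the native backtrace (array_forEach, js_fun_apply).
  const results = [];
  [a, b].forEach(function (svc) {
    const m = svc.getContent;
    results.push(m.apply(svc));
  });
  expect(results.join(',') === 'link-A,link-B', 'apply after extraction failed');

  return failures;
}
```

Any entry in the returned list names the identity guarantee that failed, so the script can be run in a debug build's shell as a quick sanity check alongside the real testcase.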
On t-m, I do NOT see this bug.  I suppose I should bisect to figure out why....
How about bug 517637, a bug that blocks bug 471214?

/be
Rob said he was gonna merge tm to m-c.

/be
(In reply to comment #26)
> Rob said he was gonna merge tm to m-c.

just did
Patch for bug 517637 fixes the original site and the testcases I attached.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
blocking2.0: ? → alpha1
Flags: in-testsuite?