Closed Bug 568276 Opened 14 years ago Closed 14 years ago

Assertion failure: entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG, at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2738

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- beta8+
blocking1.9.2 --- -
status1.9.1 --- unaffected

People

(Reporter: cjones, Assigned: cdleary)

References


Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey (by bug 558451))

Attachments

(1 file)

This was while loading the "new interface" in a background tab.  Will try to reproduce in a moment. 

(gdb) bt
#0  0x00007fb66726c471 in nanosleep () from /lib/libc.so.6
#1  0x00007fb66726c2c0 in __sleep (seconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007fb66bbd60c3 in ah_crap_handler (signum=6) at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007fb66bbdae0d in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fffbe9b9df0, context=0x7fffbe9b9cc0) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x00007fb66e87e05b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6  0x00007fb66b26e558 in JS_Assert (s=0x7fb66b335730 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x7fb66b334ba0 "/home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp", ln=2738) at /home/cjones/mozilla/mozilla-central/js/src/jsutil.cpp:80
#7  0x00007fb66b186353 in HashLocalName (cx=0x3240130, map=0x7fb644cf5d10, name=0x7fb66b5bdd44, localKind=JSLOCAL_VAR, index=13) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2738
#8  0x00007fb66b186881 in js_AddLocal (cx=0x3240130, fun=0x7fb63b5a68c0, atom=0x7fb66b5bdd44, kind=JSLOCAL_VAR) at /home/cjones/mozilla/mozilla-central/js/src/jsfun.cpp:2860
#9  0x00007fb66b20bb49 in js::Parser::functionDef (this=0x7fffbe9bb2d0, lambda=0, namePermitted=true) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2677
#10 0x00007fb66b20c672 in js::Parser::functionStmt (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2965
#11 0x00007fb66b210577 in js::Parser::statement (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:4513
#12 0x00007fb66b20c8af in js::Parser::statements (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:3040
#13 0x00007fb66b2085cc in js::Parser::functionBody (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:1247
#14 0x00007fb66b20c176 in js::Parser::functionDef (this=0x7fffbe9bb2d0, lambda=8, namePermitted=true) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2829
#15 0x00007fb66b20c696 in js::Parser::functionExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:2971
#16 0x00007fb66b2196f7 in js::Parser::primaryExpr (this=0x7fffbe9bb2d0, tt=js::TOK_FUNCTION, afterDot=0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:7740
#17 0x00007fb66b21750a in js::Parser::memberExpr (this=0x7fffbe9bb2d0, allowCallSyntax=1) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6879
#18 0x00007fb66b2158a1 in js::Parser::unaryExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6252
#19 0x00007fb66b21513f in js::Parser::mulExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6093
#20 0x00007fb66b215059 in js::Parser::addExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6079
#21 0x00007fb66b214fad in js::Parser::shiftExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6068
#22 0x00007fb66b214e89 in js::Parser::relExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6046
#23 0x00007fb66b214dad in js::Parser::eqExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6027
#24 0x00007fb66b214d13 in js::Parser::bitAndExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6018
#25 0x00007fb66b214c79 in js::Parser::bitXorExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:6008
#26 0x00007fb66b214bdf in js::Parser::bitOrExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5999
#27 0x00007fb66b214b45 in js::Parser::andExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5990
#28 0x00007fb66b214aab in js::Parser::orExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5981
#29 0x00007fb66b214906 in js::Parser::condExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5946
#30 0x00007fb66b2145e4 in js::Parser::assignExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5868
#31 0x00007fb66b214844 in js::Parser::assignExpr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5923
#32 0x00007fb66b2143f9 in js::Parser::expr (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5832
#33 0x00007fb66b2135cb in js::Parser::statement (this=0x7fffbe9bb2d0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:5554
#34 0x00007fb66b207617 in js::Compiler::compileScript (cx=0x3240130, scopeChain=0x7fb641d62a80, callerFrame=0x0, principals=0x7fb644288a58, tcflags=24576, chars=0x7fb64fdd9018, length=815558, file=0x0, filename=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., lineno=1, source=0x0, staticLevel=0) at /home/cjones/mozilla/mozilla-central/js/src/jsparse.cpp:840
#35 0x00007fb66b12e56d in JS_EvaluateUCScriptForPrincipals (cx=0x3240130, obj=0x7fb641d62a80, principals=0x7fb644288a58, chars=0x7fb64fdd9018, length=815558, filename=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., lineno=1, rval=0x0) at /home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:4905
#36 0x00007fb66c4c264f in nsJSContext::EvaluateString (this=0x32400c0, aScript=..., aScopeObject=0x7fb641d62a80, aPrincipal=0x7fb644288a50, aURL=0x7fb6440af998 "http://mail.yimg.com/d/combo?/gx/t8a/js/yui_loader/ba87c64b1f20e3e7898b0dc28b2173a6_1.js&/gx/t8a/js/combo/init/us/d1290a63976b96e8e785156d6a6037d2_1.js&/gx/t7a/js/combo/init/us/ycw_gx_1.js&/pim/r/dcli"..., aLineNo=1, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffbe9bb790) at /home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:1779
#37 0x00007fb66c25618c in nsScriptLoader::EvaluateScript (this=0x7fb6443c3780, aRequest=0x7fb64409b1d0, aScript=...) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:752
#38 0x00007fb66c255b38 in nsScriptLoader::ProcessRequest (this=0x7fb6443c3780, aRequest=0x7fb64409b1d0) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:665
#39 0x00007fb66c2565e6 in nsScriptLoader::ProcessPendingRequests (this=0x7fb6443c3780) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:825
#40 0x00007fb66c257069 in nsScriptLoader::OnStreamComplete (this=0x7fb6443c3780, aLoader=0x7fb64435dde0, aContext=0x7fb64409b1d0, aStatus=0, aStringLen=815637, aString=0x7fb6447eb890 "if(typeof YAHOO==\"undefined\"||!YAHOO){var YAHOO={}}YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c=(\"\"+a[d]).split(\".\");b=YAHOO;for(e=(c[0]==\"YAHOO\")?1:0;e<c.length"...) at /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp:1013
#41 0x00007fb66bc51fa3 in nsStreamLoader::OnStopRequest (this=0x7fb64435dde0, request=0x7fb6442d99d0, ctxt=0x7fb64409b1d0, aStatus=0) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsStreamLoader.cpp:125
#42 0x00007fb66bc7708e in nsHTTPCompressConv::OnStopRequest (this=0x7fb6440d1700, request=0x7fb6442d99d0, aContext=0x7fb64409b1d0, aStatus=0) at /home/cjones/mozilla/mozilla-central/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:127
#43 0x00007fb66bc50d72 in nsStreamListenerTee::OnStopRequest (this=0x7fb6440dfed0, request=0x7fb6442d99d0, context=0x7fb64409b1d0, status=0) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:71
#44 0x00007fb66bd14968 in nsHttpChannel::OnStopRequest (this=0x7fb6442d9980, request=0x7fb6440fca70, ctxt=0x0, status=0) at /home/cjones/mozilla/mozilla-central/netwerk/protocol/http/src/nsHttpChannel.cpp:5321
#45 0x00007fb66bc183c2 in nsInputStreamPump::OnStateStop (this=0x7fb6440fca70) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:578
#46 0x00007fb66bc17c58 in nsInputStreamPump::OnInputStreamReady (this=0x7fb6440fca70, stream=0x7fb644660cd8) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:403
#47 0x00007fb66d0be679 in nsInputStreamReadyEvent::Run (this=0x7fb6444d29e0) at /home/cjones/mozilla/mozilla-central/xpcom/io/nsStreamUtils.cpp:112
#48 0x00007fb66d0ec839 in nsThread::ProcessNextEvent (this=0x10e3fd0, mayWait=1, result=0x7fffbe9bbc5c) at /home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:547


There's a lot of stdout/stderr right before the crash that might be relevant

JavaScript error: https://login.yahoo.com/config/login?, line 985: toCheck is undefined
++DOMWINDOW == 29 (0x3558b90) [serial = 43] [outer = 0x323fd60]
++DOMWINDOW == 30 (0x3317910) [serial = 44] [outer = 0x323fd60]
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'.  See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'.  See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'.  See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
WARNING: 1 sort operation has occurred for the SQL statement '0x2d07ca8'.  See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/cjones/mozilla/mozilla-central/storage/src/mozStoragePrivateHelpers.cpp, line 131
++DOMWINDOW == 31 (0x7fb6440ee790) [serial = 45] [outer = 0x323fd60]
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427
WARNING: No script language registered for this mime-type: file /home/cjones/mozilla/mozilla-central/dom/base/nsDOMScriptObjectFactory.cpp, line 159
WARNING: Failed to find a scripting language: file /home/cjones/mozilla/mozilla-central/content/base/src/nsScriptLoader.cpp, line 427


This is with a debug build of http://hg.mozilla.org/rev/13b292f9ab79
This is 100% reproducible for me on mail.yahoo.com.
Need an owner -- assertbotches are must-fix-before-shipping (if not sooner).

/be
I'll take it.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Reproducible on tracemonkey tip.

I constructed this example:

function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }

Scenario: A top-level function declaration is inside a function body where a local is already defined as an argument (|a| in this example), and there are more than MAX_ARRAY_LOCALS locals, which hits HashLocalName on an atom that has previously been defined.

The assertion posits that the only duplicated identifiers in the locals map are arguments (which I didn't realize JS permitted!), and the function has to be added as a local for BindNameToSlot to work on it, so the addition is in violation.

Talk about state space! Will have a patch once I analyze the rest of the invocation sites -- we don't want to leave YUI broken in debug mode, if that's what this part of the big minified blob is.

(Note to future self: minified code is annoying -- make some better jschar* dumping functions...)
js> function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }
Assertion failure: entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG, at ../jsfun.cpp:2716

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb5d in JS_Assert (s=0x1e97b0 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x1e93eb "../jsfun.cpp", ln=2716) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) 
(gdb) bt
#0  0x0014fb5d in JS_Assert (s=0x1e97b0 "entry->localKind == JSLOCAL_ARG && localKind == JSLOCAL_ARG", file=0x1e93eb "../jsfun.cpp", ln=2716) at ../jsutil.cpp:77
#1  0x0006c328 in HashLocalName (cx=0x809200, map=0x40cb80, name=0x20bd54, localKind=JSLOCAL_VAR, index=8) at ../jsfun.cpp:2716
#2  0x0006c8f6 in js_AddLocal (cx=0x809200, fun=0x10049d8, atom=0x20bd54, kind=JSLOCAL_VAR) at ../jsfun.cpp:2838
#3  0x000f976f in js::Parser::functionDef (this=0xbffff43c, lambda=0, namePermitted=true) at ../jsparse.cpp:2672
#4  0x00100d77 in js::Parser::functionStmt (this=0xbffff43c) at ../jsparse.cpp:2960
#5  0x000f5aac in js::Parser::statement (this=0xbffff43c) at ../jsparse.cpp:4498
#6  0x000f8e50 in js::Parser::statements (this=0xbffff43c) at ../jsparse.cpp:3035
#7  0x000f903a in js::Parser::functionBody (this=0xbffff43c) at ../jsparse.cpp:1242
#8  0x000f9d6c in js::Parser::functionDef (this=0xbffff43c, lambda=0, namePermitted=true) at ../jsparse.cpp:2824
#9  0x00100d77 in js::Parser::functionStmt (this=0xbffff43c) at ../jsparse.cpp:2960
#10 0x000f5aac in js::Parser::statement (this=0xbffff43c) at ../jsparse.cpp:4498
#11 0x000f8e50 in js::Parser::statements (this=0xbffff43c) at ../jsparse.cpp:3035
#12 0x00100dce in js::Parser::parse (this=0xbffff43c, chain=0x1002000) at ../jsparse.cpp:677
#13 0x00016d25 in JS_BufferIsCompilableUnit (cx=0x809200, obj=0x1002000, bytes=0x40c750 "function outer(a) { var b, c, d, e, f, g, h, i; function a() {} }", length=65) at ../jsapi.cpp:4479
#14 0x000098c2 in Process (cx=0x809200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:452
#15 0x0000a369 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff7ec, argc=1) at ../../shell/js.cpp:843
#16 0x0000a482 in shell (cx=0x809200, argc=1, argv=0xbffff7ec, envp=0xbffff7f4) at ../../shell/js.cpp:5025
#17 0x0000a5a6 in main (argc=1, argv=0xbffff7ec, envp=0xbffff7f4) at ../../shell/js.cpp:5112
blocking2.0: --- → ?
Keywords: regression, testcase
OS: Linux → All
Hardware: x86_64 → All
Version: unspecified → Trunk
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   35287:6708e8f357f2
user:        Jim Blandy
date:        Thu Nov 26 10:23:52 2009 -0800
summary:     Bug 499524: Always check for duplicates when destructuring params are present. r=igor
Blocks: 499524
JS assertions are critical.
Severity: normal → critical
Duplicate formals are an ES1 botch, something not in Netscape, something that the Microsoft rep insisted on. I don't recall why (maybe just because JScript allowed them). They are a blight on the spec and on all implementations.

/be
blocking2.0: ? → betaN+
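An added regression check, written for this page and not the bug's attached trace test or SpiderMonkey's own code, that exercises the two points raised above: cdleary's constructed case, where a body-level function declaration shares a parameter's name, and Brendan's remark that duplicate formals are legal. Because the value of MAX_ARRAY_LOCALS is not stated on the page, the check sweeps across local counts instead of targeting one threshold; it assumes a Node-style JavaScript host.

```javascript
// Builds: function outer(a) { var v0, v1, ..., v<n-1>; function a() {} return a; }
// The local count is a parameter so the same shape can be tested above and
// below whatever array-vs-hash threshold an engine uses internally.
function buildShadowingFunction(numLocals) {
  const locals = Array.from({ length: numLocals }, (_, i) => "v" + i);
  const body =
    (locals.length ? "var " + locals.join(", ") + ";" : "") +
    " function a() {} return a;";
  // new Function compiles the source fresh, like a script, so the parser path
  // is exercised on every call rather than once at module load.
  return new Function("a", body);
}

// ECMAScript semantics: a body-level function declaration named like a
// parameter replaces the parameter's binding, so calling outer(42) must return
// the function, not 42, regardless of how many other locals are declared.
function shadowsParameter(numLocals) {
  const outer = buildShadowingFunction(numLocals);
  return typeof outer(42) === "function";
}

// Duplicate formal parameters are legal in sloppy mode; the last one wins.
function lastDuplicateWins() {
  const f = new Function("a", "a", "return a;");
  return f(1, 2);
}

// Strict mode rejects duplicate formals at compile time with a SyntaxError.
function strictRejectsDuplicates() {
  try {
    new Function("a", "a", "'use strict'; return a;");
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Sweeps local counts from 0 to maxLocals (constructed range, chosen to cover
// well past the eight locals in the comment's testcase) and returns the counts
// for which the shadowing semantics were NOT preserved. Empty means pass.
function sweep(maxLocals) {
  const failures = [];
  for (let n = 0; n <= maxLocals; n++) {
    if (!shadowsParameter(n)) failures.push(n);
  }
  return failures;
}
```

In a debug SpiderMonkey build of the affected revision, the bug surfaced as an assertion rather than a wrong result; on a release build the sweep turns a silently mis-bound name into a visible failure.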
Attached patch Trace test. (deleted) — Splinter Review
This bug became obsolete when the JSScope removal happened, since variable data became stored in the shape tree: http://hg.mozilla.org/tracemonkey/rev/e5958cd4a135

Nice complexity reduction!
Attachment #484249 - Flags: review?(brendan)
blocking2.0: betaN+ → beta8+
Attachment #484249 - Flags: review?(brendan) → review+
http://hg.mozilla.org/mozilla-central/rev/053d66804a49
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I can reproduce this assertion on 1.9.2 linux/mac at least on http://www.arabianbusiness.com/ste-unique-opportunity-for-middle-east-354164.html

file new bug?
(In reply to comment #13)
> I can reproduce this assertion on 1.9.2 linux/mac at least on
> http://www.arabianbusiness.com/ste-unique-opportunity-for-middle-east-354164.html
> 
> file new bug?

The fuzzers find this too.

Bug 558451 fixed this, but it seems like a large patch that shouldn't be backported unless there are compelling reasons.
blocking1.9.2: --- → ?
Unless there's more evidence of a security problem we don't want to take the fix for bug 558451 on the 1.9.2 branch.
blocking1.9.2: ? → -
Depends on: 558451
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey (by bug 558451)
just for reference on the 1.9.2 branch this is also reproducible on http://www.tudou.com/playlist/p/a65404.html?iid=71677615
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug568276.js.
Flags: in-testsuite+