Closed Bug 571744 Opened 14 years ago Closed 14 years ago

TM: "Assertion failure: slot < (uint32)dslots[-1]," with delete, gc

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking


VERIFIED FIXED
mozilla1.9.3a5
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: brendan)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][critsmash:investigating] fixed-in-tracemonkey)

Attachments

(1 file)

for each(w in [0, 0, this]) { w.y = NaN; delete w.y; gc() }

asserts js debug shell on TM tip with -j at Assertion failure: slot < (uint32)dslots[-1], at ../jsobj.h:319

s-s because this involves gc. Assuming [sg:critical?] unless otherwise noted.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   42772:fc98415b2fad
user:        Brendan Eich
date:        Tue Jun 01 19:42:37 2010 -0700
summary:     Trace JSOP_DEL{PROP,ELEM} (523452, r=gal).

===

(gdb) bt
#0  0x0012d422 in __kernel_vsyscall ()
#1  0x0013c230 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x08166565 in JS_Assert (s=0x8239021 "slot < (uint32)dslots[-1]", file=0x8239016 "../jsobj.h", ln=319) at ../jsutil.cpp:80
#3  0x081bae12 in JSObject::getSlotRef (this=0xb7a02000, slot=179) at ../jsobj.h:320
#4  0x081b8a19 in VisitGlobalSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, globalObj=0xb7a02000, ngslots=3, gslots=0x829c0bc) at ../jstracer.cpp:1811
#5  0x081b8307 in VisitSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, globalObj=0xb7a02000, callDepth=0, ngslots=3, gslots=0x829c0bc) at ../jstracer.cpp:1841
#6  0x081b7224 in VisitSlots<js::DetermineTypesVisitor> (visitor=..., cx=0x829ce28, callDepth=0, ngslots=3, gslots=0x829c0bc) at ../jstracer.cpp:1849
#7  0x0818a9dd in js::TraceRecorder::snapshot (this=0x82a2f40, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4001
#8  0x0818b22a in js::TraceRecorder::guard (this=0x82a2f40, expected=true, cond=0x8270168, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4208
#9  0x081aa637 in js::TraceRecorder::record_NativeCallComplete (this=0x82a2f40) at ../jstracer.cpp:12911
#10 0x08201908 in js_Interpret (cx=0x829ce28) at ../jsops.cpp:2151
#11 0x080caf28 in js_Execute (cx=0x829ce28, chain=0xb7a02000, script=0x82a4628, down=0x0, flags=0, result=0x0) at ../jsinterp.cpp:854
#12 0x0806c2cd in JS_ExecuteScript (cx=0x829ce28, obj=0xb7a02000, script=0x82a4628, rval=0x0) at ../jsapi.cpp:4608
#13 0x0804af1d in Process (cx=0x829ce28, obj=0xb7a02000, filename=0xbffff5ca "/home/netbook150/w15259-reduced.js", forceTTY=0) at ../../shell/js.cpp:422
#14 0x0804bc1a in ProcessArgs (cx=0x829ce28, obj=0xb7a02000, argv=0xbffff408, argc=2) at ../../shell/js.cpp:836
#15 0x0805386a in shell (cx=0x829ce28, argc=2, argv=0xbffff408, envp=0xbffff414) at ../../shell/js.cpp:5018
#16 0x08053986 in main (argc=2, argv=0xbffff408, envp=0xbffff414) at ../../shell/js.cpp:5107

Assertion failure: slot < (uint32)dslots[-1], at ../jsobj.h:319

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
0x0000000100156b6e in JS_Assert (s=0x1001eb958 "slot < (uint32)dslots[-1]", file=0x1001e9e28 "../jsobj.h", ln=319) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) up
#1  0x00000001001aef79 in JSObject::getSlotRef (this=0x101402000, slot=179) at jsobj.h:320
320                      dslots[slot - JS_INITIAL_NSLOTS]);
(gdb) l
315
316         jsval& getSlotRef(uintN slot) {
317             return (slot < JS_INITIAL_NSLOTS)
318                    ? fslots[slot]
319                    : (JS_ASSERT(slot < (uint32)dslots[-1]),
320                       dslots[slot - JS_INITIAL_NSLOTS]);
321         }
322
323         jsval getSlot(uintN slot) const {
324             return (slot < JS_INITIAL_NSLOTS)
(gdb) p slot
$1 = 179
(gdb) up
#2  0x000000010017e51c in js::VisitGlobalSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, globalObj=0x101402000, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1811
1811            visitor.visitGlobalSlot(&globalObj->getSlotRef(slot), n, slot);
(gdb) up
#3  0x000000010017e97a in js::VisitSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, globalObj=0x101402000, callDepth=0, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1841
1841        VisitGlobalSlots(visitor, cx, globalObj, ngslots, gslots);
(gdb) up
#4  0x000000010017e9d3 in js::VisitSlots<js::DetermineTypesVisitor> (visitor=@0x7fff5fbfe910, cx=0x100412200, callDepth=0, ngslots=3, gslots=0x10089f3e8) at ../jstracer.cpp:1849
1849        VisitSlots(visitor, cx, cx->fp->scopeChain->getGlobal(),
(gdb)
#5  0x000000010017f89f in js::TraceRecorder::snapshot (this=0x100415720, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4001
4001                                    tree->globalSlots->data());
(gdb)
#6  0x000000010018117f in js::TraceRecorder::guard (this=0x100415720, expected=true, cond=0x1008a9a30, exitType=js::STATUS_EXIT) at ../jstracer.cpp:4208
4208        guard(expected, cond, snapshot(exitType));
(gdb)
#7  0x000000010019416b in js::TraceRecorder::record_NativeCallComplete (this=0x100415720) at ../jstracer.cpp:12911
12911       guard(true, lir->insEqI_0(status), STATUS_EXIT);
(gdb) up
#8  0x000000010009bfa2 in js_Interpret (cx=0x100412200) at jsops.cpp:2151
2151                TRACE_0(NativeCallComplete);
(gdb) p cx.regs.pc - script.code
$2 = 46
(gdb) p script.length
$3 = 54
(gdb) call js_Disassemble(cx, script, 0, __stdoutp)
00000:  trace
main:
00001:  newinit 3
00003:  zero
00004:  zero
00005:  initelem
00006:  one
00007:  zero
00008:  initelem
00009:  int8 2
00011:  this
00012:  initelem
00013:  endinit
00014:  iter 3
00016:  goto 48 (32)
00019:  trace
00020:  forname "w"
00023:  name "w"
00026:  name "NaN"
00029:  setprop "y"
00032:  pop
00033:  name "w"
00036:  delprop "y"
00039:  pop
00040:  callname "gc"
00043:  call 0
00046:  trace
00047:  pop
00048:  moreiter
00049:  ifne 19 (-30)
00052:  enditer
00053:  stop
$4 = 1
(gdb) fr 1
#1  0x00000001001aef79 in JSObject::getSlotRef (this=0x101402000, slot=179) at jsobj.h:320
320                      dslots[slot - JS_INITIAL_NSLOTS]);
(gdb) p dslots
$5 = (jsval *) 0x1008a3a08
(gdb) p dslots[-1]
$6 = 179
(gdb) p slot
$7 = 179

Deleting a global property upsets the trace recorder's idea of what is a valid global slot.

I'm focusing on 558451 and could use a hand here -- cc'ing tracing friends. I'll get to this if no one else does.

One quick fix would be to abort on the global object at recording time, and bail at runtime.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5
(In reply to comment #1)

The quick fix sounds best to me, and is consistent with other ways we handle indirectly modifying globals on trace.
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
blocking2.0: ? → final+
Attached patch fix (deleted) — Splinter Review
Attachment #453167 - Flags: review?(dvander)
Attachment #453167 - Flags: review?(dvander) → review+
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:critical?][critsmash:investigating] fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-