Closed Bug 591602 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: pobj == found,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Attached file testcase (deleted)
Attached testcase asserts 32-bit js debug shell on JM changeset e0487d27eb6c with -m at Assertion failure: pobj == found, at ../jsinterp.cpp:1987

Tested on Mac 10.6.4.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0016ecd7 in JS_Assert (s=0x282bec "pobj == found", file=0x283f98 "../jsinterp.cpp", ln=1987) at ../jsutil.cpp:80
80          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0016ecd7 in JS_Assert (s=0x282bec "pobj == found", file=0x283f98 "../jsinterp.cpp", ln=1987) at ../jsutil.cpp:80
#1  0x00093b94 in AssertValidPropertyCacheHit (cx=0x60aa60, script=0x60cf50, regs=@0xbfffeaf4, pcoff=0, start=0x14027e0, found=0x14027e0, entry=0x831438) at ../jsinterp.cpp:1987
#2  0x0009c072 in js::Interpret (cx=0x60aa60, entryFrame=0x1000100, inlineCallCount=1) at ../jsinterp.cpp:3278
#3  0x0024f89a in InlineCall (f=@0xbffff3c0, flags=0, pret=0xbffff380, argc=0) at ../methodjit/InvokeHelpers.cpp:297
#4  0x0024fcdc in js::mjit::stubs::SlowCall (f=@0xbffff3c0, argc=0) at ../methodjit/InvokeHelpers.cpp:394
#5  0x005cdb7d in ?? ()
#6  0x001ff14d in EnterMethodJIT (cx=0x60aa60, fp=0x1000098, code=0x5cd05c, safePoint=0x0) at ../methodjit/MethodJIT.cpp:757
#7  0x001ff30f in js::mjit::JaegerShot (cx=0x60aa60) at ../methodjit/MethodJIT.cpp:783
#8  0x000bcbed in js::RunScript (cx=0x60aa60, script=0x86d000, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:465
#9  0x000be5d0 in js::Execute (cx=0x60aa60, chain=0x1402000, script=0x86d000, down=0x0, flags=0, result=0x0) at jsinterp.cpp:942
#10 0x00016e77 in JS_ExecuteScript (cx=0x60aa60, obj=0x1402000, script=0x86d000, rval=0x0) at ../jsapi.cpp:4776
#11 0x0000c490 in Process (cx=0x60aa60, obj=0x1402000, filename=0xbffff93f "pobjFoundAssert.js", forceTTY=0) at ../../shell/js.cpp:442
#12 0x0000d203 in ProcessArgs (cx=0x60aa60, obj=0x1402000, argv=0xbffff820, argc=2) at ../../shell/js.cpp:862
#13 0x0000d31c in shell (cx=0x60aa60, argc=2, argv=0xbffff820, envp=0xbffff82c) at ../../shell/js.cpp:5150
#14 0x0000d440 in main (argc=2, argv=0xbffff820, envp=0xbffff82c) at ../../shell/js.cpp:5246
I can reproduce this on Mac only. The property cache entry for BINDNAME gets confused - js_FindIdentifierBase returns:
  obj = fp->scopeChain  (a Block object)
  obj2 = obj.parent
  pobj = obj.parent.proto

Without -m, obj->shape() != pobj->shape(). With -m, they are equal. PropertyCache::fill() somehow gets fooled into storing an entry that returns |fp->scopeChain| instead of hopping a link.

Without -m, a shape regeneration evolves |obj|'s shape from 38 to 44. With -m, it stays at 38.
This went away with bug 558451 (JSScope removal).
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug591602.js.
Flags: in-testsuite+