Bug 1191499 (Closed)
Opened 9 years ago
Closed 9 years ago
Crash [@ js::ArgumentsObject::arg] with Debugger
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla43
People: Reporter: decoder, Assigned: shu
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 1.69 KB, jandem: review+
The following testcase crashes on mozilla-central revision f3b757156f69 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --baseline-eager):

setJitCompilerOption('ion.warmup.trigger', 2);
setJitCompilerOption('offthread-compilation.enable', 0);
var g = newGlobal();
var dbg2 = new Debugger;
g.toggle = function toggle(x, d) {
  if (d) {
    dbg2.addDebuggee(g);
    dbg2.getNewestFrame().environment.getVariable("x");
  }
};
g.eval("" + function f(x, d) { toggle(++arguments, d); });
g.eval("(" + function test() {
  for (var i = 0; i < 30; i++)
    f(42, false);
  f(42, true);
} + ")();");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::ArgumentsObject::arg (this=0x7ffff3401330, i=0) at js/src/vm/ArgumentsObject.h:234
#0  js::ArgumentsObject::arg (this=0x7ffff3401330, i=0) at js/src/vm/ArgumentsObject.h:234
#1  0x000000000073ae0f in (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6907000, debugScope=..., scope=..., scope@entry=..., id=..., id@entry=..., action=action@entry=(anonymous namespace)::DebugScopeProxy::GET, vp=..., vp@entry=..., accessResult=accessResult@entry=0x7fffffff8530, this=0x1ad7020 <(anonymous namespace)::DebugScopeProxy::singleton>) at js/src/vm/ScopeObject.cpp:1301
#2  0x000000000073c3a9 in getMaybeSentinelValue (this=0x1ad7020 <(anonymous namespace)::DebugScopeProxy::singleton>, vp=..., id=..., debugScope=..., cx=0x7ffff6907000) at js/src/vm/ScopeObject.cpp:1599
#3  js::DebugScopeObject::getMaybeSentinelValue (this=<optimized out>, cx=cx@entry=0x7ffff6907000, id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/ScopeObject.cpp:1801
#4  0x00000000006a0897 in DebuggerEnv_getVariable (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:7884
#5  0x00000000006cf7f2 in js::CallJSNative (cx=0x7ffff6907000, native=0x6a0640 <DebuggerEnv_getVariable(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006bf982 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:811
#7  0x00000000006c13f9 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffff8df8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:866
#8  0x00000000008eabda in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffff8e38, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff8de8, res=...) at js/src/jit/BaselineIC.cpp:10054
#9  0x00007ffff7feebdf in ?? ()
[...]
#31 0x0000000000000000 in ?? ()

rax 0xfffc2b2b2b2b2b2b -1078435499005141
rbx 0x7ffff6907000 140737330049024
rcx 0xffffffff 4294967295
rdx 0x40 64
rsi 0x0 0
rdi 0x7ffff3401330 140737274450736
rbp 0x7fffffff8400 140737488323584
rsp 0x7fffffff8400 140737488323584
r8  0x1b 27
r9  0xda8c1646 3666613830
r10 0x7ffff69a9000 140737330712576
r11 0xfff9000000000000 -1970324836974592
r12 0x0 0
r13 0x7fffffff8490 140737488323728
r14 0x7fffffff8440 140737488323648
r15 0x1 1
rip 0x6cf248 <js::ArgumentsObject::arg(unsigned int) const+8>
=> 0x6cf248 <js::ArgumentsObject::arg(unsigned int) const+8>:  cmpl $0xfffffff,0x10(%rax)
   0x6cf24f <js::ArgumentsObject::arg(unsigned int) const+15>: jbe  0x6cf28f <js::ArgumentsObject::arg(unsigned int) const+79>

Not s-s because this is debugger related.
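The testcase above hinges on `++arguments`: in a sloppy-mode function, `arguments` is an ordinary reassignable binding, so after the increment the value sitting where engine code may expect an arguments object is a plain number, and any consumer of that slot that casts without checking is type-confused. The following is an added illustration of that language rule in plain JavaScript (it is not decoder's testcase, not SpiderMonkey code, and does not reproduce the crash); the function names and the constructed inputs are mine. Functions are built with `new Function` so each body chooses sloppy or strict mode independently of how this file is loaded.

```javascript
// Added example, not from the bug report: why `++arguments` matters.
// In sloppy-mode functions `arguments` is a normal, writable binding.

// Sloppy body: incrementing `arguments` replaces the arguments object
// with NaN (ToNumber("[object Arguments]") is NaN, NaN + 1 is NaN).
const sloppyIncrement = new Function(
  "x",
  "++arguments; return [typeof arguments, Number.isNaN(arguments), x];"
);

// Explicit assignment behaves the same way in sloppy code.
const sloppyAssign = new Function(
  "x",
  "arguments = 'replaced'; return [typeof arguments, arguments, x];"
);

// A strict body rejects `arguments` as an assignment target at parse
// time, so the binding can never be replaced there.
function strictRejectsAssignment() {
  try {
    new Function("x", "'use strict'; ++arguments; return x;");
    return false; // should not get here
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// The check a consumer of such a slot needs before treating the value
// as an arguments object: verify the kind, do not assume it.
function isArgumentsObject(v) {
  return Object.prototype.toString.call(v) === "[object Arguments]";
}

// Constructed sample calls. Note that the formal `x` still reads 42 in
// every case; only the `arguments` binding itself was replaced.
function demo() {
  return {
    increment: sloppyIncrement(42),            // ["number", true, 42]
    assign: sloppyAssign(42),                  // ["string", "replaced", 42]
    strictRejected: strictRejectsAssignment(), // true
    // An untouched arguments object passes the kind check ...
    checkedBefore: isArgumentsObject((function () { return arguments; })()), // true
    // ... and a replaced one fails it, which is the case that must be handled.
    checkedAfter: isArgumentsObject(new Function("++arguments; return arguments;")()), // false
  };
}
```

The point for a debugger or any other introspection path is the last two fields: the same frame slot can legitimately hold either an arguments object or an arbitrary value, so the kind check has to happen before the value is used as an arguments object.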
Comment 1 (assignee, 9 years ago):
Attachment #8644071 - Flags: review?(jdemooij)
Updated 9 years ago (assignee):
Assignee: nobody → shu
Status: NEW → ASSIGNED
Updated 9 years ago:
Attachment #8644071 - Flags: review?(jdemooij) → review+
Comment 4 (9 years ago):
https://hg.mozilla.org/mozilla-central/rev/718d9ac7f697
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox43: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43