Closed Bug 1026477 Opened 8 years ago Closed 8 years ago

Assertion failure: parent->isNative(), at vm/Interpreter.cpp:3617

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox33 --- affected

People

(Reporter: decoder, Assigned: jimb)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

The following testcase asserts on mozilla-central revision bb35d1b73634 (threadsafe build, run with --fuzzing-safe):

function foo() {
    var g = newGlobal();
    g.debuggeeGlobal = this;
    // The debugger lives in a separate global; the function below is
    // stringified and evaluated there.
    g.eval("(" + function () {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = function (frame, exc) {
            var s = '!';
            // Walk the stack, defining a function named f in each frame.
            for (var f = frame; f.eval("function f() { debugger; g2.g(); }"); f = f.older)
                debuggeeGlobal.log += s;
        };
    } + ")();");
    function f() {
        h();   // h is intentionally undefined: the ReferenceError triggers onExceptionUnwind
    }
    f();
}
foo();
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/c92f83e9a864
user:        Shu-yu Guo
date:        Thu Apr 24 01:59:37 2014 -0700
summary:     Bug 716647 - Part 5: Relax the no on-stack scripts restriction for addDebuggee. (r=jimb)

This iteration took 251.733 seconds to run.
Needinfo on shu based on comment 2.
Flags: needinfo?(shu)
I can take this.
Assignee: nobody → jimb
Reduced test case:

var g = newGlobal();
var dbg = new Debugger(g);
dbg.onDebuggerStatement = function (frame) {
  print('Hi!');
  frame.eval('function f() { }');
};

g.eval('(function () { var f = 42; debugger; })();');
Flags: needinfo?(shu)
Thanks, Jim!
The fuzzers hit this one again. Jim, did this fall off your radar?
Flags: needinfo?(jimb)
The assertion is checking that, when we do frame.eval('function f() { }'), the scope object on which we define f is a native object. It is instead a DebugScopeObject, a proxy that combines Call and Block object properties with stack frame slots to provide a complete view of the frame's environment.

I don't quite know why the assertion is there. But it is definitely necessary to accept DebugScopeObjects as targets of the function definition: I have test cases which demonstrate overwriting both scope object properties and stack frame slots; DebugScopeObjects are the only way to get that behavior.

(Note that the assertion is not concerned with which object gets captured as the function's environment, only with which object gets the new value for 'f'.)
Flags: needinfo?(jimb)
Comment on attachment 8538834 [details] [diff] [review]
Make EvaluateInEnv static to Debugger.cpp; JSD1 no longer uses it

Review of attachment 8538834 [details] [diff] [review]:
-----------------------------------------------------------------

(This patch screws up the code's indentation; my local copy has corrected that.)
Attachment #8538834 - Flags: review?(shu)
Attachment #8538838 - Flags: review?(shu)
Attachment #8538834 - Flags: review?(shu) → review+
Attachment #8538838 - Flags: review?(shu) → review+
Jim, is this ready for landing?
Flags: needinfo?(jimb)
Oh, probably! Thanks for the reminder. I'll re-check, and land.
Flags: needinfo?(jimb)
Rebased patch on current M-C. Try push:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=5b5915c7d8fe
Flags: in-testsuite+
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla38