Closed
Bug 1100316
Opened 10 years ago
Closed 10 years ago
Assertion failure: frame.isDebuggee(), at vm/Debugger-inl.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla36
Tracking | Status | |
---|---|---|
firefox36 | --- | affected |
People
(Reporter: gkw, Assigned: shu)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
7.39 KB, text/plain
5.01 KB, patch (jandem: review+)
```
// Random chosen test: js/src/jit-test/tests/debug/resumption-03.js
g = newGlobal()
g.debuggeeGlobal = this
g.eval("(" + function() {
    dbg = new Debugger(debuggeeGlobal);
    dbg.onDebuggerStatement = function() {}
} + ")()")
// jsfunfuzz-generated code
for (c in (function() {
    yield
})()) h
```

asserts js debug shell on m-c changeset a52bf59965a0 with --ion-eager --no-threads at Assertion failure: frame.isDebuggee(), at vm/Debugger-inl.h.

Debug configure options:

```
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
```

This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/debug/resumption-03.js

Due to skipped revisions, the first bad revision could be any of:

```
changeset: https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:39 2014 -0800
summary:   Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:40 2014 -0800
summary:   Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:40 2014 -0800
summary:   Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)

changeset: https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:40 2014 -0800
summary:   Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)

changeset: https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:40 2014 -0800
summary:   Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)

changeset: https://hg.mozilla.org/mozilla-central/rev/06d07689a043
user:      Shu-yu Guo
date:      Thu Nov 13 14:39:41 2014 -0800
summary:   Bug 1032869 - Part 4: Add an auto-updated DebugModeOSRVolatileJitFrameIterator. (r=jandem)
```

Shu-yu, is bug 1032869 or bug 1063330 a likely regressor?
Flags: needinfo?(shu)
Reporter
Comment 1 • 10 years ago
```
(lldb) bt 5
* thread #1: tid = 0x557144, 0x00000001006b73c4 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::mainThread(this=<unavailable>) const + 28 at Stack.h:1098, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006b73c4 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::mainThread(this=<unavailable>) const + 28 at Stack.h:1098
    frame #1: 0x00000001006b73a8 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::interpreterFrame() const at jscntxt.h:513
    frame #2: 0x00000001006b73a8 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(cx=<unavailable>, frame=(ptr_ = 140734799796866), ok=<unavailable>) + 856 at Debugger-inl.h:17
    frame #3: 0x00000001004238a6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::DebugEpilogue(cx=0x0000000101d01b90, frame=0x00007fff5fbfda80, pc=<unavailable>, ok=true) + 294 at VMFunctions.cpp:802
    frame #4: 0x000000010031c313 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::HandleClosingGeneratorReturn(JSContext*, js::jit::JitFrameIterator const&, unsigned char*, unsigned char*, js::jit::ResumeFromException*, bool*) [inlined] js::jit::ForcedReturn(cx=0x0000000101d01b90, frame=<unavailable>, pc=0x0000000101b3809f) + 38 at IonFrames.cpp:516
(lldb)
```
Reporter
Updated • 10 years ago
Whiteboard: [jsbugmon: update] → [jsbugmon:update]
Assignee
Comment 2 • 10 years ago
JSOP_DEBUGAFTERYIELD was only catching the 'next' case.
Attachment #8524119 - Flags: review?(jdemooij)
Assignee
Updated • 10 years ago
Assignee: nobody → shu
Flags: needinfo?(shu)
Assignee
Comment 3 • 10 years ago
Forgot to commit code...
Attachment #8524119 - Attachment is obsolete: true
Attachment #8524119 - Flags: review?(jdemooij)
Attachment #8524222 - Flags: review?(jdemooij)
Comment 4 • 10 years ago
Comment on attachment 8524222
Mark resumed BaselineFrames as debuggee when resuming from generator throw/close.

Review of attachment 8524222:
-----------------------------------------------------------------
::: js/src/jit-test/tests/debug/execution-observability-02.js @@ +4,5 @@ > +var g = newGlobal(); > +var dbg = new Debugger(g); > + > +var hits = 0; > +dbg.onEnterFrame = function (f) { hits++; };

Does the test fail without the patch? Since we don't call onEnterFrame when resuming a generator.. (Alternative is gen.throw(<val>) with an onExceptionUnwind hook, maybe.)
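
Review bot: the role of the hook on the last quoted line of execution-observability-02.js, `dbg.onEnterFrame = function (f) { hits++; };`, is not stated in the test, and the quoted lines do not show what value of `hits` the test expects. If the hook is installed only to make the Debugger observe all execution, a one-line comment above it saying so would help, and `hits` should either be asserted on or dropped so a reader does not take the counter for the thing under test.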
Attachment #8524222 - Flags: review?(jdemooij) → review+
Assignee
Comment 5 • 10 years ago
(In reply to Jan de Mooij [:jandem] from comment #4) > Comment on attachment 8524222 [details] [diff] [review] > Mark resumed BaselineFrames as debuggee when resuming from generator > throw/close. > > Review of attachment 8524222 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: js/src/jit-test/tests/debug/execution-observability-02.js > @@ +4,5 @@ > > +var g = newGlobal(); > > +var dbg = new Debugger(g); > > + > > +var hits = 0; > > +dbg.onEnterFrame = function (f) { hits++; }; > > Does the test fail without the patch? Since we don't call onEnterFrame when > resuming a generator.. >

Yeah, it asserts when leaving the frame. The onEnterFrame there is really to put the compartment into the "debugger observing everything" mode, which trips an assert when leaving frames that checks for parity between the compartment observing everything and frames being marked debuggee.
Assignee
Comment 6 • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/41b6e6ea91a9
Comment 7 • 10 years ago
(In reply to Shu-yu Guo [:shu] from comment #5)
> The onEnterFrame there is really to
> put the compartment into the "debugger observing everything" mode, which
> trips an assert when leaving frames that checks for parity between the
> compartment observing everything and frames being marked debuggee.

Ah, great idea to assert that.
Comment 8 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/41b6e6ea91a9
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36