Closed Bug 1107937 Opened 5 years ago Closed 5 years ago

Assertion failure: frame_.isGlobalFrame() || frame_.isDebuggerEvalFrame(), at js/src/vm/ScopeObject.cpp:1255

Product / Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Platform: x86 Linux
Status: RESOLVED FIXED
Target Milestone: mozilla37
Tracking Status: firefox36 --- fixed; firefox37 --- fixed
Reporter: decoder
Assignee: shu
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:]
Attachments: 2 files

The following testcase crashes on mozilla-central revision a9fc46355661 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --ion-eager --no-threads):

var g = newGlobal();            // a second global hosts the Debugger
g.debuggeeGlobal = this;        // this global is the debuggee
g.eval("(" + function() {
    dbg = new Debugger(debuggeeGlobal);
    // Runs while an exception propagates; walking frame.older forces every
    // debuggee frame on the stack (Ion frames included) to be materialized.
    dbg.onExceptionUnwind = function(frame, exc) {
        var s = '!';
        for (var f = frame; f; f = f.older)
            debuggeeGlobal.log += s;
    };
} + ")();");
function t() {
    function a(w) {}            // nested functions using t's bindings make t heavyweight
    function r() {
        a(3);
        w(4);                   // w is not bound here: throws ReferenceError
    }
    for (var i = 0; i < 100; i++) {
        r();                    // the first call throws; the exception unwinds through r and t
    }
}
t();


Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x086dc97b in js::ScopeIter::settle (this=this@entry=0xffffc9ac) at js/src/vm/ScopeObject.cpp:1255
1255	        MOZ_ASSERT(frame_.isGlobalFrame() || frame_.isDebuggerEvalFrame());
#0  0x086dc97b in js::ScopeIter::settle (this=this@entry=0xffffc9ac) at js/src/vm/ScopeObject.cpp:1255
#1  0x086dcc14 in js::ScopeIter::ScopeIter (this=0xffffc9ac, frame=..., pc=0x96c842f ":", cx=0x9601838, _notifier=...) at js/src/vm/ScopeObject.cpp:1122
#2  0x08364202 in HandleExceptionBaseline (calledDebugEpilogue=0xffffc93c, unwoundScopeToPc=<synthetic pointer>, rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:620
#3  js::jit::HandleException (rfe=0xffffcc38) at js/src/jit/JitFrames.cpp:791
#4  0xf7fc91e5 in ?? ()
eax	0x0	0
ebx	0x95bdff4	157016052
ecx	0xf7e5588c	-135964532
edx	0x0	0
esi	0xffffc9ac	-13908
edi	0xffffc9b0	-13904
ebp	0xffffc878	4294953080
esp	0xffffc850	4294953040
eip	0x86dc97b <js::ScopeIter::settle()+1387>
=> 0x86dc97b <js::ScopeIter::settle()+1387>:	movl   $0x7b,0x0
   0x86dc985 <js::ScopeIter::settle()+1397>:	call   0x804a990 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Assignee: nobody → shu
The bug here is that I had originally thought all heavyweight function frames
would read their CallObjects out of the snapshot, but this is apparently not
true and some of them are created only on bailout.
Attachment #8532692 - Flags: review?(jdemooij)
Comment on attachment 8532692 [details] [diff] [review]
Part 2: Correctly rematerialize CallObjects on heavyweight function frames.

Review of attachment 8532692 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/RematerializedFrame.cpp
@@ +76,2 @@
>              return false;
> +        if (frame->scopeChain()) {
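Review bot: the null test on `frame->scopeChain()` in this hunk is inconsistent with the `hasCallObj()` hunk below, which calls `scopeChain()->is<CallObject>()` unconditionally; if a null scope chain is possible on a rematerialized frame, `hasCallObj()` needs the same guard (or a flag recorded here), and if it is not possible, this should be an assertion rather than a silent skip that leaves the CallObject unrematerialized.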

Can frame->scopeChain() be null?

::: js/src/jit/RematerializedFrame.h
@@ +109,4 @@
>      bool hasCallObj() const {
> +        return maybeFun() &&
> +               fun()->isHeavyweight() &&
> +               scopeChain()->is<CallObject>();

scopeChain() could be a CallObject of some outer function right? There's also the block case we discussed on IRC (once Ion supports that). I think it'd be nice to add a flag to match BaselineFrame/InterpeterFrame and avoid these issues.
Attachment #8532692 - Flags: review?(jdemooij) → review+
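The model below is an added illustration, not SpiderMonkey code, of the two points raised in this review and the comment before it: a structural test of the form `scopeChain()->is<CallObject>()` cannot tell a frame's own CallObject from an enclosing function's, which matters precisely when a heavyweight frame's CallObject has not been created yet (the "created only on bailout" case), whereas an explicit per-frame flag can. Every type and function name here (ScopeObject, Function, Frame, Scenario and the helpers) is invented for the model.

```cpp
#include <cstdio>
#include <string>

// Toy model of the scope-chain shapes under discussion. These are NOT
// SpiderMonkey's classes; names and fields are invented for illustration.
struct ScopeObject {
    enum Kind { Global, Call };
    Kind kind;
    ScopeObject* enclosing;   // next object outward on the scope chain
    std::string owner;        // for Call: the function whose locals it holds
    bool isCallObject() const { return kind == Call; }
};

struct Function {
    std::string name;
    bool heavyweight;         // needs its own CallObject (locals are closed over)
};

struct Frame {
    const Function* fun;      // nullptr for global / debugger-eval frames
    ScopeObject* scopeChain;  // innermost scope object visible to this frame
    bool hasCallObjFlag;      // explicit record: has this frame pushed its own CallObject?

    // Structural test, as in the reviewed hunk: infer "has a CallObject" from
    // the type of whatever object sits at the head of the scope chain.
    bool hasCallObjStructural() const {
        return fun && fun->heavyweight && scopeChain && scopeChain->isCallObject();
    }
    // The alternative the reviewer asked for: a per-frame flag, matching what
    // BaselineFrame / InterpreterFrame keep.
    bool hasCallObjFlagged() const { return hasCallObjFlag; }

    // Which function owns the object a consumer would treat as "this frame's
    // CallObject"? Empty string when the chosen predicate says there is none.
    std::string callObjOwner(bool useFlag) const {
        bool has = useFlag ? hasCallObjFlagged() : hasCallObjStructural();
        return has ? scopeChain->owner : std::string();
    }
};

// Constructed scenario: outer() and inner() are both heavyweight, inner is
// nested in outer, and leaf() is a lightweight callee of outer (like r() in
// the testcase above).
struct Scenario {
    ScopeObject global{ScopeObject::Global, nullptr, ""};
    ScopeObject outerCall{ScopeObject::Call, &global, "outer"};
    ScopeObject innerCall{ScopeObject::Call, &outerCall, "inner"};
    Function outer{"outer", true};
    Function inner{"inner", true};
    Function leaf{"leaf", false};
};

// inner's frame before its CallObject exists: the scope chain still points at
// outer's CallObject, so a type check sees "a CallObject" and misattributes it.
Frame innerBeforeCallObj(Scenario& s) { return Frame{&s.inner, &s.outerCall, false}; }

// inner's frame once its own CallObject has been pushed: both checks agree.
Frame innerAfterCallObj(Scenario& s) { return Frame{&s.inner, &s.innerCall, true}; }

// leaf's frame: scope chain is outer's CallObject, but leaf never gets one of
// its own, and the heavyweight test in the structural check filters it out.
Frame leafFrame(Scenario& s) { return Frame{&s.leaf, &s.outerCall, false}; }

int main() {
    Scenario s;
    Frame before = innerBeforeCallObj(s);
    std::printf("inner (before CallObject): structural=%d flag=%d owner='%s'\n",
                before.hasCallObjStructural(), before.hasCallObjFlagged(),
                before.callObjOwner(false).c_str());
    Frame after = innerAfterCallObj(s);
    std::printf("inner (after CallObject):  structural=%d flag=%d owner='%s'\n",
                after.hasCallObjStructural(), after.hasCallObjFlagged(),
                after.callObjOwner(true).c_str());
    return 0;
}
```

The failure case is the first frame: the structural predicate answers "yes" and hands back outer's CallObject as if it were inner's, while the flag answers "no", which is why recording the state per frame is safer than inferring it from the shape of the scope chain.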
Oops, I forgot to add a has-callobj flag. Setting NI for myself here so I can do it as a followup.
Flags: needinfo?(shu)
https://hg.mozilla.org/mozilla-central/rev/a03085803e4d
https://hg.mozilla.org/mozilla-central/rev/cec0200ec01e
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Flags: needinfo?(shu)
Blocks: 1114757
Fixed for Fx36 by the roll-up in bug 1114757.
Flags: in-testsuite?