Bug 1111300 - Assertion failure: rematFrame->numActualArgs() == frame->numActualArgs(), at js/src/jit/BaselineBailouts.cpp:1639 or Crash [@ (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess]
Status: RESOLVED FIXED (opened 11 years ago, closed 11 years ago)
Product / Component: Core :: JavaScript Engine (defect)
Target Milestone: mozilla37
Reporter: decoder; Assignee: shu
Keywords: 4 keywords; Whiteboard: [jsbugmon:update,bisect]
Attachments (1): patch, 1.69 KB, efaust: review+
The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-eager):
var evalInFrame = (function(global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    for (var i = 0; i < upCount; i++) {
      frame = frame.older;
    }
    var completion = frame.eval(code);
  };
})(this);
function i(save) {
  evalInFrame(1, "a.push(z)", save);
}
function h() {
  var z = 5;
  evalInFrame(0, "a.push(z)");
  evalInFrame(0, "i(true)", true);
}
function g() {
  h();
}
function f() {
  g();
}
function a(code) {
  f()
}
a()
a()
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=0x16f1ad0, debugScope=(js::DebugScopeObject * const) 0x7ffff695e1c0 [object Proxy], scope=..., id=$jsid("z"), action=(anonymous namespace)::DebugScopeProxy::GET, vp=..., accessResult=0x7fffffff85a0, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1365
1365 vp.set(frame.unaliasedLocal(i));
#0 (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=0x16f1ad0, debugScope=(js::DebugScopeObject * const) 0x7ffff695e1c0 [object Proxy], scope=..., id=$jsid("z"), action=(anonymous namespace)::DebugScopeProxy::GET, vp=..., accessResult=0x7fffffff85a0, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1365
#1 0x00000000008f395a in (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x16f1ad0, proxy=..., receiver=..., id=$jsid("z"), vp=JSVAL_VOID) at js/src/vm/ScopeObject.cpp:1605
#2 0x0000000000841357 in js::Proxy::get (cx=0x16f1ad0, proxy=(JSObject * const) 0x7ffff695e1c0 [object Proxy], receiver=(JSObject * const) 0x7ffff695e1c0 [object Proxy], id=$jsid("z"), vp=JSVAL_VOID) at js/src/proxy/Proxy.cpp:299
#3 0x000000000068cf42 in getGeneric (vp=JSVAL_VOID, id=$jsid("z"), receiver=..., obj=..., cx=0x16f1ad0) at js/src/vm/NativeObject.h:1404
#4 js::FetchName<false> (cx=0x16f1ad0, obj=..., obj2=..., name="z", shape=..., vp=...) at js/src/vm/Interpreter-inl.h:243
#5 0x0000000000897c35 in NameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:303
#6 Interpret (cx=0x16f1ad0, state=...) at js/src/vm/Interpreter.cpp:2649
#7 0x000000000089c63b in js::RunScript (cx=0x16f1ad0, state=...) at js/src/vm/Interpreter.cpp:432
#8 0x000000000089c8c2 in js::ExecuteKernel (cx=0x16f1ad0, script=0x7ffff6961bf0, scopeChainArg=(JSObject &) @0x7ffff695e1c0 [object Proxy], thisv=..., type=<optimized out>, evalInFrame=..., result=0x7fffffff9310) at js/src/vm/Interpreter.cpp:641
#9 0x000000000089cc52 in js::EvaluateInEnv (cx=0x16f1ad0, env=(JSObject * const) 0x7ffff695e1c0 [object Proxy], thisv=$jsval((JSObject *) 0x7ffff695d060 [object global] delegate), frame=..., chars=..., filename=0xafa229 "debugger eval code", lineno=1, rval=JSVAL_VOID) at js/src/vm/Debugger.cpp:5650
#10 0x00000000008aba6b in DebuggerGenericEval (cx=0x16f1ad0, fullMethodName=<optimized out>, code=..., evalWithBindings=EvalWithDefaultBindings, bindings=..., options=<error reading variable: Cannot access memory at address 0x0>, vp=$jsval((JSObject *) 0x7ffff6983780 [object Function "eval"]), dbg=0x17dfb70, scope=0x0, iter=0x7fffffff9508) at js/src/vm/Debugger.cpp:5787
#11 0x00000000008ac68c in DebuggerFrame_eval (cx=0x16f1ad0, argc=1, vp=0x7fffffff9f88) at js/src/vm/Debugger.cpp:5801
#12 0x000000000089cf42 in CallJSNative (args=..., native=0x8ac4f0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, cx=0x16f1ad0) at js/src/jscntxtinlines.h:231
#13 js::Invoke (cx=0x16f1ad0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:482
#14 0x000000000089dd8b in js::Invoke (cx=0x16f1ad0, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:538
#15 0x0000000000835f89 in js::DirectProxyHandler::call (this=<optimized out>, cx=<optimized out>, proxy=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:70
#16 0x0000000000845311 in js::CrossCompartmentWrapper::call (this=0x16bb4e0, cx=0x16f1ad0, wrapper=(JSObject * const) 0x7ffff695e120 [object Proxy], args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:296
#17 0x0000000000842b72 in call (args=..., proxy=(JSObject * const) 0x7ffff695e120 [object Proxy], cx=0x16f1ad0) at js/src/proxy/Proxy.cpp:436
#18 js::proxy_Call (cx=0x16f1ad0, argc=1, vp=0x7fffffffa768) at js/src/proxy/Proxy.cpp:818
#19 0x000000000089cf42 in CallJSNative (args=..., native=0x842ab0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, cx=0x16f1ad0) at js/src/jscntxtinlines.h:231
#20 js::Invoke (cx=0x16f1ad0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:482
#21 0x000000000089dd8b in js::Invoke (cx=0x16f1ad0, thisv=..., fval=..., argc=1, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:538
#22 0x00000000005e015c in js::jit::DoCallFallback (cx=0x16f1ad0, frame=0x7fffffffab60, stub_=0x17e3890, argc=1, vp=0x7fffffffaaf8, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:9428
[...]
#48 0x0000000000000000 in ?? ()
rax 0x15ad78c38 5819042872
rbx 0x16f1ad0 24058576
rcx 0x7ffff6961570 140737330419056
rdx 0x2b2b2b2b 724249387
rsi 0x0 0
rdi 0x7fffffff84e0 140737488323808
rbp 0x17e7b30 25066288
rsp 0x7fffffff8480 140737488323712
r8 0x17df080 25030784
r9 0x7fffffff8950 140737488324944
r10 0x0 0
r11 0x1c 28
r12 0x7ffff6900b98 140737330023320
r13 0x0 0
r14 0x1 1
r15 0x0 0
rip 0x8f35a3 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, jsid, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+1635>
=> 0x8f35a3 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, jsid, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+1635>: mov (%rax),%rax
0x8f35a6 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, jsid, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+1638>: mov %rax,(%r9)
Comment 1 (Assignee) • 11 years ago
The bug is that numActualArgs was used both to compute how many argument slots
we need to allocate for and the actual number of args.
Attachment #8536848 - Flags: review?(efaustbmo)
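The counting mistake shu describes, as an added illustration in C++ that is not SpiderMonkey's code: a hypothetical rematerialized-frame model pads its argument slots to max(formals, actuals), so a frame like the testcase's `a(code)` called as `a()` needs one slot but has zero actual arguments. The buggy variant reports the padded slot count as the actual count; the fixed variant keeps the two numbers separate. `matchesSourceFrame` stands in for the assertion in the bug title. All type and function names here are assumptions, not identifiers from the patch.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical model of the frame being rematerialized (not SpiderMonkey's
// types): the callee's formal parameter count and the caller's actual count.
struct SourceFrame {
    size_t numFormals;
    size_t numActuals;
};

// Slots to allocate: every formal needs a slot even if the caller passed
// fewer actuals, and every extra actual beyond the formals needs one too.
static size_t argSlotsNeeded(const SourceFrame& f) {
    return std::max(f.numFormals, f.numActuals);
}

// Buggy variant: the padded slot count is reused as numActualArgs, so a
// frame like a() (one formal, zero actuals) claims one actual argument.
class RematFrameBuggy {
  public:
    explicit RematFrameBuggy(const SourceFrame& f)
        : numActualArgs_(argSlotsNeeded(f)),  // BUG: slot count != actual count
          argSlots_(numActualArgs_, 0) {}
    size_t numActualArgs() const { return numActualArgs_; }
    size_t numArgSlots() const { return argSlots_.size(); }
  private:
    size_t numActualArgs_;        // declared first: initialized before argSlots_
    std::vector<int> argSlots_;
};

// Fixed variant: allocate max(formals, actuals) slots, but record the
// caller's real actual count separately from the allocation size.
class RematFrameFixed {
  public:
    explicit RematFrameFixed(const SourceFrame& f)
        : numActualArgs_(f.numActuals),
          argSlots_(argSlotsNeeded(f), 0) {}
    size_t numActualArgs() const { return numActualArgs_; }
    size_t numArgSlots() const { return argSlots_.size(); }
  private:
    size_t numActualArgs_;
    std::vector<int> argSlots_;
};

// Stand-in for the assertion in the bug title: the rematerialized frame must
// agree with the frame it was built from about the number of actual args.
static bool matchesSourceFrame(size_t rematActuals, const SourceFrame& f) {
    return rematActuals == f.numActuals;
}

int main() {
    // Constructed inputs modelled on the testcase: a(code) called as a(),
    // and evalInFrame(upCount, code) called with three arguments.
    const SourceFrame underApplied{1, 0};
    const SourceFrame overApplied{2, 3};

    RematFrameBuggy bu(underApplied);
    RematFrameFixed fu(underApplied);
    std::printf("a(): buggy actuals=%zu fixed actuals=%zu slots=%zu\n",
                bu.numActualArgs(), fu.numActualArgs(), fu.numArgSlots());
    std::printf("buggy matches source: %s, fixed matches source: %s\n",
                matchesSourceFrame(bu.numActualArgs(), underApplied) ? "yes" : "no",
                matchesSourceFrame(fu.numActualArgs(), underApplied) ? "yes" : "no");

    // With more actuals than formals both variants agree, which is why the
    // bug only trips on frames whose formals exceed their actuals.
    RematFrameBuggy bo(overApplied);
    assert(matchesSourceFrame(bo.numActualArgs(), overApplied));
    return 0;
}
```

The point the two variants make is that an allocation size and a logical count can coincide for most inputs and still be different quantities; the mismatch only shows up when formals exceed actuals, exactly the shape of the `a()` call in the testcase.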
Updated (Assignee) • 11 years ago
Assignee: nobody → shu
Comment 2 • 11 years ago
Comment on attachment 8536848 [details] [diff] [review]
Fix stupid bug miscomputing the number of actual args in RematerializedFrames.
Review of attachment 8536848 [details] [diff] [review]:
-----------------------------------------------------------------
Yep. That's a stupid bug alright. r=me.
Attachment #8536848 - Flags: review?(efaustbmo) → review+
Comment 3 • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment 4 • 11 years ago
Fixed for Fx36 by the roll-up in bug 1114757.