Closed
Bug 1118865
Opened 9 years ago
Closed 9 years ago
Assertion failure: isFunctionScope(scope) && !scope.as<CallObject>().callee().nonLazyScript()->needsArgsObj(), at js/src/vm/ScopeObject.cpp:1507
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla40
People
(Reporter: decoder, Assigned: shu)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
1.73 KB, patch, nbp: review+
The following testcase crashes on mozilla-central revision 33781a3a5201 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-debug, run with --fuzzing-safe --no-threads):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    frame = frame.older;
    var completion = frame.eval(code);
  };
})(this);
function h() {
  evalInFrame(1, "a.push(0)");
}
function f() {
  var a = arguments;
  h(a["1".concat("")], 1);
}
f();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0873f4b2 in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=(js::ScopeObject &) @0xf6900070 [object Call] delegate, v=..., cx=<optimized out>) at js/src/vm/ScopeObject.cpp:1506
1506        MOZ_ASSERT_IF(isMagic, isFunctionScope(scope) &&
#0  0x0873f4b2 in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=(js::ScopeObject &) @0xf6900070 [object Call] delegate, v=..., cx=<optimized out>) at js/src/vm/ScopeObject.cpp:1506
#1  0x087764d1 in (anonymous namespace)::DebugScopeProxy::get (this=0x963cbdc, cx=0x967d518, proxy=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/ScopeObject.cpp:1643
#2  0x086741f7 in js::Proxy::get (cx=0x967d518, proxy=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/proxy/Proxy.cpp:299
#3  0x080bb9d3 in JSObject::getGeneric (cx=0x967d518, obj=(JSObject * const) 0xf68480a0 [object Proxy], receiver=(JSObject * const) 0xf68480a0 [object Proxy], id=$jsid("a"), vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/NativeObject.h:1403
#4  0x08410ad0 in js::FetchName<false> (cx=0x967d518, obj=(JSObject * const) 0xf68480a0 [object Proxy], obj2=(JSObject * const) 0xf68480a0 [object Proxy], name="a", shape=0x1, vp=$jsval(-nan(0xfff8400000008))) at js/src/vm/Interpreter-inl.h:243
#5  0x086eaa44 in NameOperation (vp=$jsval(-nan(0xfff8400000008)), pc=0x9745c71 ";", fp=<optimized out>, cx=0x967d518) at js/src/vm/Interpreter.cpp:303
#6  Interpret (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:2672
#7  0x086f0db2 in js::RunScript (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:452
#8  0x086f10f5 in js::ExecuteKernel (cx=0x967d518, script=0xf684b420, scopeChainArg=(JSObject &) @0xf68480a0 [object Proxy], thisv=..., type=js::EXECUTE_DEBUG, evalInFrame=..., result=0xffffb600) at js/src/vm/Interpreter.cpp:661
#9  0x086f1723 in js::EvaluateInEnv (cx=0x967d518, env=(JSObject * const) 0xf68480a0 [object Proxy], thisv=$jsval(-nan(0xfff88f6847040)), frame=..., chars=..., filename=0x89d6495 "debugger eval code", lineno=1, rval=$jsval(-nan(0xfff8200000000))) at js/src/vm/Debugger.cpp:5928
#10 0x08702762 in DebuggerGenericEval (cx=0x967d518, fullMethodName=<optimized out>, code=..., evalWithBindings=EvalWithDefaultBindings, bindings=$jsval(-nan(0xfff8200000000)), options=$jsval(-nan(0xfff8200000000)), vp=$jsval(-nan(0xfff88f685ec60)), dbg=0x9730a10, scope=0x0, iter=0xffffb7e4) at js/src/vm/Debugger.cpp:6065
#11 0x08703378 in DebuggerFrame_eval (cx=0x967d518, argc=1, vp=0xffffbdf4) at js/src/vm/Debugger.cpp:6079
#12 0x08712be3 in js::CallJSNative (cx=0x967d518, native=0x8703070 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#13 0x086f19a4 in js::Invoke (cx=0x967d518, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#14 0x086f2dac in js::Invoke (cx=0x967d518, thisv=..., fval=..., argc=1, argv=0x97130b8, rval=$jsval(-nan(0xfff88f685ec60))) at js/src/vm/Interpreter.cpp:558
#15 0x0867699c in js::DirectProxyHandler::call (this=0x963cb78, cx=0x967d518, proxy=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/DirectProxyHandler.cpp:79
#16 0x08677f30 in js::CrossCompartmentWrapper::call (this=0x963cb78, cx=0x967d518, wrapper=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:286
#17 0x08675360 in js::Proxy::call (cx=0x967d518, proxy=(JSObject * const) 0xf6848090 [object Proxy], args=...) at js/src/proxy/Proxy.cpp:401
#18 0x0867544a in js::proxy_Call (cx=0x967d518, argc=1, vp=0x97130a8) at js/src/proxy/Proxy.cpp:792
#19 0x08712be3 in js::CallJSNative (cx=0x967d518, native=0x86753d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#20 0x086f1cbc in js::Invoke (cx=0x967d518, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#21 0x086e3820 in Interpret (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:2560
#22 0x086f0db2 in js::RunScript (cx=0x967d518, state=...) at js/src/vm/Interpreter.cpp:452
#23 0x086f10f5 in js::ExecuteKernel (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, thisv=..., type=js::EXECUTE_GLOBAL, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:661
#24 0x086f14ad in js::Execute (cx=0x967d518, script=0xf684b128, scopeChainArg=(JSObject &) @0xf6847040 [object global] delegate, rval=0x0) at js/src/vm/Interpreter.cpp:698
#25 0x0855f021 in ExecuteScript (cx=0x967d518, obj=(JSObject * const) 0xf6847040 [object global] delegate, scriptArg=0xf684b128, rval=0x0) at js/src/jsapi.cpp:4324
#26 0x0805bc99 in RunFile (compileOnly=false, file=0x9729e78, filename=0xffffd0e0 "min.js", obj=..., cx=0x967d518) at js/src/shell/js.cpp:450
#27 Process (cx=0x967d518, obj_=<optimized out>, filename=0xffffd0e0 "min.js", forceTTY=false) at js/src/shell/js.cpp:583
#28 0x08068f34 in ProcessArgs (op=0xffffcca8, obj_=<optimized out>, cx=0x967d518) at js/src/shell/js.cpp:5320
#29 Shell (op=0xffffcca8, cx=0x967d518, envp=<optimized out>) at js/src/shell/js.cpp:5559
#30 main (argc=0, argv=0x0, envp=0x0) at js/src/shell/js.cpp:5898
eax            0x0        0
ebx            0x963bff4  157532148
ecx            0xf7e618ac -135915348
edx            0x0        0
esi            0xf6900070 -158334864
edi            0x9608b00  157321984
ebp            0xffffabf8 4294945784
esp            0xffffabd0 4294945744
eip            0x873f4b2  <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+98>
=> 0x873f4b2 <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+98>:  movl   $0x7b,0x0
   0x873f4bc <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue)+108>: call   0x804a9d0 <abort@plt>
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 1•9 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb3487d8700b
user:        Nicolas B. Pierron
date:        Thu Jul 24 04:30:50 2014 -0700
summary:     Bug 1039607 - Scalar Replacement support dynamic slots. r=h4writer

This iteration took 199.509 seconds to run.
Reporter
Comment 2•9 years ago
Needinfo from nbp based on comment 1.
Flags: needinfo?(nicolas.b.pierron)
Comment 3•9 years ago
So far, breaking on the ObjectMemoryView and ArrayMemoryView constructors does not seem to get any hit, so I do not see how this could be related to the current patch.
Comment 4•9 years ago
I cannot get any failure when Ion is disabled. --ion-eager is useful to get a well-formatted output for iongraph.

I reduced the test case, and I can reproduce with --ion-offthread-compile=off --ion-eager --ion-scalar-replacement=off:

var dbgGlobal = newGlobal();
var dbg = new dbgGlobal.Debugger();
dbg.addDebuggee(this);
function f() {
  var a = arguments;
  a[1];
  dbg.getNewestFrame().eval("a");
}
f();

Running git bisect on my own highlights the following commit:

4b43078ae46c827ff1edc7b9fe55a592d42795af is the first bad commit
commit 4b43078ae46c827ff1edc7b9fe55a592d42795af (https://hg.mozilla.org/mozilla-central/rev/fe70a6c9a374)
Author: Shu-yu Guo <shu@rfrn.org>
Date:   Mon Dec 15 18:21:09 2014 -0800

    Bug 1109964 - Recover missing arguments in DebugScopeProxy when the optimized arguments comes from a non-'arguments' slot. (r=luke)

Which looks more likely to me, as it adds a similar test case to the one above.
Flags: needinfo?(nicolas.b.pierron) → needinfo?(shu)
Assignee
Comment 5•9 years ago
Oops, the assertion was too strict. Ion can emit OPTIMIZED_ARGUMENTS even when the script !needsArgsObj(), such as in IonBuilder.cpp:877.
Attachment #8584902 - Flags: review?(nicolas.b.pierron)
Assignee
Updated•9 years ago
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Comment 6•9 years ago
Comment on attachment 8584902 [details] [diff] [review]
Relax assertion in DebugScopeProxy::isMagicMissingArgumentsValue.

Review of attachment 8584902 [details] [diff] [review]:
-----------------------------------------------------------------

Ok, I am not an expert of this code, but I see that isMagicMissingArgumentsValue is used as a guard before calling CreateMissingArguments, which calls createUnexpected, which I know handles properly the case where Ion does not have an argument object. Also, createUnexpected will cause an invalidation, but it should be handled properly by the LiveScope, if I understand correctly (and I would expect such a failure to have already appeared in fuzz bugs).

Sounds good to me.
Attachment #8584902 - Flags: review?(nicolas.b.pierron) → review+
Backed out for windows bc1 bustage
https://hg.mozilla.org/integration/mozilla-inbound/rev/40f56ea6598a
https://treeherder.mozilla.org/logviewer.html#?job_id=8256219&repo=mozilla-inbound
Flags: needinfo?(shu)
Comment 8•9 years ago
https://hg.mozilla.org/mozilla-central/rev/5d53f0949d96
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Assignee
Updated•9 years ago
Flags: needinfo?(shu)