Closed
Bug 1126562
Opened 9 years ago
Closed 9 years ago
Assertion failure: !scope->is<ScopeObject>() || (scope->is<DynamicWithObject>() && !scope->as<DynamicWithObject>().isSyntactic()), at vm/Stack.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
| Tracking | Status | |
|---|---|---|
| firefox38 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
3.72 KB,
text/plain
|
Details | |
|
2.08 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
// jsfunfuzz-generated code
setJitCompilerOption("ion.warmup.trigger", 2)
options('strict_mode');
// Randomly chosen test: js/src/jit-test/tests/debug/Object-evalInGlobal-03.js
x = (new Debugger).addDebuggee(newGlobal());
x.evalInGlobalWithBindings('(function(){})', {}).return.call()
asserts js debug shell on m-c changeset 08e41ea36f6d with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !scope->is<ScopeObject>() || (scope->is<DynamicWithObject>() && !scope->as<DynamicWithObject>().isSyntactic()), at vm/Stack.cpp.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20150114150659" and the hash "30796eecd360".
The "bad" changeset has the timestamp "20150114151730" and the hash "4acf60209a94".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=30796eecd360&tochange=4acf60209a94
Shu-yu, is bug 963879 a likely regressor?Flags: needinfo?(shu)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x5f486, 0x00000001007f3f79 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`AssertDynamicScopeMatchesStaticScope(cx=<unavailable>, script=<unavailable>, scope=<unavailable>) + 1833 at Stack.cpp:174, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x00000001007f3f79 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`AssertDynamicScopeMatchesStaticScope(cx=<unavailable>, script=<unavailable>, scope=<unavailable>) + 1833 at Stack.cpp:174
frame #1: 0x00000001007f34ab js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::InterpreterFrame::prologue(this=0x0000000102007820, cx=0x0000000101e021d0) + 443 at Stack.cpp:213
frame #2: 0x000000010076923d js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`Interpret(cx=0x0000000101e021d0, state=0x00007fff5fbfdc10) + 1053 at Interpreter.cpp:1508
frame #3: 0x0000000100768e05 js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::RunScript(cx=0x0000000101e021d0, state=0x00007fff5fbfdc10) + 341 at Interpreter.cpp:448
frame #4: 0x000000010075826b js-dbg-opt-64-dm-nsprBuild-darwin-08e41ea36f6d`js::Invoke(cx=0x0000000101e021d0, args=CallArgs at 0x00007fff5fbfdc90, construct=<unavailable>) + 539 at Interpreter.cpp:517
(lldb)
|
||
Comment 2•9 years ago
|
||
Oops, I was setting strictness incorrectly. Non-strict static eval scopes do not have a corresponding runtime scope. Since this bug can erroneously mark strict static eval scopes as non-strict, it tripped the assert matching up the static and runtime scope chains.
Attachment #8555610 -
Flags: review?(jimb)
|
|
||
Updated•9 years ago
|
Flags: needinfo?(shu)
|
||
Updated•9 years ago
|
Attachment #8555610 -
Flags: review?(jimb) → review+
|
|
||
Comment 3•9 years ago
|
||
Thanks not too much to the original reviewer...
|
||
Comment 4•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4f298278601a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in
before you can comment on or make changes to this bug.
Description
•