1143286 - Assertion failure: !enclosing->is<ScopeObject>(), at vm/ScopeObject.cpp

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

// Randomly chosen test: js/src/jit-test/tests/debug/Frame-evalWithBindings-09.js
options('strict_mode')
g = newGlobal()
dbg = Debugger(g)
dbg.onDebuggerStatement = function(frame) {
  frame.evalWithBindings("n", {})
}
dbg.onExceptionUnwind = function(frame) {
  frame.eval("")
}
g.eval("debugger")

asserts js debug shell on m-c changeset 2795a48dfebe with --fuzzing-safe --no-threads --ion-eager at Assertion failure: !enclosing->is<ScopeObject>(), at vm/ScopeObject.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 2795a48dfebe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user:        Shu-yu Guo
date:        Wed Jan 14 22:57:35 2015 -0800
summary:     Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)

Shu-yu, is bug 963879 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

(lldb) bt 5
* thread #1: tid = 0xd4f9, 0x00000001002c60b8 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::DebugScopeObject::create(cx=<unavailable>, scope=<unavailable>, enclosing=<unavailable>) + 808 at ScopeObject.cpp:1739, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001002c60b8 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::DebugScopeObject::create(cx=<unavailable>, scope=<unavailable>, enclosing=<unavailable>) + 808 at ScopeObject.cpp:1739
    frame #1: 0x00000001002cc0b4 js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`GetDebugScope(JSContext*, js::ScopeIter const&) [inlined] GetDebugScopeForScope(si=<unavailable>) + 406 at ScopeObject.cpp:2359
    frame #2: 0x00000001002cbf1e js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`GetDebugScope(cx=0x0000000101f01d30, si=<unavailable>) + 94 at ScopeObject.cpp:2471
    frame #3: 0x00000001002cd03a js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`js::GetDebugScopeForFrame(cx=0x0000000101f01d30, pc=0x0000000104b18349, frame=<unavailable>) + 202 at ScopeObject.cpp:2498
    frame #4: 0x0000000100239d1f js-dbg-64-dm-nsprBuild-darwin-2795a48dfebe`DebuggerGenericEval(cx=0x0000000101f01d30, fullMethodName=<unavailable>, code=<unavailable>, evalWithBindings=EvalWithDefaultBindings, dbg=0x0000000000000002, scope=JS::HandleObject at 0x00007fff5fbf5ad8, iter=0x0000000104b11430, bindings=<unavailable>, options=<unavailable>, vp=<unavailable>) + 2239 at Debugger.cpp:6144
(lldb)

Comment 2

[Shu-yu Guo [:shu]]

Attachment: Fix terminating scope assertion in DebugScopeObject.

Broke with bz's recent changes to get get rid of parent everywhere. See bug
1141905.

Comment 3

[Boris Zbarsky [:bzbarsky]]

We should add a testcase here too, right?

Comment 4

[Shu-yu Guo [:shu]]

(In reply to Not doing reviews right now from comment #3)
> We should add a testcase here too, right?

Yeah, I'll commit the test.

Comment 6

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/e9de10ff67c5