Closed Bug 1145781 Opened 10 years ago Closed 10 years ago

Assertion failure: hasScript(), at js/src/shell/../jsfun.h:322 with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla40
Tracking Status
firefox37 --- unaffected
firefox38 --- wontfix
firefox38.0.5 --- wontfix
firefox39 --- verified
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- wontfix
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: shu)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main39+])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4d2d97b3ba34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

gczeal(2);
var g = newGlobal();
g.eval('function f() { return "from f"; }');
var dbg = new Debugger;
var gw = dbg.makeGlobalObjectReference(g);
var fw = gw.getOwnPropertyDescriptor('f').value;
newGlobal(dbg.g, false);
dbg.addDebuggee(g);
var fenv = fw.environment;

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#0  0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#1  0x000000000046eb4a in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:325
#2  0x00000000006b8c85 in js::GetDebugScopeForFunction (cx=cx@entry=0x1a19ee0, fun=..., fun@entry=...) at js/src/vm/ScopeObject.cpp:2478
#3  0x000000000061e815 in DebuggerObject_getEnvironment (cx=0x1a19ee0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6650
#4  0x0000000000642d92 in js::CallJSNative (cx=0x1a19ee0, native=0x61e600 <DebuggerObject_getEnvironment(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x0000000000631ee3 in js::Invoke (cx=cx@entry=0x1a19ee0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#6  0x00000000006339a3 in js::Invoke (cx=cx@entry=0x1a19ee0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:558
#7  0x00000000006374da in js::InvokeGetterOrSetter (cx=cx@entry=0x1a19ee0, obj=0x7ffff5463160, fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:628
#8  0x000000000069c213 in CallGetter (vp=..., shape=..., receiver=..., cx=0x1a19ee0) at js/src/vm/NativeObject.cpp:1614
#9  GetExistingProperty<(js::AllowGC)1> (cx=0x1a19ee0, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1664
#10 0x000000000069c71a in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x1a19ee0, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1878
#11 0x000000000069cbe0 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1912
#12 0x00000000004c26e0 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1434
#13 0x000000000062580f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x1a19ee0) at js/src/vm/Interpreter.cpp:260
#14 Interpret (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:2417
#15 0x0000000000631c48 in js::RunScript (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:452
#16 0x0000000000638b49 in js::ExecuteKernel (cx=cx@entry=0x1a19ee0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:655
#17 0x000000000063acd0 in js::Execute (cx=cx@entry=0x1a19ee0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:695
#18 0x0000000000a17717 in ExecuteScript (cx=cx@entry=0x1a19ee0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4091
#19 0x0000000000a1784b in JS_ExecuteScript (cx=cx@entry=0x1a19ee0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4113
#20 0x0000000000406887 in RunFile (compileOnly=false, file=0x1a8a5a0, filename=0x7fffffffdf72 "min.js", cx=0x1a19ee0) at js/src/shell/js.cpp:466
#21 Process (cx=cx@entry=0x1a19ee0, filename=0x7fffffffdf72 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#22 0x0000000000453b22 in ProcessArgs (op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:5738
#23 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:6004
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6346

rip            0x4056d8 <JSFunction::nonLazyScript() const+28>
=> 0x4056d8 <JSFunction::nonLazyScript() const+28>: movl   $0x142,0x0
   0x4056e3 <JSFunction::nonLazyScript() const+39>: callq  0x4046a0 <abort@plt>

Marking s-s because gczeal is involved. Might only affect the debugger though.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user: Shu-yu Guo
date: Wed Jan 14 22:57:35 2015 -0800
summary: Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)

This iteration took 192.815 seconds to run.
Needinfo from shu based on comment 1.
Flags: needinfo?(shu)
Assignee: nobody → shu
Flags: needinfo?(shu)
Status: NEW → ASSIGNED
Comment on attachment 8583321 [details] [diff] [review]
Unlazify functions when getting their debug scopes.

Review of attachment 8583321 [details] [diff] [review]:
-----------------------------------------------------------------

Apparently we now re-lazify functions. I can't readily find any changesets in Debugger.cpp that seem like they would address this. Are there any other uses of nonLazyScript that should be changed?
Attachment #8583321 - Flags: review?(jimb) → review+
(In reply to Jim Blandy :jimb from comment #4)
> Comment on attachment 8583321 [details] [diff] [review]
> Unlazify functions when getting their debug scopes.
>
> Review of attachment 8583321 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Apparently we now re-lazify functions. I can't readily find any changesets
> in Debugger.cpp that seem like they would address this. Are there any other
> uses of nonLazyScript that should be changed?

The Debugger disables relazification so long as a compartment->isDebuggee(). Note that this test case didn't addDebuggee until after the GC, and that adding a compartment as a debuggee does not eagerly unlazify (only findScripts does).
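The ordering shu describes, as a constructed C++ model added here (not SpiderMonkey's own code; `Function`, `gcRelazify`, `debugScopeBuggy`, `debugScopeFixed` and `reproduce` are hypothetical names): a GC relazifies a function in a compartment that is not yet a debuggee, addDebuggee does not restore the script, and the environment getter then trips the hasScript() precondition unless it unlazifies first.

```cpp
// Constructed model of bug 1145781 (not SpiderMonkey's code): the GC may
// relazify a function in a non-debuggee compartment, and the Debugger's
// environment getter then hit nonLazyScript()'s hasScript() assertion.
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>
struct Script { std::string source; };
struct Compartment { bool isDebuggee = false; };   // set by dbg.addDebuggee()
struct Function {
    Compartment* comp;
    std::string source;               // retained so the script can be rebuilt
    std::unique_ptr<Script> script;   // null while the function is lazy
    bool hasScript() const { return script != nullptr; }
    // Models JSFunction::nonLazyScript(): asserts hasScript().
    Script* nonLazyScript() const {
        if (!hasScript()) throw std::logic_error("Assertion failure: hasScript()");
        return script.get();
    }
    // Models delazification on demand.
    Script* getOrCreateScript() {
        if (!script) script = std::make_unique<Script>(Script{source});
        return script.get();
    }
};
// GC relazification pass: skipped for debuggee compartments, applied elsewhere.
void gcRelazify(const std::vector<Function*>& funs) {
    for (Function* f : funs)
        if (!f->comp->isDebuggee) f->script.reset();
}
// Before the fix: the debug-scope lookup assumed the script was still there.
std::string debugScopeBuggy(Function* f) { return f->nonLazyScript()->source; }
// After the fix: unlazify the function before reading its script.
std::string debugScopeFixed(Function* f) { return f->getOrCreateScript()->source; }
// Replays the testcase; returns true if fw.environment would succeed.
// debuggeeFirst=false is the reported ordering (GC, then addDebuggee).
bool reproduce(bool fixed, bool debuggeeFirst) {
    Compartment g;
    Function f{&g, "function f() { return \"from f\"; }", nullptr};
    f.getOrCreateScript();                        // g.eval() compiled f
    if (debuggeeFirst) g.isDebuggee = true;
    gcRelazify({&f});                             // gczeal(2) forces a GC
    g.isDebuggee = true;                          // addDebuggee: no eager delazify
    try { (fixed ? debugScopeFixed : debugScopeBuggy)(&f); return true; }
    catch (const std::logic_error&) { return false; }
}
```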
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shu) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
We should probably get this on Fx39 still, no? Not sure about ESR38, though (typically no for sec-moderates).
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Approval Request Comment
[Feature/regressing bug #]: Unsure
[User impact if declined]: Crashes when using JS debugger.
[Describe test coverage new/current, TreeHerder]: On m-c and aurora.
[Risks and why]: Low, no user behavior change; bug fix.
[String/UUID change made/needed]: None.
Flags: needinfo?(shu)
Attachment #8611524 - Flags: approval-mozilla-beta?
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Has tests, been on m-c and m-a a while, fixes regression in 39. Approved for uplift to beta.
Attachment #8611524 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
JSBugMon: This bug has been automatically verified fixed on Fx39
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main39+]
Group: core-security → core-security-release
Group: core-security-release