Closed Bug 1145781 Opened 5 years ago Closed 5 years ago

Assertion failure: hasScript(), at js/src/shell/../jsfun.h:322 with Debugger

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla40
Tracking Status
firefox37 --- unaffected
firefox38 --- wontfix
firefox38.0.5 --- wontfix
firefox39 --- verified
firefox40 --- verified
firefox-esr31 --- unaffected
firefox-esr38 --- wontfix
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main39+])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4d2d97b3ba34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

gczeal(2);
var g = newGlobal();
g.eval('function f() { return "from f"; }');
var dbg = new Debugger;
var gw = dbg.makeGlobalObjectReference(g);
var fw = gw.getOwnPropertyDescriptor('f').value;
newGlobal(dbg.g, false);
dbg.addDebuggee(g);
var fenv = fw.environment;
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#0  0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#1  0x000000000046eb4a in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:325
#2  0x00000000006b8c85 in js::GetDebugScopeForFunction (cx=cx@entry=0x1a19ee0, fun=..., fun@entry=...) at js/src/vm/ScopeObject.cpp:2478
#3  0x000000000061e815 in DebuggerObject_getEnvironment (cx=0x1a19ee0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6650
#4  0x0000000000642d92 in js::CallJSNative (cx=0x1a19ee0, native=0x61e600 <DebuggerObject_getEnvironment(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x0000000000631ee3 in js::Invoke (cx=cx@entry=0x1a19ee0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#6  0x00000000006339a3 in js::Invoke (cx=cx@entry=0x1a19ee0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:558
#7  0x00000000006374da in js::InvokeGetterOrSetter (cx=cx@entry=0x1a19ee0, obj=0x7ffff5463160, fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:628
#8  0x000000000069c213 in CallGetter (vp=..., shape=..., receiver=..., cx=0x1a19ee0) at js/src/vm/NativeObject.cpp:1614
#9  GetExistingProperty<(js::AllowGC)1> (cx=0x1a19ee0, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1664
#10 0x000000000069c71a in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x1a19ee0, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1878
#11 0x000000000069cbe0 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1912
#12 0x00000000004c26e0 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1434
#13 0x000000000062580f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x1a19ee0) at js/src/vm/Interpreter.cpp:260
#14 Interpret (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:2417
#15 0x0000000000631c48 in js::RunScript (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:452
#16 0x0000000000638b49 in js::ExecuteKernel (cx=cx@entry=0x1a19ee0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:655
#17 0x000000000063acd0 in js::Execute (cx=cx@entry=0x1a19ee0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:695
#18 0x0000000000a17717 in ExecuteScript (cx=cx@entry=0x1a19ee0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4091
#19 0x0000000000a1784b in JS_ExecuteScript (cx=cx@entry=0x1a19ee0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4113
#20 0x0000000000406887 in RunFile (compileOnly=false, file=0x1a8a5a0, filename=0x7fffffffdf72 "min.js", cx=0x1a19ee0) at js/src/shell/js.cpp:466
#21 Process (cx=cx@entry=0x1a19ee0, filename=0x7fffffffdf72 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#22 0x0000000000453b22 in ProcessArgs (op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:5738
#23 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:6004
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6346
rip	0x4056d8 <JSFunction::nonLazyScript() const+28>
=> 0x4056d8 <JSFunction::nonLazyScript() const+28>:	movl   $0x142,0x0
   0x4056e3 <JSFunction::nonLazyScript() const+39>:	callq  0x4046a0 <abort@plt>
Marking s-s because gczeal is involved. Might only affect the debugger though.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user:        Shu-yu Guo
date:        Wed Jan 14 22:57:35 2015 -0800
summary:     Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)

This iteration took 192.815 seconds to run.
Needinfo from shu based on comment 1.
Flags: needinfo?(shu)
Assignee: nobody → shu
Flags: needinfo?(shu)
Status: NEW → ASSIGNED
Comment on attachment 8583321 [details] [diff] [review]
Unlazify functions when getting their debug scopes.

Review of attachment 8583321 [details] [diff] [review]:
-----------------------------------------------------------------

Apparently we now re-lazify functions. I can't readily find any changesets in Debugger.cpp that seem like they would address this. Are there any other uses of nonLazyScript that should be changed?
Attachment #8583321 - Flags: review?(jimb) → review+
(In reply to Jim Blandy :jimb from comment #4)
> Comment on attachment 8583321 [details] [diff] [review]
> Unlazify functions when getting their debug scopes.
> 
> Review of attachment 8583321 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Apparently we now re-lazify functions. I can't readily find any changesets
> in Debugger.cpp that seem like they would address this. Are there any other
> uses of nonLazyScript that should be changed?

The Debugger disables relazification so long as a compartment->isDebuggee(). Note that this test case didn't addDebuggee until after the GC, and that adding a compartment as a debuggee does not eagerly unlazify (only findScripts does).
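As an added illustration (not code from this bug or from SpiderMonkey), the following C++ model replays the sequence described in the comment above: eval compiles f, a GC relazifies it while its compartment is not yet a debuggee, and the environment getter then calls an accessor that asserts hasScript(). The Function class, gcMayRelazify and the getOrCreateScript-style unlazify step are simplified stand-ins for the engine's own types and methods.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
// Hypothetical stand-in for JSFunction; only the lazy/non-lazy script state is modelled.
struct Script { std::string source; };

class Function {
    std::string source_;
    std::shared_ptr<Script> script_;  // null while the function is lazy
public:
    explicit Function(std::string src) : source_(std::move(src)) {}
    bool hasScript() const { return script_ != nullptr; }
    // Compile on demand; plays the role of the engine's unlazify step (getOrCreateScript).
    Script* getOrCreateScript() {
        if (!script_) script_ = std::make_shared<Script>(Script{source_});
        return script_.get();
    }
    // Precondition-only accessor, like nonLazyScript(): asserts hasScript() instead of compiling.
    Script* nonLazyScript() const {
        if (!hasScript()) throw std::logic_error("Assertion failure: hasScript()");
        return script_.get();
    }
    // What a GC may do to a compiled function whose compartment is not a debuggee.
    void gcMayRelazify(bool compartmentIsDebuggee) {
        if (!compartmentIsDebuggee) script_.reset();
    }
};

// Before the fix: assumes the script survived every GC since eval compiled it.
Script* getDebugScopeUnchecked(Function& fun) { return fun.nonLazyScript(); }

// After the fix: unlazify first, so a GC between compile and inspection is harmless.
Script* getDebugScopeFixed(Function& fun) {
    fun.getOrCreateScript();
    return fun.nonLazyScript();
}

// Replays the testcase: eval compiles f, the gczeal GC runs before addDebuggee, then fw.environment.
// Returns true when the debug scope lookup succeeds, false when the assertion would have fired.
bool replayTestcase(bool fixed, bool debuggeeBeforeGc = false) {
    Function f("return \"from f\"");
    f.getOrCreateScript();                  // g.eval('function f() { ... }')
    f.gcMayRelazify(debuggeeBeforeGc);      // gczeal(2): the collection happens here
    try {
        Script* s = fixed ? getDebugScopeFixed(f) : getDebugScopeUnchecked(f);
        return s != nullptr;
    } catch (const std::logic_error&) {
        return false;
    }
}
```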
https://hg.mozilla.org/mozilla-central/rev/d682b4e2df86
https://hg.mozilla.org/mozilla-central/rev/2525c3ff6145
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(shu) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
We should probably get this on Fx39 still, no? Not sure about ESR38, though (typically no for sec-moderates).
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Approval Request Comment
[Feature/regressing bug #]: Unsure
[User impact if declined]: Crashes when using JS debugger.
[Describe test coverage new/current, TreeHerder]: On m-c and aurora.
[Risks and why]: Low, no user behavior change; bug fix.
[String/UUID change made/needed]: None.
Flags: needinfo?(shu)
Attachment #8611524 - Flags: approval-mozilla-beta?
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Has tests, been on m-c and m-a a while, fixes regression in 39.
Approved for uplift to beta
Attachment #8611524 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
JSBugMon: This bug has been automatically verified fixed on Fx39
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main39+]
Group: core-security → core-security-release
Group: core-security-release