Bug 1145781 - Assertion failure: hasScript(), at js/src/shell/../jsfun.h:322 with Debugger
Closed (opened 10 years ago, closed 10 years ago)
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla40
Tracking | Status
---|---
firefox37 | unaffected
firefox38 | wontfix
firefox38.0.5 | wontfix
firefox39 | verified
firefox40 | verified
firefox-esr31 | unaffected
firefox-esr38 | wontfix
b2g-v2.0 | unaffected
b2g-v2.0M | unaffected
b2g-v2.1 | unaffected
b2g-v2.1S | unaffected
b2g-v2.2 | unaffected
b2g-master | fixed
People
(Reporter: decoder, Assigned: shu)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main39+])
Attachments (2 files)
patch, 1.59 KB; jimb: review+
patch, 3.39 KB; lizzard: approval-mozilla-beta+
The following testcase crashes on mozilla-central revision 4d2d97b3ba34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
gczeal(2);
var g = newGlobal();
g.eval('function f() { return "from f"; }');
var dbg = new Debugger;
var gw = dbg.makeGlobalObjectReference(g);
var fw = gw.getOwnPropertyDescriptor('f').value;
newGlobal(dbg.g, false);
dbg.addDebuggee(g);
var fenv = fw.environment;
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#0 0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#1 0x000000000046eb4a in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:325
#2 0x00000000006b8c85 in js::GetDebugScopeForFunction (cx=cx@entry=0x1a19ee0, fun=..., fun@entry=...) at js/src/vm/ScopeObject.cpp:2478
#3 0x000000000061e815 in DebuggerObject_getEnvironment (cx=0x1a19ee0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6650
#4 0x0000000000642d92 in js::CallJSNative (cx=0x1a19ee0, native=0x61e600 <DebuggerObject_getEnvironment(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5 0x0000000000631ee3 in js::Invoke (cx=cx@entry=0x1a19ee0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#6 0x00000000006339a3 in js::Invoke (cx=cx@entry=0x1a19ee0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:558
#7 0x00000000006374da in js::InvokeGetterOrSetter (cx=cx@entry=0x1a19ee0, obj=0x7ffff5463160, fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:628
#8 0x000000000069c213 in CallGetter (vp=..., shape=..., receiver=..., cx=0x1a19ee0) at js/src/vm/NativeObject.cpp:1614
#9 GetExistingProperty<(js::AllowGC)1> (cx=0x1a19ee0, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1664
#10 0x000000000069c71a in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x1a19ee0, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1878
#11 0x000000000069cbe0 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1912
#12 0x00000000004c26e0 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1434
#13 0x000000000062580f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x1a19ee0) at js/src/vm/Interpreter.cpp:260
#14 Interpret (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:2417
#15 0x0000000000631c48 in js::RunScript (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:452
#16 0x0000000000638b49 in js::ExecuteKernel (cx=cx@entry=0x1a19ee0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:655
#17 0x000000000063acd0 in js::Execute (cx=cx@entry=0x1a19ee0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:695
#18 0x0000000000a17717 in ExecuteScript (cx=cx@entry=0x1a19ee0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4091
#19 0x0000000000a1784b in JS_ExecuteScript (cx=cx@entry=0x1a19ee0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4113
#20 0x0000000000406887 in RunFile (compileOnly=false, file=0x1a8a5a0, filename=0x7fffffffdf72 "min.js", cx=0x1a19ee0) at js/src/shell/js.cpp:466
#21 Process (cx=cx@entry=0x1a19ee0, filename=0x7fffffffdf72 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#22 0x0000000000453b22 in ProcessArgs (op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:5738
#23 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:6004
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6346
rax 0x0 0
rbx 0x1a19ee0 27369184
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffc120 140737488339232
rsp 0x7fffffffc120 140737488339232
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffbee0 140737488338656
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffffc280 140737488339584
r13 0x7fffffffc150 140737488339280
r14 0x19d5380 27087744
r15 0x7fffffffc270 140737488339568
rip 0x4056d8 <JSFunction::nonLazyScript() const+28>
=> 0x4056d8 <JSFunction::nonLazyScript() const+28>: movl $0x142,0x0
0x4056e3 <JSFunction::nonLazyScript() const+39>: callq 0x4046a0 <abort@plt>
Marking s-s because gczeal is involved. Might only affect the debugger though.
Updated • 10 years ago
Keywords: sec-moderate
Updated • 10 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 • 10 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user: Shu-yu Guo
date: Wed Jan 14 22:57:35 2015 -0800
summary: Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)
This iteration took 192.815 seconds to run.
Comment 3 • 10 years ago (Assignee)
Attachment #8583321 - Flags: review?(jimb)
Updated • 10 years ago (Assignee)
Assignee: nobody → shu
Flags: needinfo?(shu)
Updated • 10 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 4 • 10 years ago
Comment on attachment 8583321 [details] [diff] [review]
Unlazify functions when getting their debug scopes.
Review of attachment 8583321 [details] [diff] [review]:
-----------------------------------------------------------------
Apparently we now re-lazify functions. I can't readily find any changesets in Debugger.cpp that seem like they would address this. Are there any other uses of nonLazyScript that should be changed?
Attachment #8583321 - Flags: review?(jimb) → review+
Comment 5 • 10 years ago (Assignee)
(In reply to Jim Blandy :jimb from comment #4)
> Comment on attachment 8583321 [details] [diff] [review]
> Unlazify functions when getting their debug scopes.
>
> Review of attachment 8583321 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Apparently we now re-lazify functions. I can't readily find any changesets
> in Debugger.cpp that seem like they would address this. Are there any other
> uses of nonLazyScript that should be changed?
The Debugger disables relazification so long as a compartment->isDebuggee(). Note that this test case didn't addDebuggee until after the GC, and that adding a compartment as a debuggee does not eagerly unlazify (only findScripts does).
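The ordering dependency described in this comment, as an added example that is not the bug's testcase, the patch, or SpiderMonkey's own code. It only runs in the SpiderMonkey JS shell (it needs the shell-only newGlobal and gc builtins plus the Debugger API) and returns "skipped" under any other engine. It assumes that a full gc() relazifies f the way the report's gczeal(2) did; the helper names (setup, probeEnvironment, reportOrdering, debuggeeBeforeGc, findScriptsAfterGc) are hypothetical. On an unfixed debug shell the report's ordering aborts with the hasScript() assertion rather than returning; the other two orderings are the ones this comment names as safe (addDebuggee before any GC, or findScripts after addDebuggee).

```javascript
// Added example, not from the bug report, the patch, or SpiderMonkey itself.
// Runs only in the SpiderMonkey JS shell (needs newGlobal, gc, Debugger);
// under any other engine every probe below returns "skipped".
const inJsShell = typeof newGlobal === "function" &&
                  typeof gc === "function" &&
                  typeof Debugger === "function";

// Mirror the report's setup: a separate global with one function and a
// Debugger.Object for it, WITHOUT yet making the global a debuggee.
function setup() {
  const g = newGlobal();
  g.eval('function f() { return "from f"; }');
  const dbg = new Debugger;
  const gw = dbg.makeGlobalObjectReference(g);
  const fw = gw.getOwnPropertyDescriptor('f').value;
  return { g, dbg, fw };
}

// Read f's environment through the Debugger.Object and report the outcome.
function probeEnvironment(fw) {
  try {
    return fw.environment !== null ? "environment-ok" : "environment-null";
  } catch (e) {
    return "threw:" + e.name;
  }
}

// Ordering from the report: a GC that may relazify f runs BEFORE addDebuggee.
// addDebuggee does not eagerly unlazify, so f is still lazy when its
// environment is requested. On an unfixed debug shell this aborts with
// "Assertion failure: hasScript()".
function reportOrdering() {
  if (!inJsShell) return "skipped";
  const { g, dbg, fw } = setup();
  gc();                 // assumption: full GC relazifies f, as gczeal(2) did in the report
  dbg.addDebuggee(g);   // too late to prevent relazification
  return probeEnvironment(fw);
}

// Safe ordering 1: make g a debuggee before any GC can run, so
// relazification is disabled for that compartment.
function debuggeeBeforeGc() {
  if (!inJsShell) return "skipped";
  const { g, dbg, fw } = setup();
  dbg.addDebuggee(g);
  gc();
  return probeEnvironment(fw);
}

// Safe ordering 2: GC first, then addDebuggee followed by findScripts(),
// which eagerly unlazifies functions in debuggee compartments.
function findScriptsAfterGc() {
  if (!inJsShell) return "skipped";
  const { g, dbg, fw } = setup();
  gc();
  dbg.addDebuggee(g);
  dbg.findScripts();
  return probeEnvironment(fw);
}

if (inJsShell) {
  print("debuggeeBeforeGc:   " + debuggeeBeforeGc());
  print("findScriptsAfterGc: " + findScriptsAfterGc());
  print("reportOrdering:     " + reportOrdering());  // aborts on an unfixed debug shell
}
```

Run it as `js example.js` in a shell built from an affected revision to reproduce, and from a fixed one to see all three probes return environment-ok; the report's ordering is deliberately probed last because on an unfixed debug build it never returns.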
Backed out for windows bc1 bustage https://hg.mozilla.org/integration/mozilla-inbound/rev/dbb9ef6b8a5c
https://treeherder.mozilla.org/logviewer.html#?job_id=8256219&repo=mozilla-inbound
Flags: needinfo?(shu)
Comment 7 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/d682b4e2df86
https://hg.mozilla.org/mozilla-central/rev/2525c3ff6145
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox40: --- → fixed
Flags: needinfo?(shu) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Updated • 10 years ago (Reporter)
Status: RESOLVED → VERIFIED
Comment 8 • 10 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed.
Updated • 10 years ago
status-firefox37: --- → unaffected
status-firefox38: --- → affected
status-firefox-esr31: --- → unaffected
Comment 9 • 10 years ago
We should probably get this on Fx39 still, no? Not sure about ESR38, though (typically no for sec-moderates).
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → fixed
status-firefox38.0.5: --- → wontfix
status-firefox-esr38: --- → affected
Flags: needinfo?(shu)
Comment 10 • 10 years ago (Assignee)
Comment 11 • 10 years ago (Assignee)
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (
Approval Request Comment
[Feature/regressing bug #]: Unsure
[User impact if declined]: Crashes when using JS debugger.
[Describe test coverage new/current, TreeHerder]: On m-c and aurora.
[Risks and why]: Low, no user behavior change; bug fix.
[String/UUID change made/needed]: None.
Flags: needinfo?(shu)
Attachment #8611524 - Flags: approval-mozilla-beta?
Comment 12 • 10 years ago
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (
Has tests, been on m-c and m-a a while, fixes regression in 39.
Approved for uplift to beta
Attachment #8611524 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 13 • 10 years ago
Flags: in-testsuite? → in-testsuite+
Updated • 9 years ago (Reporter)
Comment 14 • 9 years ago (Reporter)
JSBugMon: This bug has been automatically verified fixed on Fx39
Updated • 9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main39+]
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release