Assertion failure: index >= size_t(parser.stackDepthAtPC(current)), at js/src/jsopcode.cpp:1745

RESOLVED FIXED in Firefox 40



4 years ago
4 years ago


(Reporter: decoder, Unassigned)


(Blocks: 1 bug, {assertion, regression, testcase})

assertion, regression, testcase

Firefox Tracking Flags

(firefox39 affected, firefox40 fixed)


(Whiteboard: [jsbugmon:update])


(1 attachment)



4 years ago
The following testcase crashes on mozilla-central revision 37d3dcbf23a9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

var g = newGlobal();
g.debuggeeGlobal = this;
g.eval("(" + function () {
        dbg = new Debugger(debuggeeGlobal);
        dbg.onExceptionUnwind = Map;
} + ")();");
throw new Error("oops");


Program received signal SIGSEGV, Segmentation fault.
0x0000000000b029f2 in FindStartPC (valuepc=<synthetic pointer>, v=..., skipStackHits=0, spindex=<optimized out>, iter=..., cx=0x7ffff691b4e0) at js/src/jsopcode.cpp:1745
#0  0x0000000000b029f2 in FindStartPC (valuepc=<synthetic pointer>, v=..., skipStackHits=0, spindex=<optimized out>, iter=..., cx=0x7ffff691b4e0) at js/src/jsopcode.cpp:1745
#1  DecompileExpressionFromStack (cx=cx@entry=0x7ffff691b4e0, spindex=spindex@entry=1, skipStackHits=skipStackHits@entry=0, v=..., v@entry=..., res=res@entry=0x7fffffffb590) at js/src/jsopcode.cpp:1808
#2  0x0000000000b02a5c in js::DecompileValueGenerator (cx=cx@entry=0x7ffff691b4e0, spindex=spindex@entry=1, v=..., v@entry=..., fallbackArg=..., skipStackHits=skipStackHits@entry=0) at js/src/jsopcode.cpp:1831
#3  0x0000000000672284 in JS::ForOfIterator::init (this=this@entry=0x7fffffffb970, iterable=iterable@entry=..., nonIterableBehavior=nonIterableBehavior@entry=JS::ForOfIterator::ThrowOnNonIterable) at js/src/vm/ForOfIterator.cpp:75
#4  0x00000000005747ab in js::MapObject::construct (cx=0x7ffff691b4e0, argc=2, vp=0x7fffffffc3c8) at js/src/builtin/MapObject.cpp:1251
#5  0x0000000000682902 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x574410 <js::MapObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#6  0x00000000006719d3 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#7  0x0000000000673493 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffffc550, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:558
#8  0x0000000000674a54 in js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff695c800, cx=cx@entry=0x7ffff691b4e0, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1275
#9  0x0000000000663a13 in js::Debugger::dispatchHook (cx=cx@entry=0x7ffff691b4e0, vp=..., vp@entry=..., which=which@entry=js::Debugger::OnExceptionUnwind, payload=...) at js/src/vm/Debugger.cpp:1397
#10 0x0000000000663d1e in js::Debugger::slowPathOnExceptionUnwind (cx=cx@entry=0x7ffff691b4e0, frame=...) at js/src/vm/Debugger.cpp:730
#11 0x000000000066636b in onExceptionUnwind (frame=..., cx=0x7ffff691b4e0) at js/src/vm/Debugger-inl.h:58
#12 HandleError (regs=..., cx=0x7ffff691b4e0) at js/src/vm/Interpreter.cpp:1110
#13 Interpret (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:3637
#14 0x0000000000671738 in js::RunScript (cx=cx@entry=0x7ffff691b4e0, state=...) at js/src/vm/Interpreter.cpp:452
#15 0x0000000000678746 in js::ExecuteKernel (cx=cx@entry=0x7ffff691b4e0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:660
#16 0x000000000067a810 in js::Execute (cx=cx@entry=0x7ffff691b4e0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:703
#17 0x0000000000a5a07e in ExecuteScript (cx=cx@entry=0x7ffff691b4e0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4101
#18 0x0000000000a5a1fb in JS_ExecuteScript (cx=cx@entry=0x7ffff691b4e0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4123
#19 0x00000000004252db in RunFile (compileOnly=false, file=0x7ffff6990400, filename=0x7fffffffdf78 "min.js", cx=0x7ffff691b4e0) at js/src/shell/js.cpp:466
#20 Process (cx=cx@entry=0x7ffff691b4e0, filename=0x7fffffffdf78 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#21 0x0000000000472b62 in ProcessArgs (op=0x7fffffffda00, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:5754
#22 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x7ffff691b4e0) at js/src/shell/js.cpp:6020
#23 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6362
rax	0x0	0
rbx	0x7ffff691b4e0	140737330132192
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb580	140737488336256
rsp	0x7fffffffacb0	140737488334000
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffaa70	140737488333424
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffae10	140737488334352
r13	0x1	1
r14	0x7fffffffb590	140737488336272
r15	0x0	0
rip	0xb029f2 <DecompileExpressionFromStack(JSContext*, int, int, JS::HandleValue, char**)+2066>
=> 0xb029f2 <DecompileExpressionFromStack(JSContext*, int, int, JS::HandleValue, char**)+2066>:	movl   $0x6d1,0x0
   0xb029fd <DecompileExpressionFromStack(JSContext*, int, int, JS::HandleValue, char**)+2077>:	callq  0x423010 <abort@plt>


4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Nicolas B. Pierron
date:        Thu Jul 24 04:30:50 2014 -0700
summary:     Bug 1039607 - Scalar Replacement support dynamic slots. r=h4writer

This iteration took 2.890 seconds to run.
Flags: needinfo?(nicolas.b.pierron)
To be honest, I do not yet see how Scalar Replacement would play here, as all type seen in the test cases are builtins.
I can reproduce this issue with  --no-ion --no-baseline
Running git bisect on my own highlight:

* cb89c616 - Bug 716647 - Part 6 1/2: Add shell function to deterministically request interrupt. (r=jimb) <Shu-yu Guo>
* 7cec2c2 - Bug 716647 - Part 6: Tests. (r=jimb) <Shu-yu Guo>
* Bug 716647 - Part 5 1/2: Support rematerialized frames in DebugScopes::updateLiveScope. (r=jimb) <Shu-yu Guo>
* Bug 716647 - Part 5: Relax the no on-stack scripts restriction for addDebuggee. (r=jimb) <Shu-yu Guo>
* Bug 986767 - Fix adjusting stepModeCount when removing a debuggee global from inside the onStep handler. (r=jimb) <Shu-yu Guo>
* Bug 716647 - Part 4: Recompile on-stack baseline scripts when toggling debug mode. (r=jandem) <Shu-yu Guo>
* Bug 716647 - Part 3: Support rematerializing Ion frames on the stack. (r=jandem) <Shu-yu Guo>
* Bug 716647 - Part 2: Bailout in place instead of directly to catch on Ion exception when Debugger is on. (r=jandem) <Shu-yu Guo>
* Bug 716647 - Part 1: Introduce JS_OPTIMIZED_OUT magic for optimized out slots and teach Debugger about them. (r=jandem) <Shu-yu Guo>

Shu, maybe you might have a better idea of what is going on?
Flags: needinfo?(nicolas.b.pierron) → needinfo?(shu)

Comment 4

4 years ago
Created attachment 8592482 [details] [diff] [review]
The expression decompiler can't make the assumption that it's called directly from script.
Attachment #8592482 - Flags: review?(bhackett1024)


4 years ago
Flags: needinfo?(shu)
Attachment #8592482 - Flags: review?(bhackett1024) → review+
Last Resolved: 4 years ago
status-firefox40: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
You need to log in before you can comment on or make changes to this bug.