Closed
Bug 1155466
Opened 9 years ago
Closed 9 years ago
Assertion failure: !(IsAboutToBeFinalized(&staticScope_)), at js/src/vm/ScopeObject.cpp:1175
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED mozilla40

| | Tracking | Status |
|---|---|---|
| firefox40 | --- | fixed |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
4.73 KB, patch | Waldo: review+
The following testcase crashes on mozilla-central revision de27ac2ab94f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var g = newGlobal();
var dbg = Debugger(g);
var log = '';
dbg.onDebuggerStatement = function (frame) {
  log += frame.environment.getVariable("x");
};
g.eval("for (let x = 0; x < 2; x++) debugger;");
gc();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000006a07e3 in js::LiveScopeVal::sweep (this=<optimized out>) at js/src/vm/ScopeObject.cpp:1175
#0 0x00000000006a07e3 in js::LiveScopeVal::sweep (this=<optimized out>) at js/src/vm/ScopeObject.cpp:1175
#1 0x00000000006c06da in js::DebugScopes::sweep (this=<optimized out>, rt=<optimized out>) at js/src/vm/ScopeObject.cpp:1914
#2 0x0000000000ab7388 in sweepDebugScopes (this=<optimized out>) at js/src/jscompartment.cpp:577
#3 js::gc::GCRuntime::beginSweepingZoneGroup (this=this@entry=0x7ffff693c348) at js/src/jsgc.cpp:4876
#4 0x0000000000ad4d01 in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x7ffff693c348, destroyingRuntime=destroyingRuntime@entry=false) at js/src/jsgc.cpp:5050
#5 0x0000000000ae0a9c in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c348, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:5803
#6 0x0000000000ae1966 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c348, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6000
#7 0x0000000000ae1d25 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c348, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6112
#8 0x0000000000ae256e in gc (reason=JS::gcreason::API, gckind=<optimized out>, this=<optimized out>) at js/src/jsgc.cpp:6173
#9 JS::GCForReason (rt=0x7ffff693c000, gckind=<optimized out>, reason=reason@entry=JS::gcreason::API) at js/src/jsgc.cpp:6998
#10 0x000000000051182b in GC (cx=0x7ffff691b4e0, argc=<optimized out>, vp=0x7fffffffc9b8) at js/src/builtin/TestingFunctions.cpp:260
#11 0x0000000000663492 in js::CallJSNative (cx=0x7ffff691b4e0, native=0x511740 <GC(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:235
#12 0x00000000006557b3 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:727
#13 0x0000000000657223 in js::Invoke (cx=cx@entry=0x7ffff691b4e0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x7fffffffcdd8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:783
#14 0x000000000085eaa3 in js::jit::DoCallFallback (cx=0x7ffff691b4e0, frame=0x7fffffffce08, stub_=<optimized out>, argc=0, vp=0x7fffffffcdc8, res=...) at js/src/jit/BaselineIC.cpp:9872
#15 0x00007ffff7feea4f in ?? ()
#16 0xfff9000000000000 in ?? ()
#17 0x00007fffffffcd80 in ?? ()
#18 0xfff9000000000000 in ?? ()
#19 0x00000000019ea640 in js::jit::DoSpreadCallFallbackInfo ()
#20 0x00007ffff5251a30 in ?? ()
#21 0x00007ffff7ff3a74 in ?? ()
#22 0x0000000000000402 in ?? ()
#23 0x00007fffffffce08 in ?? ()
#24 0x00007ffff6993c58 in ?? ()
#25 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffffb790 140737488336784
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffb730 140737488336688
rsp 0x7fffffffb730 140737488336688
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb4f0 140737488336112
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff696d240 140737330467392
r13 0x7fffffffb750 140737488336720
r14 0x7fffffffb780 140737488336768
r15 0x7fffffffb760 140737488336736
rip 0x6a07e3 <js::LiveScopeVal::sweep()+51>

=> 0x6a07e3 <js::LiveScopeVal::sweep()+51>: movl $0x497,0x0
   0x6a07ee <js::LiveScopeVal::sweep()+62>: callq 0x423410 <abort@plt>
Comment 1•9 years ago
Attachment #8593731 - Flags: review?(jwalden+bmo)
Comment 2•9 years ago
Comment on attachment 8593731
Freshened blocks should pop their old blocks in debug scopes.

Review of attachment 8593731:
-----------------------------------------------------------------

This'll need to go on aurora, too -- looks straightforward enough.
Attachment #8593731 - Flags: review?(jwalden+bmo) → review+
Reporter
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 4•9 years ago
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150327091740" and the hash "acbab9e22691".
The "bad" changeset has the timestamp "20150327093739" and the hash "2d59ec36a2e4".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=acbab9e22691&tochange=2d59ec36a2e4
Comment 5•9 years ago
https://hg.mozilla.org/mozilla-central/rev/fd1a9a382e7b
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40