Closed
Bug 1193362
Opened 9 years ago
Closed 9 years ago
Crash [@ getFixedSlot] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1191499
Tracking | Status | |
---|---|---|
firefox42 | --- | affected |
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Crash Data
The following testcase crashes on mozilla-central revision 0e269a1f1beb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads): var g = newGlobal(); var dbg = new Debugger; g.eval("" + function f(d) { h(d); }); g.eval("" + function h(d) { var i = 0; while (d) interruptIf(delete arguments.length && i++ == 4000); }); setInterruptCallback(function () { dbg.addDebuggee(g); var frame = dbg.getNewestFrame(); frame.eval("d = false;"); }); g.eval("(" + function () { f(true);} + ")();"); Backtrace: Program received signal SIGSEGV, Segmentation fault. getFixedSlot (slot=1, this=0x7ffff5400460) at js/src/vm/NativeObject.h:858 #0 getFixedSlot (slot=1, this=0x7ffff5400460) at js/src/vm/NativeObject.h:858 #1 data (this=0x7ffff5400460) at js/src/vm/ArgumentsObject.h:136 #2 setArg (v=..., i=0, this=0x7ffff5400460) at js/src/vm/ArgumentsObject.h:241 #3 (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6907000, debugScope=..., debugScope@entry=..., scope=..., scope@entry=..., id=..., id@entry=..., action=action@entry=(anonymous namespace)::DebugScopeProxy::SET, vp=..., vp@entry=..., accessResult=accessResult@entry=0x7fffffff8f20, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1303 #4 0x0000000000742272 in (anonymous namespace)::DebugScopeProxy::set (this=<optimized out>, cx=0x7ffff6907000, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:1628 #5 0x0000000000bee01c in js::Proxy::set (cx=0x7ffff6907000, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/proxy/Proxy.cpp:326 #6 0x0000000000b44574 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907000, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1050 #7 0x0000000000702288 in js::SetProperty (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=..., id@entry=..., v=..., receiver=..., receiver@entry=..., result=...) 
at js/src/vm/NativeObject.h:1433 #8 0x0000000000702954 in js::SetNameOperation (cx=cx@entry=0x7ffff6907000, script=<optimized out>, pc=<optimized out>, scope=scope@entry=..., val=...) at js/src/vm/Interpreter-inl.h:296 #9 0x00000000006a9f2b in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2823 #10 0x00000000006b754b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:714 #11 0x00000000006caad9 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffff9ba0) at js/src/vm/Interpreter.cpp:955 #12 0x00000000006cc058 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., thisv=..., env=..., cx=0x7ffff6907000, chars=...) at js/src/vm/Debugger.cpp:6418 #13 DebuggerGenericEval (cx=cx@entry=0x7ffff6907000, fullMethodName=fullMethodName@entry=0xe0b136 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff695b800, scope=..., scope@entry=..., iter=iter@entry=0x7fffffff9f28) at js/src/vm/Debugger.cpp:6571 #14 0x00000000006ccc92 in DebuggerFrame_eval (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6585 #15 0x00000000006d0b92 in js::CallJSNative (cx=0x7ffff6907000, native=0x6cca00 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #16 0x00000000006b7c32 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773 #17 0x00000000006aa8ca in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3035 #18 0x00000000006b754b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) 
at js/src/vm/Interpreter.cpp:714 #19 0x00000000006b7d44 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791 #20 0x00000000006b8b79 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828 #21 0x0000000000ac870b in JS_CallFunctionValue (cx=cx@entry=0x7ffff6907000, obj=obj@entry=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4612 #22 0x0000000000486843 in ShellInterruptCallback (cx=0x7ffff6907000) at js/src/shell/js.cpp:378 #23 0x0000000000717876 in InvokeInterruptCallback (cx=0x7ffff6907000) at js/src/vm/Runtime.cpp:553 #24 0x00007ffff7fedb49 in ?? () [...] #51 0x00007fffffffb9f0 in ?? () #52 0x00000000008598ad in EnterBaseline (cx=0x0, cx@entry=<error reading variable: Cannot access memory at address 0xfff9000000000008>, data=...) at js/src/jit/BaselineJIT.cpp:125 rax 0x7ffff5400460 140737308001376 rbx 0x7ffff6907000 140737330049024 rcx 0xffffffff 4294967295 rdx 0xfffc2b2b2b2b2b2b -1078435499005141 rsi 0x0 0 rdi 0x7fffffff8e40 140737488326208 rbp 0x7fffffff8ee0 140737488326368 rsp 0x7fffffff8e10 140737488326160 r8 0x9 9 r9 0x48cc1646 1221334598 r10 0x7ffff6991c00 140737330617344 r11 0x1ae6c50 28208208 r12 0x0 0 r13 0x7fffffff8e90 140737488326288 r14 0x7fffffff8e40 140737488326208 r15 0x0 0 rip 0x741850 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+880> => 0x741850 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous 
namespace)::DebugScopeProxy::AccessResult*)+880>: cmpl $0xfffffff,0x10(%rdx) 0x741857 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+887>: jbe 0x741fae <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+2766>
Comment 1•9 years ago
Debugger and scope-object code — looks like a pretty solid candidate for shu?
Flags: needinfo?(shu)
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE