Closed Bug 1193362 Opened 9 years ago Closed 9 years ago

Crash [@ getFixedSlot] with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1191499
Tracking Status
firefox42 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision 0e269a1f1beb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

// Reproducer for the crash below. Read together with the backtrace: the
// debugger-side assignment to h's parameter `d` goes through
// DebugScopeProxy::handleUnaliasedAccess -> ArgumentsObject::setArg ->
// NativeObject::getFixedSlot and faults there (frames #3..#0).
// The register dump shows rdx = 0xfffc2b2b2b2b2b2b at the faulting
// instruction: a tagged value whose payload is a repeated 0x2b fill byte,
// which looks like a poison/fill pattern rather than a live object pointer.
// If so, this is a read through a stale arguments object (memory-unsafe),
// not a plain null dereference — TODO(review): confirm against the engine's
// GC poison patterns. Resolved as a duplicate of bug 1191499.
//
// newGlobal / interruptIf / setInterruptCallback are JS shell test
// built-ins; the report says the shell was run with --fuzzing-safe
// --no-threads.
var g = newGlobal();
// g is deliberately NOT a debuggee yet: it is only attached from inside the
// interrupt callback, while h is already running in that global.
var dbg = new Debugger;
// f only forwards its argument to h.
g.eval("" + function f(d) { h(d); });
g.eval("" + function h(d) {
  var i = 0;
  // Spin while d is truthy. Every iteration evaluates
  // `delete arguments.length`, i.e. touches h's arguments object, and the
  // counter test after `&&` only runs when that delete returns true; an
  // interrupt is requested once the counter reaches 4000.
  while (d)
    interruptIf(delete arguments.length	&& i++ == 4000);
});
setInterruptCallback(function () {
  // Invoked from the shell's interrupt callback (ShellInterruptCallback in
  // the backtrace). Attach to g, take the newest frame (presumably h's,
  // since the interrupt fired from its loop — verify), and assign to the
  // parameter d from the debugger side. That assignment is the
  // Debugger.Frame.prototype.eval -> SetNameOperation -> DebugScopeProxy::set
  // path that ends in ArgumentsObject::setArg / getFixedSlot.
  dbg.addDebuggee(g);
  var frame = dbg.getNewestFrame();
  frame.eval("d = false;");
});
// Kick everything off inside g: f(true) -> h(true), looping until the
// interrupt fires.
g.eval("(" + function () { f(true);} + ")();");



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
getFixedSlot (slot=1, this=0x7ffff5400460) at js/src/vm/NativeObject.h:858
#0  getFixedSlot (slot=1, this=0x7ffff5400460) at js/src/vm/NativeObject.h:858
#1  data (this=0x7ffff5400460) at js/src/vm/ArgumentsObject.h:136
#2  setArg (v=..., i=0, this=0x7ffff5400460) at js/src/vm/ArgumentsObject.h:241
#3  (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6907000, debugScope=..., debugScope@entry=..., scope=..., scope@entry=..., id=..., id@entry=..., action=action@entry=(anonymous namespace)::DebugScopeProxy::SET, vp=..., vp@entry=..., accessResult=accessResult@entry=0x7fffffff8f20, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1303
#4  0x0000000000742272 in (anonymous namespace)::DebugScopeProxy::set (this=<optimized out>, cx=0x7ffff6907000, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/vm/ScopeObject.cpp:1628
#5  0x0000000000bee01c in js::Proxy::set (cx=0x7ffff6907000, proxy=..., id=..., v=..., receiver=..., result=...) at js/src/proxy/Proxy.cpp:326
#6  0x0000000000b44574 in JSObject::nonNativeSetProperty (cx=cx@entry=0x7ffff6907000, obj=..., id=..., v=..., receiver=..., result=...) at js/src/jsobj.cpp:1050
#7  0x0000000000702288 in js::SetProperty (cx=cx@entry=0x7ffff6907000, obj=..., obj@entry=..., id=..., id@entry=..., v=..., receiver=..., receiver@entry=..., result=...) at js/src/vm/NativeObject.h:1433
#8  0x0000000000702954 in js::SetNameOperation (cx=cx@entry=0x7ffff6907000, script=<optimized out>, pc=<optimized out>, scope=scope@entry=..., val=...) at js/src/vm/Interpreter-inl.h:296
#9  0x00000000006a9f2b in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:2823
#10 0x00000000006b754b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:714
#11 0x00000000006caad9 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907000, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffff9ba0) at js/src/vm/Interpreter.cpp:955
#12 0x00000000006cc058 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., thisv=..., env=..., cx=0x7ffff6907000, chars=...) at js/src/vm/Debugger.cpp:6418
#13 DebuggerGenericEval (cx=cx@entry=0x7ffff6907000, fullMethodName=fullMethodName@entry=0xe0b136 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff695b800, scope=..., scope@entry=..., iter=iter@entry=0x7fffffff9f28) at js/src/vm/Debugger.cpp:6571
#14 0x00000000006ccc92 in DebuggerFrame_eval (cx=0x7ffff6907000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6585
#15 0x00000000006d0b92 in js::CallJSNative (cx=0x7ffff6907000, native=0x6cca00 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x00000000006b7c32 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773
#17 0x00000000006aa8ca in Interpret (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:3035
#18 0x00000000006b754b in js::RunScript (cx=cx@entry=0x7ffff6907000, state=...) at js/src/vm/Interpreter.cpp:714
#19 0x00000000006b7d44 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:791
#20 0x00000000006b8b79 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=0, argv=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828
#21 0x0000000000ac870b in JS_CallFunctionValue (cx=cx@entry=0x7ffff6907000, obj=obj@entry=..., fval=..., fval@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4612
#22 0x0000000000486843 in ShellInterruptCallback (cx=0x7ffff6907000) at js/src/shell/js.cpp:378
#23 0x0000000000717876 in InvokeInterruptCallback (cx=0x7ffff6907000) at js/src/vm/Runtime.cpp:553
#24 0x00007ffff7fedb49 in ?? ()
[...]
#51 0x00007fffffffb9f0 in ?? ()
#52 0x00000000008598ad in EnterBaseline (cx=0x0, cx@entry=<error reading variable: Cannot access memory at address 0xfff9000000000008>, data=...) at js/src/jit/BaselineJIT.cpp:125
rax	0x7ffff5400460	140737308001376
rbx	0x7ffff6907000	140737330049024
rcx	0xffffffff	4294967295
rdx	0xfffc2b2b2b2b2b2b	-1078435499005141
rsi	0x0	0
rdi	0x7fffffff8e40	140737488326208
rbp	0x7fffffff8ee0	140737488326368
rsp	0x7fffffff8e10	140737488326160
r8	0x9	9
r9	0x48cc1646	1221334598
r10	0x7ffff6991c00	140737330617344
r11	0x1ae6c50	28208208
r12	0x0	0
r13	0x7fffffff8e90	140737488326288
r14	0x7fffffff8e40	140737488326208
r15	0x0	0
rip	0x741850 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+880>
=> 0x741850 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+880>:	cmpl   $0xfffffff,0x10(%rdx)
   0x741857 <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+887>:	jbe    0x741fae <(anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess(JSContext*, JS::Handle<js::DebugScopeObject*>, JS::Handle<js::ScopeObject*>, JS::HandleId, (anonymous namespace)::DebugScopeProxy::Action, JS::MutableHandleValue, (anonymous namespace)::DebugScopeProxy::AccessResult*)+2766>
Debug and Scope, looks like a pretty solid candidate for shu?
Flags: needinfo?(shu)
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(shu)
Resolution: --- → DUPLICATE