Closed
Bug 1223007
Opened 9 years ago
Closed 9 years ago
Assertion failure: CheckVarNameConflict(cx, lexicalScope, dn), at js/src/vm/Interpreter-inl.h:532
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla45
| Tracking | Status
---|---|---
firefox45 | --- | fixed
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
13.45 KB, patch (efaust: review+)
The following testcase crashes on mozilla-central revision e2a910c048dc (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --no-threads):

evalInFrame = function(global) {
  dbgGlobal = newGlobal()
  dbg = new dbgGlobal.Debugger
  return function(upCount, code) {
    dbg.addDebuggee(global)
    dbg.getNewestFrame().older
      .older
      .eval(code)
  }
}(this);
let x;
function callee() evalInFrame(1, "var x = 'success'");
callee();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009f3f8a in js::DefVarOperation (cx=cx@entry=0x7ffff6907400, varobj=varobj@entry=..., dn=dn@entry=..., attrs=attrs@entry=1) at js/src/vm/Interpreter-inl.h:532
#0 0x00000000009f3f8a in js::DefVarOperation (cx=cx@entry=0x7ffff6907400, varobj=varobj@entry=..., dn=dn@entry=..., attrs=attrs@entry=1) at js/src/vm/Interpreter-inl.h:532
#1 0x00000000009e525f in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3248
#2 0x00000000009ed787 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:430
#3 0x00000000009efd3c in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffffbf00) at js/src/vm/Interpreter.cpp:703
#4 0x00000000009a6ac0 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., thisv=..., env=..., cx=0x7ffff6907400, chars=...) at js/src/vm/Debugger.cpp:6671
#5 DebuggerGenericEval (cx=cx@entry=0x7ffff6907400, fullMethodName=fullMethodName@entry=0xe696fc "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694e000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffc288) at js/src/vm/Debugger.cpp:6822
#6 0x00000000009a7f12 in DebuggerFrame_eval (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6836
#7 0x00000000009f1152 in js::CallJSNative (cx=0x7ffff6907400, native=0x9a7ca0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8 0x00000000009eda00 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#9 0x00000000009eee55 in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff52471d8, rval=...) at js/src/vm/Interpreter.cpp:542
#10 0x000000000095a927 in js::DirectProxyHandler::call (this=this@entry=0x1be5f80 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907400, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#11 0x000000000094f9b2 in js::CrossCompartmentWrapper::call (this=0x1be5f80 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907400, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#12 0x0000000000959da2 in js::Proxy::call (cx=0x7ffff6907400, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#13 0x0000000000959e72 in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:710
#14 0x00000000009f1152 in js::CallJSNative (cx=0x7ffff6907400, native=0x959dc0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x00000000009edc70 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477
#16 0x00000000009df983 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2798
#17 0x00000000009ed787 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:430
#18 0x00000000009efd3c in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:703
#19 0x00000000009f0200 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:742
#20 0x000000000084663e in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4389
#21 0x00000000008467d3 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4422
#22 0x0000000000428b3f in RunFile (compileOnly=false, file=0x7ffff52e6000, filename=0x7fffffffe058 "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:510
#23 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe058 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:629
#24 0x0000000000485fda in ProcessArgs (op=0x7fffffffdb00, cx=0x7ffff6907400) at js/src/shell/js.cpp:6017
#25 Shell (envp=<optimized out>, op=0x7fffffffdb00, cx=0x7ffff6907400) at js/src/shell/js.cpp:6320
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6677

rip 0x9f3f8a <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+602>
=> 0x9f3f8a <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+602>: movl $0x214,0x0
0x9f3f95 <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+613>: callq 0x4a6ce0 <abort()>
Comment 1•9 years ago
Also refactors the redecl checks out of Interpreter-inl, since, in retrospect, they do not need to be inline and are probably not hot.
Attachment #8685178 -
Flags: review?(efaustbmo)
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2•9 years ago
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ac0aa2c21379
user: Shu-yu Guo
date: Tue Oct 06 14:00:30 2015 -0700
summary: Bug 589199 - Implement all-or-nothing redeclaration checks for global and eval scripts. (r=efaust)

This iteration took 239.343 seconds to run.
Comment 3•9 years ago
Comment on attachment 8685178 [details] [diff] [review]
Fix eval redeclaration check for Debugger.Frame.eval.

Review of attachment 8685178 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/ScopeObject.cpp
@@ +3041,5 @@
> + scope = &obj->as<ScopeT>();
> + else if (obj->is<DebugScopeObject>() && obj->as<DebugScopeObject>().scope().is<ScopeT>())
> + scope = &obj->as<DebugScopeObject>().scope().as<ScopeT>();
> + else
> + return true;

this seems weird. Isn't this like a hangin' offense? Or do we just not know what kind of scope object it is at all?
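Review bot: the final `else return true;` in the ScopeObject.cpp +3041 hunk reports "no conflict" for any object that is neither a ScopeT nor a DebugScopeObject wrapping a ScopeT, and nothing at the site records why that is safe. A one-line comment, or an assertion naming the scope kinds that can legitimately reach this branch, would make the invariant explicit rather than leaving the next reader to ask the same question.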
Attachment #8685178 -
Flags: review?(efaustbmo) → review+
Comment 4•9 years ago
(In reply to Eric Faust [:efaust] from comment #3)
> Comment on attachment 8685178 [details] [diff] [review]
> Fix eval redeclaration check for Debugger.Frame.eval.
>
> Review of attachment 8685178 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: js/src/vm/ScopeObject.cpp
> @@ +3041,5 @@
> > + scope = &obj->as<ScopeT>();
> > + else if (obj->is<DebugScopeObject>() && obj->as<DebugScopeObject>().scope().is<ScopeT>())
> > + scope = &obj->as<DebugScopeObject>().scope().as<ScopeT>();
> > + else
> > + return true;
>
> this seems weird. Isn't this like a hangin' offense? Or do we just not know
> what kind of scope object it is at all?

Non-ClonedBlockObject and CallObject scopes cannot contain lexical bindings, so there's no way they would conflict.
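The rule the assertion in this bug guards, as an added example that is not code from the bug or the patch: sloppy direct eval may hoist a `var` only if no lexical binding of the same name sits between the eval site and the eval's variable environment. It uses plain `eval` rather than `Debugger.Frame.prototype.eval` (which only exists in the SpiderMonkey shell) and goes beyond the testcase by also covering block-scoped `let` and strict eval code.

```javascript
// Added example (not from the bug or the fix): the ECMAScript redeclaration
// rule that SpiderMonkey's CheckVarNameConflict enforces for sloppy direct
// eval. A `var` hoisted out of eval code is a SyntaxError when a lexical
// binding of the same name lives in any environment between the eval site
// and the eval's variable environment; lexical bindings *outside* that
// variable environment (the shape of this bug's testcase) never conflict.
//
// The bodies are built with `Function` so they are sloppy-mode even if this
// file is loaded as a strict ES module: a direct eval in strict code is
// itself strict, gets its own var scope, and never reaches the check.

// Case 1: `let x` in the same function as the eval -> conflict.
const letInSameFunction = new Function(`
  let x = 'lexical';
  try { return eval("var x = 'hoisted'; x"); }
  catch (e) { return e.name; }            // 'SyntaxError'
`);

// Case 2: `let x` in an enclosing block is still between the eval and its
// var scope, so it is still a conflict.
const letInEnclosingBlock = new Function(`
  {
    let x = 'block';
    try { return eval("var x = 'hoisted'; x"); }
    catch (e) { return e.name; }          // 'SyntaxError'
  }
`);

// Case 3: the testcase's shape. `let x` belongs to the caller; the eval runs
// inside callee, whose own variable environment is where `var x` lands. The
// check stops at that environment, so both bindings coexist.
const letInEnclosingFunction = new Function(`
  let x = 'outer lexical';
  function callee() {
    try { return eval("var x = 'success'; x"); }
    catch (e) { return e.name; }
  }
  return callee() + '/' + x;              // 'success/outer lexical'
`);

// Case 4: strict eval code declares its var in a fresh scope, so the
// redeclaration check is skipped entirely and the outer `let` is untouched.
const strictEvalNeverConflicts = new Function(`
  let x = 'lexical';
  try { return eval("'use strict'; var x = 'own scope'; x") + '/' + x; }
  catch (e) { return e.name; }            // 'own scope/lexical'
`);
```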
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision faf815a0fa9b).
Comment 7•9 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/96e37b2953d3
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45