Closed Bug 1223007 Opened 9 years ago Closed 9 years ago

Assertion failure: CheckVarNameConflict(cx, lexicalScope, dn), at js/src/vm/Interpreter-inl.h:532

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla45
Tracking Status
firefox45 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision e2a910c048dc (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --no-threads):

evalInFrame = function(global) {
   dbgGlobal = newGlobal()
   dbg = new dbgGlobal.Debugger
   return function(upCount, code) {
       dbg.addDebuggee(global)
       dbg.getNewestFrame().older
           .older
           .eval(code)
   }
}(this);
let x;
function callee() evalInFrame(1, "var x = 'success'");
callee();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009f3f8a in js::DefVarOperation (cx=cx@entry=0x7ffff6907400, varobj=varobj@entry=..., dn=dn@entry=..., attrs=attrs@entry=1) at js/src/vm/Interpreter-inl.h:532
#0  0x00000000009f3f8a in js::DefVarOperation (cx=cx@entry=0x7ffff6907400, varobj=varobj@entry=..., dn=dn@entry=..., attrs=attrs@entry=1) at js/src/vm/Interpreter-inl.h:532
#1  0x00000000009e525f in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3248
#2  0x00000000009ed787 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:430
#3  0x00000000009efd3c in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffffbf00) at js/src/vm/Interpreter.cpp:703
#4  0x00000000009a6ac0 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., thisv=..., env=..., cx=0x7ffff6907400, chars=...) at js/src/vm/Debugger.cpp:6671
#5  DebuggerGenericEval (cx=cx@entry=0x7ffff6907400, fullMethodName=fullMethodName@entry=0xe696fc "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694e000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffc288) at js/src/vm/Debugger.cpp:6822
#6  0x00000000009a7f12 in DebuggerFrame_eval (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6836
#7  0x00000000009f1152 in js::CallJSNative (cx=0x7ffff6907400, native=0x9a7ca0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#8  0x00000000009eda00 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#9  0x00000000009eee55 in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff52471d8, rval=...) at js/src/vm/Interpreter.cpp:542
#10 0x000000000095a927 in js::DirectProxyHandler::call (this=this@entry=0x1be5f80 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907400, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#11 0x000000000094f9b2 in js::CrossCompartmentWrapper::call (this=0x1be5f80 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907400, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#12 0x0000000000959da2 in js::Proxy::call (cx=0x7ffff6907400, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#13 0x0000000000959e72 in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:710
#14 0x00000000009f1152 in js::CallJSNative (cx=0x7ffff6907400, native=0x959dc0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#15 0x00000000009edc70 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477
#16 0x00000000009df983 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2798
#17 0x00000000009ed787 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:430
#18 0x00000000009efd3c in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:703
#19 0x00000000009f0200 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:742
#20 0x000000000084663e in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4389
#21 0x00000000008467d3 in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4422
#22 0x0000000000428b3f in RunFile (compileOnly=false, file=0x7ffff52e6000, filename=0x7fffffffe058 "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:510
#23 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe058 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:629
#24 0x0000000000485fda in ProcessArgs (op=0x7fffffffdb00, cx=0x7ffff6907400) at js/src/shell/js.cpp:6017
#25 Shell (envp=<optimized out>, op=0x7fffffffdb00, cx=0x7ffff6907400) at js/src/shell/js.cpp:6320
#26 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6677
rax	0x0	0
rbx	0x7ffff6907400	140737330050048
rcx	0x7ffff6ca53b0	140737333842864
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffb5d0	140737488336336
rsp	0x7fffffffb510	140737488336144
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffb2d0	140737488335568
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffb840	140737488336960
r13	0x7fffffffb580	140737488336256
r14	0x7ffff7e61070	140737352437872
r15	0x7fffffffb8e0	140737488337120
rip	0x9f3f8a <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+602>
=> 0x9f3f8a <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+602>:	movl   $0x214,0x0
   0x9f3f95 <js::DefVarOperation(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, unsigned int)+613>:	callq  0x4a6ce0 <abort()>
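The rule the testcase trips over, as an added example that is not part of the bug report or of the patch: sloppy eval code hoists every `var` to the nearest function or global var scope, and EvalDeclarationInstantiation requires a SyntaxError, before any binding is created, if a lexical binding (let/const/class) of that name sits anywhere between the eval and that scope. That is the check `CheckVarNameConflict` asserts on, and the testcase is exactly that shape: a global `let x` and a debugger-driven eval of `var x` in the global frame. Debugger.Frame is a privileged SpiderMonkey API that ordinary script cannot reach, and module code cannot create a global lexical binding, so the shape is reproduced one scope down, inside a sloppy function; the probe and every name in it are constructed for this example.

```javascript
// Added example, not code from the bug or the patch. `new Function` bodies are
// sloppy whatever mode this file runs in, so the eval inside really is sloppy
// direct eval whose `var` declarations hoist into the probe function.
const probe = new Function('code', `
  let x = 'lexical';            // lexical binding in the eval's var scope
  {
    let y = 'block lexical';    // lexical binding between the eval and that scope
    try {
      eval(code);               // direct eval: its vars hoist to this function
      return { threw: false, x: x, y: y, z: typeof z };
    } catch (e) {
      return { threw: true, error: e.constructor.name, x: x, y: y, z: typeof z };
    }
  }
`);

// Run each shape of declaration through the probe and collect the outcomes.
function redeclarationOutcomes() {
  return {
    // `var x` conflicts with the function-level `let x` (the testcase's shape
    // moved one scope down): SyntaxError, and `x` keeps its value.
    sameScopeLet: probe("var x = 'success';"),
    // `var y` conflicts with the enclosing block's `let y`: the walk from the
    // eval up to the var scope checks intermediate lexical scopes too.
    enclosingBlockLet: probe("var y = 'success';"),
    // `var z` conflicts with nothing and hoists into the probe function, so the
    // `typeof z` evaluated by the probe body itself now sees a string.
    freshName: probe("var z = 'hoisted';"),
    // A plain assignment declares nothing, so writing to the existing `let x`
    // is not a redeclaration and succeeds.
    assignmentOnly: probe("x = 'reassigned';"),
  };
}

// Stand-alone run: prints the four outcomes.
console.log(JSON.stringify(redeclarationOutcomes(), null, 2));
```

The interesting comparison is `sameScopeLet` against `assignmentOnly`: both touch `x`, but only the one that would introduce a second binding is rejected, which is what "redeclaration check" means here and what the assertion in `js::DefVarOperation` was enforcing when the frame was reached through the Debugger.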
Also refactors the redecl checks out of Interpreter-inl, since, in
retrospect, they do not need to be inline and are probably not hot.
Attachment #8685178 - Flags: review?(efaustbmo)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ac0aa2c21379
user:        Shu-yu Guo
date:        Tue Oct 06 14:00:30 2015 -0700
summary:     Bug 589199 - Implement all-or-nothing redeclaration checks for global and eval scripts. (r=efaust)

This iteration took 239.343 seconds to run.
Comment on attachment 8685178 [details] [diff] [review]
Fix eval redeclaration check for Debugger.Frame.eval.

Review of attachment 8685178 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/ScopeObject.cpp
@@ +3041,5 @@
> +        scope = &obj->as<ScopeT>();
> +    else if (obj->is<DebugScopeObject>() && obj->as<DebugScopeObject>().scope().is<ScopeT>())
> +        scope = &obj->as<DebugScopeObject>().scope().as<ScopeT>();
> +    else
> +        return true;
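Review bot: the trailing `else return true;` silently reports "no conflict" for every scope object that is neither a `ScopeT` nor a `DebugScopeObject` wrapping one, and nothing in the hunk records why that is safe. The reply to this review supplies the invariant (only ClonedBlockObject and CallObject scopes can hold lexical bindings), so put it in the code as well: a comment above the `else`, or a `MOZ_ASSERT` that the remaining object is one of the scope kinds known to carry no lexical bindings, so that a future scope type that does carry them cannot bypass the redeclaration check without anyone noticing.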

this seems weird. Isn't this like a hangin' offense? Or do we just not know what kind of scope object it is at all?
Attachment #8685178 - Flags: review?(efaustbmo) → review+
(In reply to Eric Faust [:efaust] from comment #3)
> Comment on attachment 8685178 [details] [diff] [review]
> Fix eval redeclaration check for Debugger.Frame.eval.
> 
> Review of attachment 8685178 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/vm/ScopeObject.cpp
> @@ +3041,5 @@
> > +        scope = &obj->as<ScopeT>();
> > +    else if (obj->is<DebugScopeObject>() && obj->as<DebugScopeObject>().scope().is<ScopeT>())
> > +        scope = &obj->as<DebugScopeObject>().scope().as<ScopeT>();
> > +    else
> > +        return true;
> 
> this seems weird. Isn't this like a hangin' offense? Or do we just not know
> what kind of scope object it is at all?

Non-ClonedBlockObject and CallObject scopes cannot contain lexical bindings, so there's no way they would conflict.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision faf815a0fa9b).
https://hg.mozilla.org/mozilla-central/rev/96e37b2953d3
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Blocks: 589199
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]