Closed Bug 1232655 Opened 10 years ago Closed 10 years ago

Assertion failure: !JSID_IS_ATOM(id, cx->names().dotThis), at js/src/vm/ScopeObject.cpp:680

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed

People: Reporter: decoder, Assigned: jandem

Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision 871d92a1b070 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

g = newGlobal();
Debugger(g).onDebuggerStatement = function (frame) frame.eval("this.x");
g.eval("(function () { with ({}) debugger })()");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000aa3912 in with_HasProperty (cx=0x7ffff6907400, obj=..., id=..., foundp=0x7fffffff9990) at js/src/vm/ScopeObject.cpp:680
#0 0x0000000000aa3912 in with_HasProperty (cx=0x7ffff6907400, obj=..., id=..., foundp=0x7fffffff9990) at js/src/vm/ScopeObject.cpp:680
#1 0x00000000008aa2b9 in HasProperty (foundp=0x7fffffff9990, id=..., obj=..., cx=0x7ffff6907400) at js/src/vm/NativeObject.h:1458
#2 JS_HasPropertyById (cx=cx@entry=0x7ffff6907400, obj=obj@entry=..., id=id@entry=..., foundp=foundp@entry=0x7fffffff9990) at js/src/jsapi.cpp:2455
#3 0x0000000000aa4486 in (anonymous namespace)::DebugScopeProxy::has (this=<optimized out>, cx=0x7ffff6907400, proxy=..., id_=..., bp=0x7fffffff9b10) at js/src/vm/ScopeObject.cpp:2218
#4 0x000000000099fbf4 in js::Proxy::has (cx=0x7ffff6907400, proxy=proxy@entry=..., id=..., bp=bp@entry=0x7fffffff9b10) at js/src/proxy/Proxy.cpp:248
#5 0x000000000099fc3f in js::proxy_LookupProperty (cx=<optimized out>, obj=..., id=..., objp=..., propp=...) at js/src/proxy/Proxy.cpp:541
#6 0x000000000092da21 in js::LookupProperty (cx=cx@entry=0x7ffff6907400, obj=..., obj@entry=..., id=id@entry=..., objp=..., objp@entry=..., propp=..., propp@entry=...) at js/src/jsobj.cpp:2147
#7 0x000000000092f2b0 in js::LookupName (cx=cx@entry=0x7ffff6907400, name=..., name@entry=..., scopeChain=..., scopeChain@entry=..., objp=..., objp@entry=..., pobjp=pobjp@entry=..., propp=propp@entry=...) at js/src/jsobj.cpp:2158
#8 0x0000000000a67b1e in GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:236
#9 Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2896
#10 0x0000000000a75447 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#11 0x0000000000a7ae11 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffffa570) at js/src/vm/Interpreter.cpp:650
#12 0x00000000009ec07e in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6907400, chars=...) at js/src/vm/Debugger.cpp:6712
#13 DebuggerGenericEval (cx=cx@entry=0x7ffff6907400, fullMethodName=fullMethodName@entry=0xe6e71a "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694e000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffa8f8) at js/src/vm/Debugger.cpp:6844
#14 0x00000000009eced2 in DebuggerFrame_eval (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6858
#15 0x0000000000a7d102 in js::CallJSNative (cx=0x7ffff6907400, native=0x9ecc40 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x0000000000a756a7 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#17 0x0000000000a65faa in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2771
#18 0x0000000000a75447 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#19 0x0000000000a7576c in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#20 0x0000000000a76349 in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffb740, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:496
#21 0x00000000009dfa7a in js::Debugger::fireDebuggerStatement (this=this@entry=0x7ffff694e000, cx=cx@entry=0x7ffff6907400, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1240
#22 0x00000000009dfd85 in operator() (dbg=0x7ffff694e000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:700
#23 dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda3, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::__lambda4> (fireHook=..., cx=0x7ffff6907400, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1443
#24 js::Debugger::slowPathOnDebuggerStatement (cx=cx@entry=0x7ffff6907400, frame=...) at js/src/vm/Debugger.cpp:701
#25 0x0000000000a6f242 in onDebuggerStatement (frame=..., cx=0x7ffff6907400) at js/src/vm/Debugger-inl.h:50
[...]
#50 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877

rax 0x0 0
rbx 0x7ffff6907400 140737330050048
rcx 0x7ffff6ca53b0 140737333842864
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff9920 140737488328992
rsp 0x7fffffff98e0 140737488328928
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff96a0 140737488328352
r11 0x7ffff6c27960 140737333328224
r12 0x7fffffff99e0 140737488329184
r13 0x7fffffff99c0 140737488329152
r14 0x7fffffff9990 140737488329104
r15 0x7fffffff9990 140737488329104
rip 0xaa3912 <with_HasProperty(JSContext*, JS::HandleObject, JS::HandleId, bool*)+290>
=> 0xaa3912 <with_HasProperty(JSContext*, JS::HandleObject, JS::HandleId, bool*)+290>: movl $0x2a8,0x0
0xaa391d <with_HasProperty(JSContext*, JS::HandleObject, JS::HandleId, bool*)+301>: callq 0x4a3d40 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/52d7c9292ecf
user: Jan de Mooij
date: Sat Nov 21 14:33:13 2015 +0100
summary: Bug 1132183 - Make |this| a real binding, remove lazy this computation. r=efaust,shu

This iteration took 306.599 seconds to run.
Jan, is bug 1132183 a likely regressor?
Blocks: 1132183
Flags: needinfo?(jdemooij)
Attached patch Patch
DebugScopeProxy::has was doing a lookup for .this on the underlying scope object, a DynamicWithObject in this case.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8699449 - Flags: review?(shu)
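The lookup jandem describes, modelled as an added C++ example. This is not SpiderMonkey code: the classes (ScopeObject, WithScope, FunctionScope), the helper names and the name-lookup loop are constructed for illustration. The engine aborts on the with_HasProperty assertion; the model throws at the same point so both the forwarding has() and the fixed has() can be exercised on the scope chain from the testcase (a with-scope inside a plain function).

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// Added example, not SpiderMonkey's own code. All names below are constructed.

// Compiler-internal name of the |this| binding made real by bug 1132183.
static const std::string kDotThis = ".this";

struct ScopeObject {
    virtual ~ScopeObject() = default;
    virtual bool isFunctionScope() const { return false; }
    // Does the underlying scope object itself provide |id|?
    virtual bool hasProperty(const std::string& id) const = 0;
};

// A with-scope wraps an arbitrary object. Like with_HasProperty in the engine,
// it must never be asked about ".this": the engine asserts and aborts there,
// the model throws so the failure can be observed in a test.
struct WithScope : ScopeObject {
    std::unordered_set<std::string> props;
    explicit WithScope(std::unordered_set<std::string> p) : props(std::move(p)) {}
    bool hasProperty(const std::string& id) const override {
        if (id == kDotThis)
            throw std::logic_error("assertion: with-scope asked about .this");
        return props.count(id) != 0;
    }
};

// A function scope owns real bindings and, for non-arrow functions, the
// synthetic .this binding.
struct FunctionScope : ScopeObject {
    std::unordered_set<std::string> bindings;
    bool hasThisBinding;
    FunctionScope(std::unordered_set<std::string> b, bool hasThis)
        : bindings(std::move(b)), hasThisBinding(hasThis) {}
    bool isFunctionScope() const override { return true; }
    bool hasProperty(const std::string& id) const override {
        return bindings.count(id) != 0;
    }
};

// Buggy debug-scope has(): forwards every id, including ".this", to the
// underlying scope object.
bool debugScopeHasBuggy(const ScopeObject& scope, const std::string& id) {
    return scope.hasProperty(id);
}

// Fixed has(): answer for the synthetic binding before touching the underlying
// object, so a with-scope never sees ".this".
bool debugScopeHasFixed(const ScopeObject& scope, const std::string& id) {
    if (id == kDotThis) {
        if (!scope.isFunctionScope())
            return false;
        return static_cast<const FunctionScope&>(scope).hasThisBinding;
    }
    return scope.hasProperty(id);
}

using HasFn = bool (*)(const ScopeObject&, const std::string&);

// Name lookup as frame.eval performs it: walk the chain innermost first and
// return the index of the scope providing |id|, or -1 if none does.
int lookupName(const std::vector<const ScopeObject*>& chain,
               const std::string& id, HasFn has) {
    for (std::size_t i = 0; i < chain.size(); ++i) {
        if (has(*chain[i], id))
            return static_cast<int>(i);
    }
    return -1;
}

// The testcase: (function () { with ({}) debugger })() evaluating "this.x".
// Chain innermost-first: the with-scope, then the enclosing function scope.
// Returns true if resolving ".this" hits the with-scope assertion.
bool testcaseAsserts(HasFn has) {
    WithScope with({});
    FunctionScope fn({}, /*hasThis=*/true);
    std::vector<const ScopeObject*> chain = {&with, &fn};
    try {
        lookupName(chain, kDotThis, has);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main() {
    bool ok = testcaseAsserts(debugScopeHasBuggy) && !testcaseAsserts(debugScopeHasFixed);
    return ok ? 0 : 1;
}
```

With the forwarding has(), the walk reaches the with-scope first and trips the assertion before the function scope is ever consulted; with the fixed has(), ".this" is answered by the function scope, an arrow-like function without a this binding yields -1, and ordinary names such as "x" still resolve through the with-object.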
Comment on attachment 8699449 [details] [diff] [review]
Patch

Review of attachment 8699449 [details] [diff] [review]:
-----------------------------------------------------------------

Nice catch, fuzzers.

::: js/src/vm/ScopeObject.cpp
@@ +2208,5 @@
> *bp = true;
> return true;
> }
> + if (isThis(cx, id)) {
> + *bp = isFunctionScopeWithThis(scopeObj);

Perhaps a comment above the if that we can't look up '.this' as a normal binding.
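Review bot: the visible hunk ends at `*bp = isFunctionScopeWithThis(scopeObj);`, so the `return true;` that must follow it is not in view; confirm the `.this` branch returns there and does not fall through to the generic `JS_HasPropertyById` lookup on `scopeObj`, since that forwarded lookup is exactly what reaches `with_HasProperty` and trips the `!JSID_IS_ATOM(id, cx->names().dotThis)` assertion in the backtrace. Seconding shu's request for a comment above the `if`: the reason `.this` needs special handling is that it is a synthetic binding only function scopes carry, so the underlying with-object can never be asked to answer for it.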
Attachment #8699449 - Flags: review?(shu) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46