Closed
Bug 1233915
Opened 8 years ago
Closed 8 years ago
Assertion failure: evalInFramePrev.isFunctionFrame() || evalInFramePrev.isGlobalFrame(), at js/src/vm/Stack.cpp:54 with parseModule
Categories
(Core :: JavaScript Engine, defect)
RESOLVED DUPLICATE of bug 1233117
| | Tracking | Status |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 0babaa3edcf9 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

```
g = newGlobal()
g.parent = this
g.eval("(" + function() {
  Debugger(parent)
    .onExceptionUnwind = function(frame) frame.eval("")
} + ")()")
m = parseModule(` s1 `)
m.declarationInstantiation()
m.evaluation()
```

Backtrace:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000adf469 in js::InterpreterFrame::initExecuteFrame (this=this@entry=0x7ffff3a782a0, cx=cx@entry=0x7ffff6907400, script=script@entry=..., evalInFramePrev=..., newTargetValue=..., scopeChain=..., scopeChain@entry=..., type=type@entry=js::EXECUTE_DEBUG) at js/src/vm/Stack.cpp:54
#0  0x0000000000adf469 in js::InterpreterFrame::initExecuteFrame (this=this@entry=0x7ffff3a782a0, cx=cx@entry=0x7ffff6907400, script=script@entry=..., evalInFramePrev=..., newTargetValue=..., scopeChain=..., scopeChain@entry=..., type=type@entry=js::EXECUTE_DEBUG) at js/src/vm/Stack.cpp:54
#1  0x0000000000adf73a in js::InterpreterStack::pushExecuteFrame (this=<optimized out>, cx=0x7ffff6907400, script=..., newTargetValue=..., scopeChain=..., type=js::EXECUTE_DEBUG, evalInFrame=...) at js/src/vm/Stack.cpp:525
#2  0x0000000000a43bc2 in js::ExecuteState::pushInterpreterFrame (this=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:345
#3  0x0000000000a65abd in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:1601
#4  0x0000000000a75cb7 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#5  0x0000000000a7b671 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., result=result@entry=0x7fffffffa8b0) at js/src/vm/Interpreter.cpp:650
#6  0x00000000009ecbce in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6907400, chars=...) at js/src/vm/Debugger.cpp:6713
#7  DebuggerGenericEval (cx=cx@entry=0x7ffff6907400, fullMethodName=fullMethodName@entry=0xe6e636 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694e000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffac38) at js/src/vm/Debugger.cpp:6845
#8  0x00000000009eda22 in DebuggerFrame_eval (cx=0x7ffff6907400, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6859
#9  0x0000000000a7d962 in js::CallJSNative (cx=0x7ffff6907400, native=0x9ed790 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#10 0x0000000000a75f17 in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#11 0x0000000000a668ba in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:2766
#12 0x0000000000a75cb7 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:391
#13 0x0000000000a75fdc in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:462
#14 0x0000000000a76ba9 in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffffbae0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:496
#15 0x00000000009eddad in js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff694e000, cx=cx@entry=0x7ffff6907400, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1269
#16 0x00000000009ee0e1 in operator() (dbg=0x7ffff694e000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:741
#17 dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda5, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::__lambda6> (fireHook=..., cx=0x7ffff6907400, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1444
#18 js::Debugger::slowPathOnExceptionUnwind (cx=cx@entry=0x7ffff6907400, frame=...) at js/src/vm/Debugger.cpp:742
#19 0x0000000000a66563 in onExceptionUnwind (frame=..., cx=0x7ffff6907400) at js/src/vm/Debugger-inl.h:58
#20 HandleError (regs=..., cx=0x7ffff6907400) at js/src/vm/Interpreter.cpp:1142
#21 Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3908
[...]
#42 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6877
rax	0x0	0
rbx	0x7ffff3a782a0	140737281229472
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffff9f60	140737488330592
rsp	0x7fffffff9ab0	140737488329392
r8	0x7ffff7fd4780	140737353959296
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffff9870	140737488328816
r11	0x7ffff6c27960	140737333328224
r12	0x7ffff6907400	140737330050048
r13	0x7fffffff9ac0	140737488329408
r14	0x7fffffffa718	140737488332568
r15	0x7fffffffa6e0	140737488332512
rip	0xadf469 <js::InterpreterFrame::initExecuteFrame(JSContext*, JS::Handle<JSScript*>, js::AbstractFramePtr, JS::Value const&, JS::Handle<JSObject*>, js::ExecuteType)+777>
=> 0xadf469 <js::InterpreterFrame::initExecuteFrame(JSContext*, JS::Handle<JSScript*>, js::AbstractFramePtr, JS::Value const&, JS::Handle<JSObject*>, js::ExecuteType)+777>:	movl   $0x36,0x0
   0xadf474 <js::InterpreterFrame::initExecuteFrame(JSContext*, JS::Handle<JSScript*>, js::AbstractFramePtr, JS::Value const&, JS::Handle<JSObject*>, js::ExecuteType)+788>:	callq  0x4a3d80 <abort()>
```
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/db4c17553be9
user: Jon Coppeard
date: Wed Sep 23 15:47:40 2015 +0100
summary: Bug 930414 - Implement ModuleEvaluation method r=shu

This iteration took 0.833 seconds to run.
Jon, is bug 930414 a likely regressor?
Blocks: 930414
Flags: needinfo?(jcoppeard)
Comment 3•8 years ago (Assignee)
This is the same issue as bug 1233117.
Assignee: nobody → jcoppeard
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE