Closed
Bug 1252111
Opened 10 years ago
Closed 6 years ago
Assertion failure: observing, at js/src/vm/Debugger.cpp:2360
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
DUPLICATE
of bug 1608891
| Tracking | Status | |
|---|---|---|
| firefox47 | --- | wontfix |
People
(Reporter: decoder, Unassigned, NeedInfo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision 4972f77869de (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-eager):
g = newGlobal();
dbg = Debugger(g);
dbg.onEnterFrame = function () {}
dbg.collectCoverageInfo = true;
g.eval("");
dbg.collectCoverageInfo = false;
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000009d5bf8 in UpdateExecutionObservabilityOfScriptsInZone (cx=cx@entry=0x7ffff6907800, zone=<optimized out>, obs=..., observing=observing@entry=js::Debugger::NotObserving) at js/src/vm/Debugger.cpp:2360
#0 0x00000000009d5bf8 in UpdateExecutionObservabilityOfScriptsInZone (cx=cx@entry=0x7ffff6907800, zone=<optimized out>, obs=..., observing=observing@entry=js::Debugger::NotObserving) at js/src/vm/Debugger.cpp:2360
#1 0x00000000009d5da8 in js::Debugger::updateExecutionObservabilityOfScripts (cx=cx@entry=0x7ffff6907800, obs=..., observing=observing@entry=js::Debugger::NotObserving) at js/src/vm/Debugger.cpp:2376
#2 0x00000000009d9336 in js::Debugger::updateExecutionObservability (cx=0x7ffff6907800, obs=..., observing=js::Debugger::NotObserving) at js/src/vm/Debugger.cpp:2392
#3 0x00000000009db326 in js::Debugger::updateObservesCoverageOnDebuggees (this=this@entry=0x7ffff6950800, cx=cx@entry=0x7ffff6907800, observing=js::Debugger::NotObserving) at js/src/vm/Debugger.cpp:2538
#4 0x00000000009db44c in js::Debugger::setCollectCoverageInfo (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:3254
#5 0x0000000000ac0642 in js::CallJSNative (cx=0x7ffff6907800, native=0x9db3b0 <js::Debugger::setCollectCoverageInfo(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#37 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x0 0
rcx 0x7ffff6ca588d 140737333844109
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffbd00 140737488338176
rsp 0x7fffffffb820 140737488336928
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffb5e0 140737488336352
r11 0x7ffff6c27ee0 140737333329632
r12 0x7fffffffb940 140737488337216
r13 0x7fffffffbdf0 140737488338416
r14 0x7fffffffb880 140737488337024
r15 0x7ffff69a5000 140737330696192
rip 0x9d5bf8 <UpdateExecutionObservabilityOfScriptsInZone(JSContext*, JS::Zone*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+1944>
=> 0x9d5bf8 <UpdateExecutionObservabilityOfScriptsInZone(JSContext*, JS::Zone*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+1944>: movl $0x938,0x0
0x9d5c03 <UpdateExecutionObservabilityOfScriptsInZone(JSContext*, JS::Zone*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving)+1955>: callq 0x4a6780 <abort()>
|
||
Updated•10 years ago
|
Flags: needinfo?(nicolas.b.pierron)
|
||
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
||
Comment 1•10 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1ac20ebb3bd7
user: Nicolas B. Pierron
date: Wed Sep 16 21:11:34 2015 +0200
summary: Bug 1176880 part 1 - Add a flag on the Debugger & Compartment to record code-coverage information. r=shu
This iteration took 208.086 seconds to run.
|
|
||
Comment 3•10 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Nicolas, is bug 1176880 a likely regressor?
Yes, I will investigate it once I have time.
|
|
||
Comment 4•10 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> Yes, I will investigate it once I have time.
Note, I did not prioritize this bug yet for the following reasons:
- Access to the Debugger object requires privilege, so there is no more access to gain with such crash.
- Code coverage is, for the moment, only used to collect info from our test suite. (which did not report any similar issue yet)
As long as we do not plan to add Code Coverage as part of the devtools, which I wish we did, I do not think this bug needs any higher priority than "once I have time".
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 6•9 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 506facea6316).
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
|
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
|
|
||
Comment 7•9 years ago
|
||
JSBugMon: Fix Bisection requested, result:
Due to skipped revisions, the first good revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)
changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn)
This iteration took 0.628 seconds to run.
Shu-yu / Nicolas, is bug 1263355 a likely fix?
Flags: needinfo?(shu)
|
||
Comment 9•9 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #8)
> Shu-yu / Nicolas, is bug 1263355 a likely fix?
I didn't know what the original bug was, couldn't really say.
Flags: needinfo?(shu)
|
|
||
Comment 10•9 years ago
|
||
The original bug seems to be that we could not trash baseline code, and replace it by a version of Baseline code which has code coverage enabled.
Honestly, I would think that this issue might have disappeared when we enabled Branch Pruning by default, back in June / July.
Maybe we can still reproduce this issue by running the JS shell with --ion-pgo=off.
| Comment hidden (obsolete) |
$ ./js-dbg-64-clang-darwin-181336fdda66 --fuzzing-safe --ion-eager --ion-pgo=off 1252111.js
Assertion failure: observing, at /Users/skywalker/trees/mozilla-central/js/src/vm/Debugger.cpp:2520
Segmentation fault: 11
$ ./js-dbg-64-clang-darwin-18bec78f348e --fuzzing-safe --ion-eager --ion-pgo=off 1252111.js
$
I double checked properly this time with --ion-pgo=off and the issue still cannot be reproduced.
Since this might just be a fixed Baseline/JIT issue, Jan, do you mind landing this testcase (to ensure it doesn't happen again), and resolve it WFM?
Flags: needinfo?(nicolas.b.pierron) → needinfo?(jdemooij)
|
||
Comment 14•9 years ago
|
||
Forwarding to nbp as this is related to code coverage.
Flags: needinfo?(jdemooij) → needinfo?(nicolas.b.pierron)
:nbp, re-ping for needinfo? on landing testcase.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P2
|
|
||
Updated•8 years ago
|
Flags: needinfo?(nicolas.b.pierron)
|
||
Updated•6 years ago
|
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•