Closed Bug 1254185 Opened 4 years ago Closed 4 years ago

Assertion failure: isFunctionScope(scope) && scope.as<CallObject>().callee().nonLazyScript()->argumentsHasVarBinding(), at js/src/vm/ScopeObject.cpp:1913 with Debugger

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target milestone: mozilla48
Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

People

Reporter: decoder, Unassigned

Details

Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]

Attachments: 1 file

The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    // Evaluate |code| in the caller's frame via Debugger.Frame.prototype.eval.
    var frame = dbg.getNewestFrame().older;
    var completion = frame.eval(code);
  };
})(this);
function foo() {
  {
    // |arguments| is only reachable through a block-scoped lexical binding;
    // resolving "x" through the debugger's scope proxy reaches
    // isMagicMissingArgumentsValue, which asserts the scope is a function scope.
    let x = arguments;
    assertEq(evalInFrame(0, "x"), 5);
  }
}
foo();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000b02eae in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=..., v=..., v@entry=..., cx=0x7ffff6907800) at js/src/vm/ScopeObject.cpp:1911
#0  0x0000000000b02eae in (anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue (scope=..., v=..., v@entry=..., cx=0x7ffff6907800) at js/src/vm/ScopeObject.cpp:1911
#1  0x0000000000b359e0 in (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x7ffff6907800, proxy=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:2122
#2  0x00000000009aa519 in js::Proxy::get (cx=0x7ffff6907800, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:300
#3  0x000000000070ee44 in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6907800) at js/src/vm/NativeObject.h:1474
#4  GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6907800) at js/src/jsobj.h:830
#5  js::FetchName<false> (cx=0x7ffff6907800, obj=..., obj2=..., name=..., shape=..., vp=...) at js/src/vm/Interpreter-inl.h:191
#6  0x0000000000aaa71c in GetNameOperation (vp=..., pc=0x7ffff69929ac ";", fp=<optimized out>, cx=0x7ffff6907800) at js/src/vm/Interpreter.cpp:260
#7  Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:2940
#8  0x0000000000ab8828 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:428
#9  0x0000000000aba373 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffbdb0) at js/src/vm/Interpreter.cpp:684
#10 0x00000000009f4e6c in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6907800, chars=...) at js/src/vm/Debugger.cpp:7000
#11 DebuggerGenericEval (cx=cx@entry=0x7ffff6907800, fullMethodName=fullMethodName@entry=0xed1e88 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff6950000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffc108) at js/src/vm/Debugger.cpp:7133
#12 0x00000000009f5b52 in DebuggerFrame_eval (cx=0x7ffff6907800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:7147
#13 0x0000000000abb9e2 in js::CallJSNative (cx=0x7ffff6907800, native=0x9f58e0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#14 0x0000000000ab8b11 in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#15 0x0000000000ab962c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=<optimized out>, argv=0x7ffff45af1e0, rval=...) at js/src/vm/Interpreter.cpp:530
#16 0x00000000009a5987 in js::DirectProxyHandler::call (this=this@entry=0x1c36ff0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6907800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#17 0x00000000009aaae2 in js::CrossCompartmentWrapper::call (this=0x1c36ff0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6907800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#18 0x00000000009a9aba in js::Proxy::call (cx=0x7ffff6907800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:391
#19 0x00000000009a9b8a in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:683
#20 0x0000000000abb9e2 in js::CallJSNative (cx=0x7ffff6907800, native=0x9a9ae0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#32 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7250
rip	0xb02eae <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue, JSContext*)+78>
=> 0xb02eae <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue, JSContext*)+78>:	movl   $0x779,0x0
   0xb02eb9 <(anonymous namespace)::DebugScopeProxy::isMagicMissingArgumentsValue(js::ScopeObject&, JS::HandleValue, JSContext*)+89>:	callq  0x4a6f30 <abort()>
Keywords: crash
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fe70a6c9a374
user:        Shu-yu Guo
date:        Mon Dec 15 18:21:09 2014 -0800
summary:     Bug 1109964 - Recover missing arguments in DebugScopeProxy when the optimized arguments comes from a non-'arguments' slot. (r=luke)

This iteration took 193.219 seconds to run.
Shu-yu, is bug 1109964 a likely regressor?
Blocks: 1109964
Flags: needinfo?(shu)
Attachment #8731944 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/574e8c5132b9
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Patch substitutes some DEBUG-only code for some other DEBUG-only code. No need to uplift. WONTFIX 47