Closed
Bug 1260728
Opened 8 years ago
Closed 8 years ago
Assertion failure: analyzedArgsUsage(), at js/src/jsscript.h:1515 with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla49
People
(Reporter: decoder, Assigned: fitzgen)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file, 1 obsolete file)
The following testcase crashes on mozilla-central revision d5d53a3b4e50 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --disable-oom-functions):
var g = newGlobal();
var dbg = new Debugger(g);
dbg.onNewScript = function(script) {
fscript = script.getChildScripts()[0];
}
g.eval("function f(x) { arguments[0] = 3; return x }");
fscript.setBreakpoint(0, {hit:function(frame) {
assertEq(frame.eval("assertEq(arguments, undefined)").return, 1);
}});
assertEq(g.f(1), 42);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004687d2 in JSScript::needsArgsObj (this=<optimized out>) at js/src/jsscript.h:1515
#0 0x00000000004687d2 in JSScript::needsArgsObj (this=<optimized out>) at js/src/jsscript.h:1515
#1 0x0000000000b115ad in needsArgsObj (this=<optimized out>) at js/src/debug64/dist/include/js/RootingAPI.h:667
#2 isMissingArguments (scope=..., id=..., cx=0x7ffff6908800) at js/src/vm/ScopeObject.cpp:1928
#3 (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x7ffff6908800, proxy=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:2197
#4 0x00000000009c01c9 in js::Proxy::get (cx=0x7ffff6908800, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:299
#5 0x000000000071c624 in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/vm/NativeObject.h:1476
#6 GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/jsobj.h:830
#7 js::FetchName<false> (cx=0x7ffff6908800, obj=..., obj2=..., name=..., shape=..., vp=...) at js/src/vm/Interpreter-inl.h:191
#8 0x0000000000a8f458 in GetNameOperation (vp=..., pc=0x7ffff698c5c6 ";", fp=<optimized out>, cx=0x7ffff6908800) at js/src/vm/Interpreter.cpp:258
#9 Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2947
#10 0x0000000000a966a8 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#11 0x0000000000a99279 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffa8f0) at js/src/vm/Interpreter.cpp:684
#12 0x0000000000a0a0f2 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6908800, chars=...) at js/src/vm/Debugger.cpp:7233
#13 DebuggerGenericEval (cx=cx@entry=0x7ffff6908800, fullMethodName=fullMethodName@entry=0xefd435 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694f000, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffac78) at js/src/vm/Debugger.cpp:7366
#14 0x0000000000a0b212 in DebuggerFrame_eval (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:7380
#15 0x0000000000a9a202 in js::CallJSNative (cx=0x7ffff6908800, native=0xa0afa0 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#43 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443
rax 0x0 0
rbx 0x7ffff6908800 140737330055168
rcx 0x7ffff6ca5870 140737333844080
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffff9d90 140737488330128
rsp 0x7fffffff9d90 140737488330128
r8 0x7ffff7fdf7c0 140737354004416
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffff9b50 140737488329552
r11 0x7ffff6c27ee0 140737333329632
r12 0x7fffffff9f90 140737488330640
r13 0x7ffff5400000 140737308000256
r14 0x7fffffff9dd0 140737488330192
r15 0x7fffffff9df0 140737488330224
rip 0x4687d2 <JSScript::needsArgsObj() const+28>
=> 0x4687d2 <JSScript::needsArgsObj() const+28>: movl $0x5eb,0x0
0x4687dd <JSScript::needsArgsObj() const+39>: callq 0x4a9b00 <abort()>autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/29e5dcfb97f7 user: Tom Schuster date: Tue Oct 06 17:04:09 2015 +0100 summary: Bug 1211832 - Disable functions that can easily cause artificial OOMs. r=jonco Tom, is bug 1211832 a likely regressor?
Blocks: 1211832
Flags: needinfo?(evilpies)
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
||
Comment 2•8 years ago
|
||
I don't think so. Nothing here uses OOMAtAllocation, OOMAfterAllocations or GCParameter.
Flags: needinfo?(evilpies)
Moving over to our Debugger folks then.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
|
Assignee | |
Comment 4•8 years ago
|
||
I can reproduce.
Assignee: nobody → nfitzgerald
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
|
|
Assignee | |
Comment 5•8 years ago
|
||
First Debugger frame on the stack was last touched Thu Jan 21 20:01:18 2016, and all the other frames' blames are even older than that (2012-early 2015): f0f2c29d Bug 1234845 part 10 - Remove ExecuteType and InitialFrameFlags enums. r=luke
|
|
Assignee | |
Comment 6•8 years ago
|
||
Ok so I am not really sure what the root cause is here, so this is a pretty blunt approach. But it seems to work. If there is a finer, more precise approach, please point me in the correct direction... I have this nagging feeling that this patch is fixing one specific symptom arising from a larger bug.
Attachment #8758873 -
Flags: review?(shu)
|
|
Assignee | |
Comment 7•8 years ago
|
||
Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=d795e6a87476
|
||
Comment 8•8 years ago
|
||
Comment on attachment 8758873 [details] [diff] [review] Ensure that the script has had its arguments usage analyzed before we get arguments in the debugger Review of attachment 8758873 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/ScopeObject.cpp @@ +2161,5 @@ > Rooted<DebugScopeObject*> debugScope(cx, &proxy->as<DebugScopeObject>()); > Rooted<ScopeObject*> scope(cx, &proxy->as<DebugScopeObject>().scope()); > > + if (!ensureHasAnalyzedArgsUsage(cx, *scope)) > + return false; You're right that calling ensureHasAnalyzedArgsUsage on the script is the thing to do, but DebugScopeProxy::get isn't the place to do it. I see that we call the function in DebuggerArguments_getArg right now and we're missing it in eval-in-frame. I don't think performance will be an issue here, so it'll be more reassuring to aggressively call ensureHasAnalyzedArgsUsage on the scripts of all frames we reflect via Debugger.Frame. Mind doing that?
Attachment #8758873 -
Flags: review?(shu)
|
|
Assignee | |
Comment 9•8 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #8) > Comment on attachment 8758873 [details] [diff] [review] > Ensure that the script has had its arguments usage analyzed before we get > arguments in the debugger > > Review of attachment 8758873 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: js/src/vm/ScopeObject.cpp > @@ +2161,5 @@ > > Rooted<DebugScopeObject*> debugScope(cx, &proxy->as<DebugScopeObject>()); > > Rooted<ScopeObject*> scope(cx, &proxy->as<DebugScopeObject>().scope()); > > > > + if (!ensureHasAnalyzedArgsUsage(cx, *scope)) > > + return false; > > You're right that calling ensureHasAnalyzedArgsUsage on the script is the > thing to do, but DebugScopeProxy::get isn't the place to do it. > > I see that we call the function in DebuggerArguments_getArg right now and > we're missing it in eval-in-frame. I don't think performance will be an > issue here, so it'll be more reassuring to aggressively call > ensureHasAnalyzedArgsUsage on the scripts of all frames we reflect via > Debugger.Frame. Mind doing that? Thanks, this was exactly the kind of review I was hoping for!
|
|
Assignee | |
Updated•8 years ago
|
Attachment #8758873 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 11•8 years ago
|
||
Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ff9eea6d0d5c
|
|
||
Updated•8 years ago
|
Attachment #8758976 -
Flags: review?(shu) → review+
|
|
Assignee | |
Updated•8 years ago
|
Keywords: checkin-needed
|
||
Comment 12•8 years ago
|
||
Pushed by cbook@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/403b82279b76 Ensure that the script has had its arguments usage analyzed before we get arguments in the debugger; r=shu
Keywords: checkin-needed
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 13•8 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision e27fe24a746f).
|
||
Comment 14•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/403b82279b76
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox49:
--- → fixed
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Target Milestone: --- → mozilla49
You need to log in
before you can comment on or make changes to this bug.
Description
•