Closed Bug 1264975 Opened 4 years ago Closed 4 years ago

Assertion failure: this->is<T>(), at js/src/jsobj.h:548 with Debugger

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 10f66b316457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

// Testcase for the SpiderMonkey shell: newGlobal() and evalReturningScope()
// are shell-only helpers, so this does not run in a browser or under Node.
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;   // caller of evalInFrame: the script run by evalReturningScope
    var completion = frame.eval(code);        // Debugger.Frame.prototype.eval on that frame (see backtrace)
  };
})(this);
evalReturningScope('var a = evalInFrame(0, "a.push")');



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x000000000046aae2 in JSObject::as<js::CallObject> (this=<optimized out>) at js/src/jsobj.h:548
#0  0x000000000046aae2 in JSObject::as<js::CallObject> (this=<optimized out>) at js/src/jsobj.h:548
#1  0x0000000000b0d503 in as<js::CallObject> (this=<optimized out>) at js/src/vm/ScopeObject.cpp:1683
#2  (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6908800, debugScope=debugScope@entry=..., scope=scope@entry=..., id=id@entry=..., action=action@entry=(anonymous namespace)::DebugScopeProxy::GET, vp=..., vp@entry=..., accessResult=accessResult@entry=0x7fffffffa720, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1694
#3  0x0000000000b0daf5 in (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x7ffff6908800, proxy=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:2154
#4  0x00000000009b9599 in js::Proxy::get (cx=0x7ffff6908800, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:299
#5  0x0000000000719230 in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/vm/NativeObject.h:1474
#6  GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/jsobj.h:832
#7  js::FetchName<false> (cx=0x7ffff6908800, obj=..., obj2=..., name=..., shape=..., vp=...) at js/src/vm/Interpreter-inl.h:191
#8  0x0000000000a88948 in GetNameOperation (vp=..., pc=0x7ffff699519c ";", fp=<optimized out>, cx=0x7ffff6908800) at js/src/vm/Interpreter.cpp:258
#9  Interpret (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:2969
#10 0x0000000000a8fb28 in js::RunScript (cx=cx@entry=0x7ffff6908800, state=...) at js/src/vm/Interpreter.cpp:426
#11 0x0000000000a92999 in js::ExecuteKernel (cx=cx@entry=0x7ffff6908800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffb240) at js/src/vm/Interpreter.cpp:704
#12 0x0000000000a04d52 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=<optimized out>, pc=<optimized out>, frame=..., env=..., cx=0x7ffff6908800, chars=...) at js/src/vm/Debugger.cpp:7375
#13 DebuggerGenericEval (cx=cx@entry=0x7ffff6908800, fullMethodName=fullMethodName@entry=0xf0cbc7 "Debugger.Frame.prototype.eval", code=..., evalWithBindings=evalWithBindings@entry=EvalWithDefaultBindings, bindings=..., options=..., vp=..., dbg=dbg@entry=0x7ffff694f800, scope=..., scope@entry=..., iter=iter@entry=0x7fffffffb5c8) at js/src/vm/Debugger.cpp:7508
#14 0x0000000000a05e72 in DebuggerFrame_eval (cx=0x7ffff6908800, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:7522
#15 0x0000000000a93812 in js::CallJSNative (cx=0x7ffff6908800, native=0xa05c00 <DebuggerFrame_eval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#16 0x0000000000a8fda7 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#17 0x0000000000a9008b in InternalCall (cx=cx@entry=0x7ffff6908800, args=...) at js/src/vm/Interpreter.cpp:525
#18 0x0000000000a901ca in js::Call (cx=cx@entry=0x7ffff6908800, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:544
#19 0x00000000009c095a in js::DirectProxyHandler::call (this=this@entry=0x1c68000 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff6908800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:82
#20 0x00000000009c0b12 in js::CrossCompartmentWrapper::call (this=0x1c68000 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6908800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:291
#21 0x00000000009b8dd2 in js::Proxy::call (cx=0x7ffff6908800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:390
#22 0x00000000009b8ea2 in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:682
#23 0x0000000000a93812 in js::CallJSNative (cx=0x7ffff6908800, native=0x9b8df0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#46 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7455
rax	0x0	0
rbx	0x7fffffffa8f0	140737488333040
rcx	0x7ffff6ca588d	140737333844109
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffa5a0	140737488332192
rsp	0x7fffffffa5a0	140737488332192
r8	0x7ffff7fdf7c0	140737354004416
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffa360	140737488331616
r11	0x7ffff6c27ee0	140737333329632
r12	0x7fffffffa760	140737488332640
r13	0x7ffff6908800	140737330055168
r14	0x7fffffffa740	140737488332608
r15	0x1	1
rip	0x46aae2 <JSObject::as<js::CallObject>()+28>
=> 0x46aae2 <JSObject::as<js::CallObject>()+28>:	movl   $0x224,0x0
   0x46aaed <JSObject::as<js::CallObject>()+39>:	callq  0x4ab5c0 <abort()>
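Added example, not code from this bug or from the SpiderMonkey tree: a small Python triage helper of the kind used to bucket fuzzer crashes. It parses a gdb backtrace like the one in comment 0 into frames, derives a de-duplication signature from the top frames, and cross-checks the faulting instruction against the assertion site. The sample input is constructed from the backtrace and disassembly lines above (a few argument lists abridged). The cross-check relies on MOZ_REALLY_CRASH() in the mfbt of this period storing __LINE__ to address 0 before calling abort(), which is why the faulting store is `movl $0x224,0x0`: 0x224 is 548, the jsobj.h line in the assertion message. Function names and the signature format are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: frame lines from the gdb backtrace in comment 0 (argument
# lists of a few frames abridged), plus the non-frame lines gdb prints around them.
SAMPLE_BACKTRACE = """\
Program received signal SIGSEGV, Segmentation fault.
0x000000000046aae2 in JSObject::as<js::CallObject> (this=<optimized out>) at js/src/jsobj.h:548
#0  0x000000000046aae2 in JSObject::as<js::CallObject> (this=<optimized out>) at js/src/jsobj.h:548
#1  0x0000000000b0d503 in as<js::CallObject> (this=<optimized out>) at js/src/vm/ScopeObject.cpp:1683
#2  (anonymous namespace)::DebugScopeProxy::handleUnaliasedAccess (cx=cx@entry=0x7ffff6908800, action=action@entry=(anonymous namespace)::DebugScopeProxy::GET, this=<optimized out>) at js/src/vm/ScopeObject.cpp:1694
#3  0x0000000000b0daf5 in (anonymous namespace)::DebugScopeProxy::get (this=<optimized out>, cx=0x7ffff6908800, proxy=..., receiver=..., id=..., vp=...) at js/src/vm/ScopeObject.cpp:2154
#4  0x00000000009b9599 in js::Proxy::get (cx=0x7ffff6908800, proxy=..., receiver_=..., id=..., vp=...) at js/src/proxy/Proxy.cpp:299
#5  0x0000000000719230 in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/vm/NativeObject.h:1474
#6  GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6908800) at js/src/jsobj.h:832
#7  js::FetchName<false> (cx=0x7ffff6908800, obj=..., obj2=..., name=..., shape=..., vp=...) at js/src/vm/Interpreter-inl.h:191
[...]
#46 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7455
"""

# Constructed sample: the faulting instruction as gdb disassembled it in comment 0.
SAMPLE_DISASSEMBLY = "=> 0x46aae2 <JSObject::as<js::CallObject>()+28>:\tmovl   $0x224,0x0"


@dataclass(frozen=True)
class Frame:
    index: int
    function: str
    file: str
    line: int


# "#N  [0xADDR in] FUNCTION (ARGS) at FILE:LINE".  The address is absent for
# inlined frames (#6, #7 above); the non-greedy FUNCTION stops at the first
# " (" so names such as "(anonymous namespace)::X" and "Y<js::CallObject>" survive.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"
    r"(?P<func>.+?)\s+\((?P<args>.*)\)"
    r"\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)


def parse_backtrace(text: str) -> List[Frame]:
    """Keep only numbered frame lines; gdb's signal banner, '[...]' and the
    unnumbered repeat of frame #0 are dropped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["file"], int(m["line"])))
    return frames


_TEMPLATE_ARGS = re.compile(r"<[^<>]*>")


def normalize_function(name: str) -> str:
    """Strip template arguments (innermost first, so nesting unwinds) and the
    '(anonymous namespace)::' prefix so that instantiations bucket together."""
    prev = None
    while prev != name:
        prev, name = name, _TEMPLATE_ARGS.sub("", name)
    return name.replace("(anonymous namespace)::", "")


def crash_signature(frames: List[Frame], depth: int = 3) -> str:
    """Bucket key for de-duplicating fuzzer crashes: the top `depth` distinct
    frames as 'function@file:line', collapsing consecutive frames that are the
    same function (inlined copies such as GetProperty/GetProperty above)."""
    parts: List[str] = []
    last_fn = None
    for f in frames:
        fn = normalize_function(f.function)
        if fn == last_fn:
            continue
        parts.append(f"{fn}@{f.file}:{f.line}")
        last_fn = fn
        if len(parts) == depth:
            break
    return " | ".join(parts)


# Assumption about this build (see lead-in): MOZ_REALLY_CRASH() stores __LINE__
# to address 0 and then calls abort(), so the faulting "movl $IMM,0x0" carries
# the source line of the MOZ_ASSERT that fired.
_CRASH_STORE = re.compile(r"\bmovl\s+\$0x([0-9a-fA-F]+),0x0\b")


def assertion_line_from_disassembly(disasm: str) -> Optional[int]:
    m = _CRASH_STORE.search(disasm)
    return int(m.group(1), 16) if m else None


def is_consistent_assertion_crash(frames: List[Frame], disasm: str) -> bool:
    """True when the null-write immediate equals the top frame's source line,
    i.e. the SIGSEGV is the deliberate assertion crash and not a wild access."""
    if not frames:
        return False
    return assertion_line_from_disassembly(disasm) == frames[0].line


if __name__ == "__main__":
    fr = parse_backtrace(SAMPLE_BACKTRACE)
    print(crash_signature(fr))
    print("assertion line:", assertion_line_from_disassembly(SAMPLE_DISASSEMBLY),
          "consistent:", is_consistent_assertion_crash(fr, SAMPLE_DISASSEMBLY))
```

Collapsing template arguments is a triage trade-off: it merges `as<js::CallObject>` with other `as<T>` failures at the same line, which is usually what you want when bucketing, but the raw `Frame.function` is kept so a finer key can be built when two buckets turn out to be different bugs.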
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f19fec531e71
user:        Shu-yu Guo
date:        Sun Jun 21 11:49:57 2015 -0700
summary:     Bug 1165486 - Replace the PlainObj varobj with NonSyntacticVariablesObject. (r=luke)

This iteration took 0.632 seconds to run.
Setting needinfo as per comment 1.
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Attachment #8742535 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/315627acd221
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48