Closed Bug 1275012 Opened 8 years ago Closed 5 years ago

Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 with Debugger.Script.getOffsetLocation

Categories: Core :: JavaScript Engine, defect, P3 (x86_64, Linux)

RESOLVED FIXED
Tracking Status
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: decoder, Assigned: loganfsmyth)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:testComment=3,origRev=8ec327de0ba7])

The following testcase crashes on mozilla-central revision 16663eb3dcfa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

g = newGlobal()
evaluate(`
  function lit() {
    debugger;
    switch(0) {
      case "nope": break;
      case 1: return;
    }
  }
`, { 0: 0, global: g });
dbg = Debugger(g);
function test(s) {
    dbg.onDebuggerStatement = function(frame) {
        frame.onStep = function() {
            this.script.getOffsetLocation(this.offset).lineNumber;
        }
    }
    g.eval(s);
}
test("lit()")
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009f340f in DebuggerScript_getOffsetLocation (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5713
#0  0x00000000009f340f in DebuggerScript_getOffsetLocation (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5713
#1  0x0000000000a6f312 in js::CallJSNative (cx=0x7ffff6908c00, native=0x9f2d80 <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000a6ba67 in js::InternalCallOrConstruct (cx=0x7ffff6908c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#3  0x0000000000a6bd4b in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525
#4  0x0000000000a6be5a in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:531
#5  0x0000000000d72061 in js::jit::DoCallFallback (cx=0x7ffff6908c00, frame=0x7fffffffab98, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffab40, res=...) at js/src/jit/BaselineIC.cpp:5973
#6  0x00007ffff7fe9f2f in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rip	0x9f340f <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1679>
=> 0x9f340f <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1679>:	movl   $0x1651,0x0
   0x9f341a <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1690>:	callq  0x4b2d30 <abort()>
Blocks: 1261826
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/4bb616c2f912
user:        Nicolas B. Pierron
date:        Tue May 17 17:15:52 2016 +0000
summary:     Bug 1261826 part 8.1 - Make Debugger.Script.getOffsetLocation only consider entry point locations. r=shu

This iteration took 224.350 seconds to run.
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P3
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
g = newGlobal()
evaluate(`
  function lit() {
    debugger;
    switch(0) {
      case "nope": break;
      case 1: return;
    }
  }
`, { 0: 0, global: g });
dbg = Debugger(g);
function test(s) {
    dbg.onDebuggerStatement = function(frame) {
        frame.onStep = function() {
            this.script.getOffsetLocation(this.offset).lineNumber;
        }
    }
    g.eval(s);
}
test("lit()")

asserts js shell compiled with --enable-debug on m-c rev 8ec327de0ba7 using --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments at Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:6387

Summary: Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 → Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 with Debugger.Script.getOffsetLocation
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,testComment=3,origRev=8ec327de0ba7]

Also setting firefox66 as affected, and needinfo? from :jimb since this is Debugger-related.

Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update,testComment=3,origRev=8ec327de0ba7] → [jsbugmon:testComment=3,origRev=8ec327de0ba7]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5c934ede1cfc
user: Logan Smyth
date: Wed Feb 13 02:31:00 2019 +0000
summary: Bug 1518661 - Part 5: Give SpiderMonkey well-defined sense of step and breakpoint locations. r=jimb,bhackett

Jim/Jason, is bug 1518661 a likely fix? (I can't seem to reproduce the testcase in comment 3 on m-c tip)

Flags: needinfo?(jorendorff)

Yes.

Flags: needinfo?(jorendorff)

Fixed by bug 1518661.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jimb)
Resolution: --- → FIXED
Assignee: nobody → lsmyth