Closed Bug 1502015 Opened 3 years ago Closed 3 years ago

Assertion failure: stepperCount == trappingScript->stepModeCount(), at js/src/vm/Debugger.cpp:2382

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1501666
Tracking Status
firefox64 --- fix-optional
firefox65 --- fix-optional

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 3cc04ee79005 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// Reduced fuzzer testcase for the SpiderMonkey JS shell. newGlobal() and
// Debugger are shell/engine built-ins, not standard JavaScript.
// g is the debuggee global; it holds a single (empty) generator function f.
let g = newGlobal();
g.eval("function* f() {}");
// Attaches a fresh Debugger to g on every call. Nothing in this testcase
// removes or disables the Debuggers created by earlier calls.
// ttl is accepted but never read, and the function returns undefined.
function test(ttl) {
    let dbg = new Debugger(g);
    // For each frame the debugger sees being entered, install a no-op
    // single-step handler on that frame.
    dbg.onEnterFrame = frame => {
        frame.onStep = () => {};
    };
    // Call the generator function in the debuggee; result is never used.
    let result = g.f();
}
// test() returns undefined, so !test(ttl) is always true: the loop has no
// exit condition of its own and only stops when the reported assertion
// (stepperCount == trappingScript->stepModeCount()) fails.
// NOTE(review): the report does not say on which iteration that happens.
for (let ttl = 0; !test(ttl); ttl++) {}


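Backtrace (debug build; the SIGSEGV is raised at the assertion site named in the title, js/src/vm/Debugger.cpp:2382, and the faulting instruction shown after the register dump is a store to address 0 followed by ud2, which is consistent with the assertion's intentional crash rather than a stray memory access):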

received signal SIGSEGV, Segmentation fault.
#0  0x0000555555f33be1 in js::Debugger::onSingleStep (cx=<optimized out>, vp=...) at js/src/vm/Debugger.cpp:2382
#1  0x000055555595c32d in Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:2240
#2  0x000055555595ecd6 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
#3  0x000055555595f2ef in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:587
#4  0x000055555595f84d in InternalCall (cx=cx@entry=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#5  0x000055555595f9d0 in js::Call (cx=cx@entry=0x7ffff5f18000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:633
#6  0x0000555555ea8015 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f18000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:178
#7  0x0000555555e92183 in js::CrossCompartmentWrapper::call (this=0x5555577c6790 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:355
#8  0x0000555555e9f3b5 in js::Proxy::call (cx=0x7ffff5f18000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:560
#9  0x000055555595f6ae in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f18000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:535
#10 0x000055555595f84d in InternalCall (cx=0x7ffff5f18000, args=...) at js/src/vm/Interpreter.cpp:614
#11 0x0000555555951eec in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:620
#12 Interpret (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:3462
#13 0x000055555595ecd6 in js::RunScript (cx=0x7ffff5f18000, state=...) at js/src/vm/Interpreter.cpp:447
#14 0x00005555559614ed in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:813
#15 0x00005555559618e9 in js::Execute (cx=<optimized out>, cx@entry=0x7ffff5f18000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:846
#16 0x0000555555ef1393 in ExecuteScript (cx=0x7ffff5f18000, scope=scope@entry=..., script=..., rval=rval@entry=0x0) at js/src/vm/CompilationAndEvaluation.cpp:394
#17 0x0000555555ef4790 in JS_ExecuteScript (cx=<optimized out>, scriptArg=...) at js/src/vm/CompilationAndEvaluation.cpp:429
#18 0x00005555557de08e in RunFile (compileOnly=false, file=<optimized out>, filename=0x7fffffffdfce "test.js", cx=0x7ffff5f18000) at js/src/shell/js.cpp:923
#19 Process (cx=0x7ffff5f18000, filename=0x7fffffffdfce "test.js", forceTTY=<optimized out>, kind=<optimized out>) at js/src/shell/js.cpp:1400
#20 0x00005555557debd2 in ProcessArgs (cx=<optimized out>, op=0x7fffffffd980) at js/src/shell/js.cpp:10015
#21 0x00005555557eb98f in Shell (envp=<optimized out>, op=0x7fffffffd980, cx=<optimized out>) at js/src/shell/js.cpp:10457
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10965
rax	0x0	0
rbx	0x7fffffffba30	140737488337456
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffbf50	140737488338768
rsp	0x7fffffffb9a0	140737488337312
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff4d951c0	140737301270976
r13	0x7ffff4dc0160	140737301447008
r14	0x7fffffffb9f0	140737488337392
r15	0x7ffff5f1b170	140737319645552
rip	0x555555f33be1 <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1329>
=> 0x555555f33be1 <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1329>:	movl   $0x0,0x0
   0x555555f33bec <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1340>:	ud2
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1501666