Closed Bug 1561935 Opened 5 months ago Closed 5 months ago

Fix some bugs in HandleDebugTrap + DebugAfterYield interaction

Categories

(Core :: JavaScript Engine: JIT, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla69
Tracking Status
firefox69 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(1 file)

Seeing this when running jit-tests with my Baseline Interpreter patch stack, but it also affects Baseline. Run the tests below with --baseline-eager:

let g = newGlobal({newCompartment: true});
g.eval('function* f() { yield 1; yield 2; }');
let dbg = Debugger(g);
let genObj = null;
dbg.onEnterFrame = frame => {
    frame.onStep = function() {};
    if (genObj !== null) {
        dbg.removeDebuggee(g);
        dbg.addDebuggee(g);
    }
};
genObj = g.f();
for (let x of genObj) {}

Assertion failure: script->stepModeEnabled() || script->hasBreakpointsAt(pc), at jit/VMFunctions.cpp:1145

let g = newGlobal({newCompartment: true});
g.eval('function* f() { yield 1; yield 2; }');
let dbg = Debugger(g);
let genObj = null;
dbg.onEnterFrame = frame => {
    frame.onStep = function() {};
    if (genObj !== null) {
        dbg.removeDebuggee(g);
    }
};
genObj = g.f();
for (let x of genObj) {}

Assertion failure: frame->isDebuggee(), at jit/VMFunctions.cpp:1137

HandleDebugTrap calls DebugAfterYield, which can call the onEnterFrame debugger hook.
This hook can mess with debugger state so HandleDebugTrap needs to be a bit more
careful with its assertions.

Blocks: 1562129
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/42c0603e8464
Fix some bugs in HandleDebugTrap + DebugAfterYield interaction. r=jimb
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
You need to log in before you can comment on or make changes to this bug.