Assertion failure: liveStepperCount + suspendedStepperCount == trappingScript->stepperCount(), at js/src/dbg/Debugger.cpp:2599
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
People
(Reporter: decoder, Assigned: jimb)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 3e793ca066f2 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
gczeal(20, 7);
let g = newGlobal({newCompartment: true});
g.eval(`
function* f() {}
`);
function test(ttl) {
let dbg = new Debugger(g);
dbg.onEnterFrame = frame => {
frame.onStep = () => {};
};
result = g.f();
}
for (let ttl = 0; !test(ttl); ttl++) {}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::Debugger::onSingleStep (cx=<optimized out>, vp=..., vp@entry=...) at js/src/dbg/Debugger.cpp:2598
#1 0x000055555616c199 in js::jit::HandleDebugTrap (cx=<optimized out>, frame=0x7fffffffa6b0, retAddr=<optimized out>, mustReturn=0x7fffffffa664) at js/src/jit/VMFunctions.cpp:1162
#2 0x00000bfee6cd5b63 in ?? ()
[...]
#12 0x0000000000000000 in ?? ()
rax 0x555557e25180 93825035030912
rbx 0x7fffffffa060 140737488330848
rcx 0x555556cb7e50 93825016757840
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffa590 140737488332176
rsp 0x7fffffff9f90 140737488330640
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffa0a0 140737488330912
r13 0x15 21
r14 0x3b918ae44040 65496286511168
r15 0x7fffffffa110 140737488331024
rip 0x555555d9d791 <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1873>
=> 0x555555d9d791 <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1873>: movl $0x0,0x0
0x555555d9d79c <js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>)+1884>: ud2
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
||
Comment 1•6 years ago
|
||
Iain, the --ion-offthread-compile=off suggest this might be an issue related to Debugging while being in IonMonkey. Can you investigate this issue, and maybe forward it to Jim if this is only a Debugger and a non-jit issue.
|
||
Comment 2•6 years ago
|
||
The test fails with no options, with |no-ion|, and with |--no-baseline --no-ion|. This does not appear to be a jit bug.
The precise value of the incorrect stepper counts are the same, regardless of options. However, if I play with the frequency set by gczeal, the numbers change. Also, if I convert g.f into a non-generator function, the bug goes away.
Without knowing this code at all, it looks like the code for counting hooks set on suspended generator frames might be incorrect post-GC? A tiny bit of poking around in rr shows that after a GC, suspendedStepperCount goes down, but trappingScript->stepperCount() does not.
Jim, want to take a look?
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/6c8949f053e0
user: Jason Orendorff
date: Tue Oct 23 23:24:11 2018 +0000
summary: Bug 1448880 - Part 6: Re-enable stepping when an async or generator frame with an .onStep hook is resumed. r=jimb
I'm guessing bug 1448880 is related.
|
||
Updated•6 years ago
|
|
|
||
Comment 4•6 years ago
|
||
|
Assignee | |
Comment 5•6 years ago
|
||
I can reproduce this. Taking.
I confirm that as per bug 1584195 comment 15, this bug is fixed by the patch over there in bug 1584195.
Jim, shall we mark this as FIXED?
Marking FIXED by bug 1584195.
|
|
||
Updated•6 years ago
|
|
|
||
Updated•4 years ago
|
Description
•