Assertion failure: obj->getClass() == &class_, at js/src/debugger/Debugger-inl.h:14 or Crash [@ js::Debugger::wrapVariantReferent] with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | unaffected |
| firefox70 | --- | fixed |
People
(Reporter: decoder, Assigned: bhackett1024)
References
(Regression)
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
The following testcase crashes on mozilla-central revision b0124f065629 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):
var lfOffThreadGlobal = newGlobal();
evaluate(`
nukeAllCCWs();
var g92 = newGlobal({ newCompartment: true });
var dbg = Debugger(g92);
var gdbg = dbg.addDebuggee(g92);
gdbg.setInstrumentation(
gdbg.makeDebuggeeValue((kind, script, offset) => {}),
["breakpoint"]
);
gdbg.setInstrumentationActive(true);
g92.eval(\`
function basic() {}
\`);
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::Debugger::fromJSObject (obj=<optimized out>) at js/src/debugger/Debugger-inl.h:14
#1 0x0000555555e2bdbc in js::DebugAPI::getScriptInstrumentationId (cx=0x7ffff5f23000, dbgObject=..., dbgObject@entry=..., script=script@entry=..., rval=...) at js/src/debugger/Debugger.cpp:6415
#2 0x0000555555a57e46 in js::RealmInstrumentation::getScriptId (cx=<optimized out>, global=..., script=..., id=id@entry=0x7fffffffa4f4) at js/src/vm/Instrumentation.cpp:238
#3 0x0000555555a5818e in js::InstrumentationScriptIdOperation (cx=<optimized out>, script=..., rv=...) at js/src/vm/Instrumentation.cpp:263
#4 0x00005555558d54b8 in Interpret (cx=0x7ffff5f23000, state=...) at js/src/vm/Interpreter.cpp:4372
[...]
#40 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11375
rax 0x555557d12200 93825033904640
rbx 0x7ffff5f23000 140737319677952
rcx 0x555556ca00e0 93825016660192
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffa3c0 140737488331712
rsp 0x7fffffffa3c0 140737488331712
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6cc0 140737354034368
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffa780 140737488332672
r13 0x7fffffffa438 140737488331832
r14 0x7fffffffa470 140737488331888
r15 0x7ffff5f6e800 140737319987200
rip 0x555555e45d39 <js::Debugger::fromJSObject(JSObject const*)+89>
=> 0x555555e45d39 <js::Debugger::fromJSObject(JSObject const*)+89>: movl $0x0,0x0
0x555555e45d44 <js::Debugger::fromJSObject(JSObject const*)+100>: ud2
|
||
Updated•6 years ago
|
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/e802face8e04
user: Brian Hackett
date: Mon Jul 08 09:41:21 2019 -1000
summary: Bug 1554524 Part 4 - Add Debugger interface for instrumenting scripts, r=jimb,tcampbell.
changeset: https://hg.mozilla.org/mozilla-central/rev/5ff79e46fcf4
user: Brian Hackett
date: Mon Jul 08 10:23:34 2019 -1000
summary: Bug 1554524 Part 5 - Emit instrumentation opcodes when they have been set in a realm, r=tcampbell.
changeset: https://hg.mozilla.org/mozilla-central/rev/b0817ca77a5a
user: Brian Hackett
date: Mon Jul 08 10:24:28 2019 -1000
summary: Bug 1554524 Part 6 - Disallow XDR in realms using instrumentation, r=tcampbell.
changeset: https://hg.mozilla.org/mozilla-central/rev/51161275a65e
user: Brian Hackett
date: Mon Jul 08 10:25:21 2019 -1000
summary: Bug 1554524 Part 7 - Add interpreter and JIT support for instrumentation opcodes, r=jandem,tcampbell.
Brian, is bug 1554524 a likely regressor?
|
Assignee | |
Comment 2•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
||
Comment 4•5 years ago
|
||
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•3 years ago
|
Description
•