Closed Bug 1640034 Opened 4 years ago Closed 4 years ago

Capturing a SavedFrame stack from inside a Debugger eval can cause assertion failures

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox79 --- fixed

People

(Reporter: loganfsmyth, Assigned: loganfsmyth)

Details

Attachments

(1 file)

Bug 1640034 - Ensure that we don't bail when we need the parent frame created. r=jorendorff!
47 bytes, text/x-phabricator-request
Details | Review

The following snippet reproduces:

const global = newGlobal({ newCompartment: true });
const dbg = new Debugger(global);
dbg.onDebuggerStatement = function() {
  const frame = dbg.getNewestFrame();

  bindToAsyncStack(function() {
    frame.eval(`saveStack()`);
  }, {
    stack: saveStack(),
  })();
};
global.eval(`debugger;`);

The inline comment explains most of this, but essentially because we bail out
of the FrameIter loop early when we find an asyncStack, we can end up with
cases where the a Debugger eval's parent frame either hasn't been populated in
the LiveSavedFrameCache at all, or else has been, but is not instantiated
in the correct realm.

This patch avoids that by no longer bailing when asyncStacks are found, and
instead traversing the whole stack still to make sure that the invariants
for the LiveSavedFrameCache are preserved properly.

Depends on D76425

Severity: -- → S3
Priority: -- → P2
Pushed by loganfsmyth@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/eb657b731e1a
Ensure that we don't bail when we need the parent frame created. r=jorendorff

https://hg.mozilla.org/mozilla-central/rev/eb657b731e1a

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: