TI: "Assertion failure: script->code <= pc && pc < endpc,"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 7 years ago
Modified: 6 years ago
People: Reporter: gkw, Unassigned

Tracking: Blocks 2 bugs; Keywords: assertion, regression, testcase
Version: Trunk
Bug Flags: in-testsuite+

Description (Reporter, 7 years ago)

Created attachment 538050: stack

var e = newGlobal("new-compartment");  // shell builtin: a global object living in a separate compartment
for (let w in [0, 0, 0, 0, 0, 0, 0, 0]) {  // repeated so the loop body is run under the JIT (-j)
    -e;  // unary minus on the cross-compartment wrapper, which calls back into the other compartment
}

asserts js debug shell on JM changeset a53db4f2d235 with -j at Assertion failure: script->code <= pc && pc < endpc,
Comment 1 (Reporter, 7 years ago)

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   71039:afe33041f481
user:        Brian Hackett
date:        Tue Jun 07 17:44:07 2011 -0700
summary:     [INFER] Make sure to get the topmost scripted frame's pc in ContextStack::currentScript, bug 662562.
Blocks: 662562; Keywords: regression; OS: Linux → All; Hardware: x86 → All

The problem is that using currentScript in js_InferFlags made a very subtle change to the semantics, where we called Detecting when the topmost frame is a dummy frame (for a cross compartment wrapper), breaking the assert being tripped here (as cx->fp() does not correspond to the script being tested).

I'd like to fix this by making stack.currentScript and stack.currentScriptedScopeChain return NULL if the topmost scripted frame is in another compartment.  I don't think there's any sane way we could behave by trying to use a frame or script from another compartment.  It would also be nice to do this for js_GetScriptedCaller, but this is used by the debug API and I have no idea what behavior is expected here.  Luke, thoughts?
Return NULL for currentScript() if the topmost scripted frame is in a different compartment from cx->compartment.  Doesn't change js_GetScriptedCaller's behavior, though this function isn't called much now that currentScript and currentScriptedScopeChain exist.  currentScriptedScopeChain is already guaranteed to return an object from cx->compartment.

http://hg.mozilla.org/projects/jaegermonkey/rev/279a046a56cd
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
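The fix described above, rendered as a toy model that is not SpiderMonkey code: a frame stack where a dummy frame (pushed when entering a cross-compartment wrapper) sits above a scripted frame from another compartment, the pre-fix lookup that hands back that foreign script, the post-fix lookup that returns NULL instead, and the invariant behind the tripped assertion. All type and function names here are assumptions made for illustration.

```cpp
#include <cstddef>
#include <vector>

struct Compartment { int id; };

// A script's bytecode; the assertion in the bug checks pc against [code, code+length).
struct Script {
    Compartment* compartment;
    unsigned char code[16];
    size_t length;
    const unsigned char* end() const { return code + length; }
};

// A dummy frame (pushed when crossing into a wrapper's compartment) has no script.
struct Frame {
    Script* script;           // nullptr for dummy frames
    const unsigned char* pc;
    bool isScripted() const { return script != nullptr; }
};

struct Context {
    Compartment* compartment; // models cx->compartment
    std::vector<Frame> frames; // bottom .. top
};

// Before the fix: the topmost scripted frame's script, whatever its compartment.
Script* currentScriptUnchecked(const Context& cx) {
    for (size_t i = cx.frames.size(); i-- > 0;)
        if (cx.frames[i].isScripted()) return cx.frames[i].script;
    return nullptr;
}

// After the fix: NULL when that script belongs to a compartment other than cx's.
Script* currentScript(const Context& cx) {
    Script* s = currentScriptUnchecked(cx);
    return (s && s->compartment == cx.compartment) ? s : nullptr;
}

// The invariant behind "script->code <= pc && pc < endpc": a pc is only
// meaningful against the script it was taken from.
bool pcInScript(const Script* script, const unsigned char* pc) {
    return script && pc && script->code <= pc && pc < script->end();
}

// Constructed scenario: cx runs in compartment A; above a compartment-B frame
// sits a dummy frame, as when the testcase applies unary minus to a wrapper.
static Compartment compA{1}, compB{2};
static Script scriptA{&compA, {}, 8}, scriptB{&compB, {}, 8};
Context makeCrossCompartmentContext() {
    return Context{&compA, {Frame{&scriptA, scriptA.code + 2},
                            Frame{&scriptB, scriptB.code + 3},
                            Frame{nullptr, nullptr}}};
}
```

Callers such as the modelled js_InferFlags path must treat a NULL result as "no script to inspect" and skip the Detecting check rather than pairing the foreign script with a pc from the current compartment's frame.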
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug662841.js.
Flags: in-testsuite+