Closed
Bug 717417
Opened 13 years ago
Closed 13 years ago
[jsdbg2] Assertion failure: isFunctionFrame(), at js/src/vm/Stack-inl.h:75
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla12
People
(Reporter: decoder, Assigned: jimb)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files, 1 obsolete file)
1.81 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
2.74 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
The following code asserts on mozilla-central (revision 4de07a341aab, options -n -m -a):
var lfcode = new Array();
lfcode.push("\
var g = newGlobal('new-compartment');\
var dbg = Debugger(g);\
dbg.onDebuggerStatement = function (frame) {\
assertEq(frame.eval(\"f();\"), null);\
};\
dbg.onExceptionUnwind = function (frame, exc) {\
log += 'u';\
};\
g.eval('debugger;');\
");
lfcode.push("var g = newGlobal('new-compartment');\
function LocalTZA() {}\
function LocalTime( t ) {\
return ( t + LocalTZA() + DaylightSavingTA(t) );\
}\
function DaylightSavingTA( t ) {\
var dst_start = GetDSTStart(t);\
}\
function GetFirstSundayInMonth( t, m ) {}\
function GetDSTStart( t ) {\
return (GetFirstSundayInMonth(t, 2) + 7*msPerDay + 2*msPerHour - LocalTZA());\
}\
addNewTestCase(\
'TDATE = new Date(0); TDATE.setMonth(1,1,1,1,1,1); TDATE',\
UTCDateFromTime(SetMonth(0,1,1)),\
LocalDateFromTime(SetMonth(0,1,1)) );\
function addNewTestCase( DateString, UTCDate, LocalDate) {}\
function UTCDateFromTime(t) {}\
function SetMonth( t, mon, date ) {\
var TIME = LocalTime(t);\
}\
");
evaluate(lfcode[0]);
evaluate(lfcode[1]);
Assignee | ||
Comment 1•13 years ago
|
||
Reproduced.
Assignee | ||
Updated•13 years ago
|
Assignee: jorendorff → jimb
Assignee | ||
Comment 2•13 years ago
|
||
Reduced:
var g = newGlobal('new-compartment');
var dbg = Debugger(g);
var frame;
dbg.onExceptionUnwind = function (f, x) {
frame = f;
assertEq(frame.live, true);
throw 'unhandled';
};
dbg.onDebuggerStatement = function(f) {
assertEq(f.eval('throw 42'), null);
assertEq(frame.live, false);
};
g.eval('debugger');
It seems like an unhandled exception from onExceptionUnwind can cause us to skip a ScriptDebugEpilogue.
Assignee | ||
Comment 3•13 years ago
|
||
One-line fix, 33 lines of tests. Great day. :)
Attachment #588309 -
Flags: review?(jorendorff)
Comment 4•13 years ago
|
||
Comment on attachment 588309 [details] [diff] [review]
Don't skip ScriptDebugEpilogue when an onExceptionUnwind handler throws an uncaught exception or terminates the debuggee.
I don't understand this code very well, but I don't think this is quite right. I think you also need:
>+ if (cx->isExceptionPending()) {
> pc = FindExceptionHandler(cx);
> if (pc)
> break;
>+ }
with appropriate re-indentation, of course, and an appropriate test.
These tests will fail to produce the desired situation if we ever change onExceptionUnwind error handling to match the spec (throw to the debuggee rather than terminate it) -- which I would really like to do!
So, though I hate to add more work on this fairly simple patch, I would appreciate tests that trigger the same behavior in a different way. You could use another Debugger to terminate the onExceptionUnwind hook-- but a more direct approach would be to add a terminate() function to the shell.
Clearing review flag.
Attachment #588309 -
Flags: review?(jorendorff)
Assignee | ||
Comment 5•13 years ago
|
||
Unless there's a pre-existing bug, I think it must be correct as written:
If a stub makes some call that is terminated, then the stub will call THROW(), and control will reach js_InternalThrow with no exception set. The whole call to Debugger::onExceptionUnwind will be skipped, and control then reaches the FindExceptionHandler call you mention. Since that's the path normally taken for termination, it must be okay if a termination caused by onExceptionUnwind takes that same path.
Oh, here's the answer: FindExceptionHandler checks cx->isExceptionPending.
Assignee | ||
Comment 6•13 years ago
|
||
I think a 'terminate' function in the shell would be awesome.
Assignee | ||
Comment 7•13 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #4)
> These tests will fail to produce the desired situation if we ever change
> onExceptionUnwind error handling to match the spec (throw to the debuggee
> rather than terminate it) -- which I would really like to do!
Are you confusing onExceptionUnwind and handleUncaughtException? In onExceptionUnwind-09.js, the onExceptionUnwind handler explicitly requests termination, which won't be affected by any improvements to the unhandled exception handling (now that's one that should be returned to the State Home For Unfortunate Noun Clauses).
Assignee | ||
Comment 8•13 years ago
|
||
Attachment #588656 -
Flags: review?(jorendorff)
Assignee | ||
Comment 9•13 years ago
|
||
Added test in which the onExceptionUnwind handler is explicitly terminated.
Attachment #588309 -
Attachment is obsolete: true
Attachment #588657 -
Flags: review?(jorendorff)
Comment 10•13 years ago
|
||
Comment on attachment 588656 [details] [diff] [review]
Add 'terminate' shell primitive.
OK. It's Really Too Bad that this results in a 0 exit code from the shell. Is that bug on file?
Attachment #588656 -
Flags: review?(jorendorff) → review+
Comment 11•13 years ago
|
||
Comment on attachment 588657 [details] [diff] [review]
Don't skip ScriptDebugEpilogue when an onExceptionUnwind handler throws an uncaught exception or terminates the debuggee.
I misread onExceptionUnwind-09. Oops. Yeah, this is great.
Attachment #588657 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 12•13 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #10)
> OK. It's Really Too Bad that this results in a 0 exit code from the shell.
> Is that bug on file?
Filed, bug 718786.
Assignee | ||
Comment 13•13 years ago
|
||
Assignee: jimb → blackconnect
Status: NEW → ASSIGNED
Component: JavaScript Engine → Java-Implemented Plugins
Flags: in-testsuite+
OS: Linux → All
QA Contact: general → blackconnect
Hardware: x86_64 → All
Target Milestone: --- → mozilla13
Assignee | ||
Comment 14•13 years ago
|
||
Try server run: https://tbpl.mozilla.org/?tree=Try&rev=3d5d769f323e
Assignee | ||
Comment 15•13 years ago
|
||
Thanks, bugzilla.
Assignee: blackconnect → general
Component: Java-Implemented Plugins → JavaScript Engine
QA Contact: blackconnect → general
Updated•13 years ago
|
Assignee: general → jimb
Comment 16•13 years ago
|
||
Target Milestone: mozilla13 → mozilla12
Comment 17•13 years ago
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•