Closed Bug 744730 Opened 12 years ago Closed 12 years ago

[jsdbg2] Assertion failure: uint32_t(prevpc_ - prev_->script()->code) < prev_->script()->length, at js/src/vm/Stack-inl.h:108

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

v1
1.87 KB, patch
jimb
: review+
Details | Diff | Splinter Review 
The following code asserts on mozilla-central revision 3fa30b0edd15 (options -n -m -a):


var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (stack) { return {return: 1234}; };
g.eval("function f() { debugger; }");
g.eval("function g() { f(); }");
g.eval("function h() { g(); }");
g.eval("function i() { h(); }");
function logger(frame, mark) { 
    return function (completion) {
    };
}
dbg.onEnterFrame = function handleEnter(f) {
    f.onPop = logger(f, f.callee.name + ")");  
};
g.i();
Still occurs (with --no-ion -m -n -a):

var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (f) { return {return: 1234}; };
dbg.onEnterFrame = function (f) {
    f.onPop = function () {};
};
g.eval("debugger;");



onPop hooks are strange. They cause us to re-enter the interpreter from js::ScriptDebugEpilogue.

We re-enter via Invoke, which asserts that the previous frame's prevpc_ is in the right range; in this case the previous frame is g.eval (the one being popped) and prevpc_ is NULL and *prev_->script() is full of garbage.
Disregard the last paragraph of comment 1. Here's what's really happening.

TrampolineCompiler::generateForceReturn calls masm.fallibleVMCall, passing NULL as the pc.

masm.fallibleVMCall calls setupFallibleVMframe which faithfully emits code to set regs.pc = NULL. In this case, it happens that the value that was already there was correct. I think it always will be, in the forceReturn path.

The "obvious" fix of emitting the code to set regs.pc only if we have a non-null pc to store there seems to work. I'll post the patch Monday. Maybe there's a better way though?
Attached patch v1Splinter Review 
Assignee: general → jorendorff

        Attachment #687749 -
        Flags: review?(jimb)

    
    

    
  
Comment on attachment 687749 [details] [diff] [review]
v1

Review of attachment 687749 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good. However, the comments atop fallibleVMCall and its subroutines should be changed to document that a NULL pc value means "current regs can be trusted"; that's part of their interface now, so it should appear there, not in the body.

Thanks for the fix! I'm a little disturbed our existing tests didn't catch this.

        Attachment #687749 -
        Flags: review?(jimb) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/3b2331322084
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: