Closed Bug 744730 Opened 13 years ago Closed 13 years ago

[jsdbg2] Assertion failure: uint32_t(prevpc_ - prev_->script()->code) < prev_->script()->length, at js/src/vm/Stack-inl.h:108

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

v1
1.87 KB, patch
jimb
: review+
Details | Diff | Splinter Review
The following code asserts on mozilla-central revision 3fa30b0edd15 (options -n -m -a): var g = newGlobal('new-compartment'); var dbg = Debugger(g); dbg.onDebuggerStatement = function (stack) { return {return: 1234}; }; g.eval("function f() { debugger; }"); g.eval("function g() { f(); }"); g.eval("function h() { g(); }"); g.eval("function i() { h(); }"); function logger(frame, mark) { return function (completion) { }; } dbg.onEnterFrame = function handleEnter(f) { f.onPop = logger(f, f.callee.name + ")"); }; g.i();
Still occurs (with --no-ion -m -n -a): var g = newGlobal('new-compartment'); var dbg = Debugger(g); dbg.onDebuggerStatement = function (f) { return {return: 1234}; }; dbg.onEnterFrame = function (f) { f.onPop = function () {}; }; g.eval("debugger;"); onPop hooks are strange. They cause us to re-enter the interpreter from js::ScriptDebugEpilogue. We re-enter via Invoke, which asserts that the previous frame's prevpc_ is in the right range; in this case the previous frame is g.eval (the one being popped) and prevpc_ is NULL and *prev_->script() is full of garbage.
Disregard the last paragraph of comment 1. Here's what's really happening. TrampolineCompiler::generateForceReturn calls masm.fallibleVMCall, passing NULL as the pc. masm.fallibleVMCall calls setupFallibleVMframe which faithfully emits code to set regs.pc = NULL. In this case, it happens that the value that was already there was correct. I think it always will be, in the forceReturn path. The "obvious" fix of emitting the code to set regs.pc only if we have a non-null pc to store there seems to work. I'll post the patch Monday. Maybe there's a better way though?
Attached patch v1Splinter Review
Assignee: general → jorendorff
Attachment #687749 - Flags: review?(jimb)
Comment on attachment 687749 [details] [diff] [review] v1 Review of attachment 687749 [details] [diff] [review]: ----------------------------------------------------------------- This looks good. However, the comments atop fallibleVMCall and its subroutines should be changed to document that a NULL pc value means "current regs can be trusted"; that's part of their interface now, so it should appear there, not in the body. Thanks for the fix! I'm a little disturbed our existing tests didn't catch this.
Attachment #687749 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/3b2331322084
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: