[jsdbg2] Assertion failure: !script->getGlobalObjectOrNull(), at js/src/vm/Debugger.cpp:2121

VERIFIED FIXED

Status

defect
--
critical
7 years ago

People

(Reporter: decoder, Assigned: jorendorff)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
x86_64
Linux
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:])

The following code asserts on mozilla-central revision 3fa30b0edd15 (options -n -m -a):


var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
    for (var f = frame; f; f = f.older) {
        if (f.type === "call" && f.script !== null)
            (assertEq(dbg.findScripts().length, 0));
        assertEq(frame.eval("x();"), null);
    }
};
g.eval("function z() { debugger; }");
g.eval("function y() { z(); }");
g.eval("function x() { y(); }");
assertEq(g.eval("debugger; 'ok';"), "ok");

Doesn't reproduce. Maybe fixed? Bisecting.
Assignee: general → jorendorff
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,bisectfix]
Unless it's just sporadic, we have:

The first good revision is:
changeset:   95772:b863ef9946b8
user:        Luke Wagner <luke@mozilla.com>
date:        Thu Feb 23 13:59:10 2012 -0800
summary:     Bug 659577 - Don't alias stack variables (r=bhackett)

The relevant change was in Debugger.cpp:

>@@ -3370,6 +3376,7 @@ js::EvaluateInEnv
>     if (!script)
>         return false;
> 
>+    script->isActiveEval = true;
>     return ExecuteKernel(cx, script, *env, fp->thisValue(), EXECUTE_DEBUG, fp, rval);
> }
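Review bot: The added line script->isActiveEval = true; in js::EvaluateInEnv carries no comment explaining why a script run through the debugger's EXECUTE_DEBUG path should be flagged as an active eval script. Please add a one-line comment naming the invariant this flag is meant to satisfy, and say whether it is intentional that nothing in this function clears the flag again once ExecuteKernel returns. Since the flag is set unconditionally after the !script check, a regression test that goes through this function would help keep the behaviour from changing silently.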

In other words, Debugger.Frame.eval() and Debugger.Object.evalInGlobal() scripts are now marked as eval scripts.

I'm not sure why luke changed this, but it definitely fixed this specific bug.

Minimized test case:
var g = newGlobal('new-compartment');
var dbg = Debugger(g);
dbg.onDebuggerStatement = function (frame) {
    dbg.onDebuggerStatement = function (frame) {
        dbg.findScripts();
    };
    frame.eval("debugger;");
};
g.eval("debugger;");

I'll check in the passing test and close the bug.
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> Unless it's just sporadic, we have:

Oops stray line; I should've revised it out when I realized the bug isn't sporadic and everything totally makes sense.
Pushed tests.

http://hg.mozilla.org/integration/mozilla-inbound/rev/2cf3cca4171e
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Fix is known, updating JSBugMon, in lieu of tests landing, marking in-testsuite+ and VERIFIED.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Whiteboard: [jsbugmon:update,bisect,bisectfix] → [jsbugmon:]
"in lieu of" means "instead of".

"in light of" something means taking it into consideration.
(In reply to Jason Orendorff [:jorendorff] from comment #6)
> "in lieu of" means "instead of".
> 
> "in light of" something means taking it into consideration.

Oops, I definitely meant the latter, I guess.