Assertion failure: cx->stack.containsSlow(fp)

RESOLVED FIXED in mozilla15

Status

Core
JavaScript Engine
5 years ago

People

(Reporter: past, Assigned: jorendorff)

Tracking

Trunk
mozilla15
x86
Mac OS X

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

STR:

1) Apply patches in bug 723062 and bug 724862 on top of fx-team.
2) Visit http://htmlpad.org/debugger/
3) Open the debugger.
4) Set a breakpoint in line 12 of the debugger/ script.
5) Click on 'Click me!'.
6) In the variables pane, change the value of 'a' to 2 and hit ENTER.
7) Boom.

Crash data:

http://past.pastebin.mozilla.org/1601020
Jason, this still happens in fx-team tip, although the line is the previous one:

Assertion failure: cx->stack.containsSlow(fp), at /Users/past/src/fx-team/js/src/jsdbgapi.cpp:557
(Assignee)

Comment 2

5 years ago
The funny thing about this is that the frame must already have passed the assertion in THIS_FRAME() that StackContains(cx, fp). It's not immediately clear what difference there is between the two; I'll look closer tomorrow.
Assignee: general → jorendorff
(Assignee)

Comment 3

5 years ago
Status: I reproduced this, filed bug 755808 to make this testable in the shell, wrote a shell test case, figured out why it's crashing, and asked luke what to do. Now trying to actually do that. Here's the test (but you need the patch in bug 755808 to make the test run).


// frame.eval can evaluate code in a frame pushed in another context. Bug 749697.

// In other words, the debugger can see all frames on the stack, even though
// each frame is attached to a particular JSContext and multiple JSContexts may
// have frames on the stack.

var g = newGlobal('new-compartment');
g.eval('function f(a) { debugger; evaluate("debugger;", {newContext: true}); }');

var dbg = new Debugger(g);
var hits = 0;
dbg.onDebuggerStatement = function (frame1) {
    dbg.onDebuggerStatement = function (frame2) {
        assertEq(frame1.eval("a").return, 31);
        hits++;
    };
};

g.f(31);
assertEq(hits, 1);
(Assignee)

Comment 4

5 years ago
Created attachment 624469
v1, part 1 - weaken the failing assertion

Weaken this particular assertion. Not a full fix, but a necessary first step.

I decided to use AllFramesIter in the debug-only containsSlow(fp) method because StackSegment::contains(fp) isn't tight enough to use in that assert.
Attachment #624469 - Flags: review?(luke)

Updated

5 years ago
Attachment #624469 - Flags: review?(luke) → review+
(Assignee)

Comment 5

5 years ago
Created attachment 624472
v1, part 2 - the fix and tests
Attachment #624472 - Flags: review?(luke)
(Assignee)

Updated

5 years ago
Attachment #624469 - Attachment description: v1 → v1, part 1 - weaken the failing assertion

Comment 6

5 years ago
Comment on attachment 624472
v1, part 2 - the fix and tests

Review of attachment 624472:
-----------------------------------------------------------------

Well that was easy ;)
Attachment #624472 - Flags: review?(luke) → review+
(Assignee)

Updated

5 years ago
Depends on: 755808
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/64a08b7fbbb7
https://hg.mozilla.org/integration/mozilla-inbound/rev/7af988cb3ad9
https://hg.mozilla.org/mozilla-central/rev/64a08b7fbbb7
https://hg.mozilla.org/mozilla-central/rev/7af988cb3ad9
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15