Assertion failure: cx->stack.containsSlow(fp)

RESOLVED FIXED in mozilla15



JavaScript Engine
5 years ago


(Reporter: past, Assigned: jorendorff)


Mac OS X

Firefox Tracking Flags

(Not tracked)



(2 attachments)


1) Apply patches in bug 723062 and bug 724862 on top of fx-team.
2) Visit
3) Open the debugger.
4) Set a breakpoint in line 12 of the debugger/ script.
5) Click on 'Click me!'.
6) In the variables pane, change the value of 'a' to 2 and hit ENTER.
7) Boom.

Crash data:
Jason, this still happens in fx-team tip, although the line is the previous one:

Assertion failure: cx->stack.containsSlow(fp), at /Users/past/src/fx-team/js/src/jsdbgapi.cpp:557

Comment 2

5 years ago
The funny thing about this is that the frame must already have passed the assertion in THIS_FRAME() that StackContains(cx, fp). It's not immediately clear what difference there is between the two; I'll look closer tomorrow.
Assignee: general → jorendorff

Comment 3

5 years ago
Status: I reproduced this, filed bug 755808 to make this testable in the shell, wrote a shell test case, figured out why it's crashing, and asked luke what to do. Now trying to actually do that. Here's the test (but you need the patch in bug 755808 to make the test run).

// frame.eval can evaluate code in a frame pushed in another context. Bug 749697.

// In other words, the debugger can see all frames on the stack, even though
// each frame is attached to a particular JSContext and multiple JSContexts may
// have frames on the stack.

var g = newGlobal('new-compartment');
g.eval('function f(a) { debugger; evaluate("debugger;", {newContext: true}); }');

var dbg = new Debugger(g);
var hits = 0;
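// The outer handler fires for the debugger statement inside f; the inner one
// fires for the debugger statement evaluated in the new context.
dbg.onDebuggerStatement = function (frame1) {
    dbg.onDebuggerStatement = function (frame2) {
        assertEq(frame1.eval("a").return, 31);
        hits++;
    };
};

g.f(31);
assertEq(hits, 1);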

Comment 4

5 years ago
Created attachment 624469 [details] [diff] [review]
v1, part 1 - weaken the failing assertion

Weaken this particular assertion. Not a full fix, but a necessary first step.

I decided to use AllFramesIter in the debug-only containsSlow(fp) method because StackSegment::contains(fp) isn't tight enough to use in that assert.
Attachment #624469 - Flags: review?(luke)


5 years ago
Attachment #624469 - Flags: review?(luke) → review+
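
An added illustration of the distinction drawn in comments 2 to 4, not code from the attached patches or from SpiderMonkey: a simplified C++ model in which every type and function name is hypothetical. It assumes the failing assertion accepted only frames on the asserting context's own stack, and it reads "isn't tight enough" as an address-range test that also accepts pointers that are not the start of a frame.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical, simplified model; none of these are SpiderMonkey's real types.
struct Frame { int ownerCx; int argA; };

struct Segment {                 // frames pushed by a single context
    int cx;
    std::vector<Frame> frames;
};

struct Stack { std::vector<Segment> segments; };

// Per-context walk: accepts only frames pushed by `cx`.
bool containsForContext(const Stack &s, int cx, const void *fp) {
    for (const Segment &seg : s.segments)
        if (seg.cx == cx)
            for (const Frame &f : seg.frames)
                if (&f == fp) return true;
    return false;
}

// All-frames walk: accepts a frame pushed by any context, but still
// requires fp to be the start of a real frame.
bool containsAnyContext(const Stack &s, const void *fp) {
    for (const Segment &seg : s.segments)
        for (const Frame &f : seg.frames)
            if (&f == fp) return true;
    return false;
}

// Address-range test (assumed meaning of "not tight enough"): accepts any
// pointer that lands inside a segment's storage.
bool containsByRange(const Stack &s, const void *p) {
    auto a = reinterpret_cast<std::uintptr_t>(p);
    for (const Segment &seg : s.segments) {
        auto lo = reinterpret_cast<std::uintptr_t>(seg.frames.data());
        if (a >= lo && a < lo + seg.frames.size() * sizeof(Frame)) return true;
    }
    return false;
}

// Constructed scenario mirroring the shell test: context 1 runs f(31), then
// a new context 2 runs the evaluated script while f's frame is still live.
Stack makeStack() {
    return Stack{{ Segment{1, {Frame{1, 31}}}, Segment{2, {Frame{2, 0}}} }};
}
```

In this model a debugger running in context 2 that holds the frame of f fails the per-context check, passes the all-frames walk, and a pointer one byte into that frame passes only the range test.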

Comment 5

5 years ago
Created attachment 624472 [details] [diff] [review]
v1, part 2 - the fix and tests
Attachment #624472 - Flags: review?(luke)


5 years ago
Attachment #624469 - Attachment description: v1 → v1, part 1 - weaken the failing assertion

Comment 6

5 years ago
Comment on attachment 624472 [details] [diff] [review]
v1, part 2 - the fix and tests

Review of attachment 624472 [details] [diff] [review]:

Well that was easy ;)
Attachment #624472 - Flags: review?(luke) → review+


5 years ago
Depends on: 755808

Comment 7

5 years ago
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15