Closed Bug 749697 Opened 9 years ago Closed 9 years ago

Assertion failure: cx->stack.containsSlow(fp)

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla15

People

(Reporter: past, Assigned: jorendorff)

Attachments

(2 files)

STR:

1) Apply patches in bug 723062 and bug 724862 on top of fx-team.
2) Visit http://htmlpad.org/debugger/
3) Open the debugger.
4) Set a breakpoint in line 12 of the debugger/ script.
5) Click on 'Click me!'.
6) In the variables pane, change the value of 'a' to 2 and hit ENTER.
7) Boom.

Crash data:

http://past.pastebin.mozilla.org/1601020

Jason, this still happens in fx-team tip, although the line is the previous one:

Assertion failure: cx->stack.containsSlow(fp), at /Users/past/src/fx-team/js/src/jsdbgapi.cpp:557

The funny thing about this is that the frame must already have passed the assertion in THIS_FRAME() that StackContains(cx, fp). It's not immediately clear what difference there is between the two; I'll look closer tomorrow.
Assignee: general → jorendorff
Status: I reproduced this, filed bug 755808 to make this testable in the shell, wrote a shell test case, figured out why it's crashing, and asked luke what to do. Now trying to actually do that. Here's the test (but you need the patch in bug 755808 to make the test run).


// frame.eval can evaluate code in a frame pushed in another context. Bug 749697.

// In other words, the debugger can see all frames on the stack, even though
// each frame is attached to a particular JSContext and multiple JSContexts may
// have frames on the stack.

var g = newGlobal('new-compartment');
g.eval('function f(a) { debugger; evaluate("debugger;", {newContext: true}); }');

var dbg = new Debugger(g);
var hits = 0;
dbg.onDebuggerStatement = function (frame1) {
    dbg.onDebuggerStatement = function (frame2) {
        assertEq(frame1.eval("a").return, 31);
        hits++;
    };
};

g.f(31);
assertEq(hits, 1);

Weaken this particular assertion. Not a full fix, but a necessary first step.

I decided to use AllFramesIter in the debug-only containsSlow(fp) method because StackSegment::contains(fp) isn't tight enough to use in that assert.
Attachment #624469 - Flags: review?(luke)
Attachment #624469 - Flags: review?(luke) → review+
Attachment #624472 - Flags: review?(luke)
Attachment #624469 - Attachment description: v1 → v1, part 1 - weaken the failing assertion
Comment on attachment 624472
v1, part 2 - the fix and tests

Review of attachment 624472:
-----------------------------------------------------------------

Well that was easy ;)
Attachment #624472 - Flags: review?(luke) → review+
Depends on: 755808
https://hg.mozilla.org/mozilla-central/rev/64a08b7fbbb7
https://hg.mozilla.org/mozilla-central/rev/7af988cb3ad9
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15