Assertion failure: CanUseDebugScopeMaps(cx), at js/src/vm/ScopeObject.cpp

RESOLVED FIXED in mozilla17

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: past, Assigned: luke)

Tracking

Trunk
mozilla17
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Stack:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   js::DebugScopes::hasDebugScope(JSContext*, js::ScopeObject&) const + 79 (Utility.h:890)
1   GetDebugScopeForScope(JSContext*, JS::Handle<js::ScopeObject*>, js::ScopeIter const&) + 49 (ScopeObject.cpp:1847)
2   GetDebugScope(JSContext*, js::ScopeIter const&) + 915 (Utility.h:716)
3   js::GetDebugScopeForFrame(JSContext*, js::StackFrame*) + 171 (Utility.h:716)
4   JS_GetFrameCallObject + 116 (jsdbgapi.cpp:573)
5   xpc_PrintJSStack(JSContext*, int, int, int) + 3584 (XPCDebug.cpp:92)
6   xpc_DebuggerKeywordHandler(JSContext*, JSScript*, unsigned char*, JS::Value*, void*) + 71 (XPCDebug.cpp:267)
7   js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) + 80984 (jsinterp.cpp:3301)


This occurred quite a few times with the patch from bug 783393 applied. I haven't tested without it, yet. I was going back and forward between two or more pages in my browser history in the same tab, with the debugger open. The two pages most reliably causing the assertion were:
http://htmlpad.org/debugger/
http://htmlpad.org/debugger-with/

I'll see if I can get more precise STR tomorrow.

Full stack:
http://past.pastebin.mozilla.org/1770631
(Assignee)

Comment 1

5 years ago
Ah, DebugScopes::onCompartmentLeaveDebugMode clears the compartment from missingScopes and liveScopes, but not proxiedScopes.  I think this is technically fine, since proxiedScopes is a WeakMap and doesn't rely on any onPop* calls, but it would be more regular to clear it out like the others.  I'll put up a patch to test in a moment.
(Assignee)

Comment 2

5 years ago
Created attachment 654286 [details] [diff] [review]
fix

Panos, could you apply this patch and tell me if it makes the assert go away?
Assignee: general → luke
Status: NEW → ASSIGNED
I think you nailed it! I can't seem to trigger the assert no matter what I try.
(Assignee)

Comment 4

5 years ago
Comment on attachment 654286 [details] [diff] [review]
fix

Thanks Panos!
Attachment #654286 - Flags: review?(jimb)

Comment 5

5 years ago
Luke, can you construct a regression test for this, knowing what the fix is?

Updated

5 years ago
Attachment #654286 - Flags: review?(jimb) → review+
(Assignee)

Comment 6

5 years ago
(In reply to Jim Blandy :jimb from comment #5)
I'd like to, but to exercise the bug you need to call JS_GetDebugScopeForFrame outside debug mode which is only possible via JS_GetFrameCallObject called from xpc_PrintJSStack (via the xpc_DebuggerKeywordHandler).  In theory, I could add a bunch of shell function to call JS_GetFrameCallObject but JS_GetFrameCallObject should be removed (and the one use in XPConnect pulled inside the JS engine where it can be rewritten 10x more cleanly) so I'd rather not.
(Assignee)

Comment 7

5 years ago
(In reply to Luke Wagner [:luke] from comment #6)
> add a bunch of shell function

err, just one, not a bunch :)
(Assignee)

Comment 8

5 years ago
I'll push the fix for now to make sure this is in the next aurora uplift.  If you think it's important enough, we can subsequently work on a test-case.
https://hg.mozilla.org/integration/mozilla-inbound/rev/88d90921b348

Comment 9

5 years ago
(In reply to Luke Wagner [:luke] from comment #6)
> (In reply to Jim Blandy :jimb from comment #5)
> I'd like to, but to exercise the bug you need to call
> JS_GetDebugScopeForFrame outside debug mode which is only possible via
> JS_GetFrameCallObject called from xpc_PrintJSStack (via the
> xpc_DebuggerKeywordHandler).  In theory, I could add a bunch of shell
> function to call JS_GetFrameCallObject but JS_GetFrameCallObject should be
> removed (and the one use in XPConnect pulled inside the JS engine where it
> can be rewritten 10x more cleanly) so I'd rather not.

That sounds cool with me. Is there a follow-up bug filed for getting rid of JS_GetFrameCallObject (or something else that will ensure it gets done)?
(Assignee)

Comment 10

5 years ago
(In reply to Jim Blandy :jimb from comment #9)
Well, JS_GetFrameCallObject is in the same suck-ness class as JS_GetFrameScopeChain which is jsd's primary mechanism for obtaining scopes.  Until we switch FB to jsdbg2 and kill jsd we are stuck with them.  (Note: Firebug will be calling JS_GetFrameScopeChain with debugMode on, thus not being able to hit this bug.)
https://hg.mozilla.org/mozilla-central/rev/88d90921b348
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
You need to log in before you can comment on or make changes to this bug.