Closed Bug 876226 Opened 11 years ago Closed 11 years ago

Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp or Assertion failure: space().firstUnused() == seg_->invokeArgsEnd(), at vm/Stack.cpp or Assertion failure: regs_, or Assertion failure: cx->maybeRegs() == &regs_,

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla24

People

(Reporter: gkw, Assigned: jandem)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])

Attachments

(4 files, 1 obsolete file)

Attached file stack
evaluate("()", {
    saveFrameChain: true
});

asserts js debug shell on m-c changeset 0fed3377c839 without any CLI arguments at Assertion failure: hasfp(), at vm/Stack.h

The simplicity of this testcase is causing it to show up repeatedly in jsfunfuzz.
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
A similar testcase:

evaluate(")", {
    newContext: new Set,
    saveFrameChain: true
});

causes Assertion failure: !seg_, at vm/Stack.cpp
Summary: Assertion failure: hasfp(), at vm/Stack.h → Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp
Run the testcase in comment 0 with --baseline-eager --no-ti --no-ion and you will get yet another assert: Assertion failure: space().firstUnused() == seg_->invokeArgsEnd(), at vm/Stack.cpp
Summary: Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp → Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp or Assertion failure: space().firstUnused() == seg_->invokeArgsEnd(), at vm/Stack.cpp
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   132897:e00506a9478f
user:        Jan de Mooij
date:        Fri May 24 14:03:36 2013 +0200
summary:     Bug 875473 - Add saveFrameChain option to shell evaluate function. r=luke
Blocks: 875473
Flags: needinfo?(jdemooij)
(function() {
    evaluate("(7)(1)", {
        catchTermination: x = 1,
        saveFrameChain: true
    })
})()

Assertion failure: regs_, at vm/Stack.h

evaluate("(7)(1)", {
    catchTermination: x = 1,
    saveFrameChain: true
})

Assertion failure: cx->maybeRegs() == &regs_, at jscntxtinlines.h
Summary: Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp or Assertion failure: space().firstUnused() == seg_->invokeArgsEnd(), at vm/Stack.cpp → Assertion failure: hasfp(), at vm/Stack.h or Assertion failure: !seg_, at vm/Stack.cpp or Assertion failure: space().firstUnused() == seg_->invokeArgsEnd(), at vm/Stack.cpp or Assertion failure: regs_, or Assertion failure: cx->maybeRegs() == &regs_,
evaluate("u", {
    catchTermination: (/x/ != 4),
    saveFrameChain: true
})
this.a

Crash [@ js::PropertyCache::fullTest] when passed in as a CLI argument.
s = newGlobal('')
try {
    evalcx("\
           Object.defineProperty(this, \"v1\", {\
                get: function() {\
                    return evaluate(\")\", {\
                        saveFrameChain: x\
                    })\
                }\
            });\
            ((x) =__defineGetter__(\"\", (function() {})))\
            (uneval(v1))\
           ", s)
} catch (e) {}
evalcx("\
    (x=[]);\
    for(v of v1) {}\
", s)

Assertion failure: cx->compartment == oldCompartment, at jscompartment.h
evalcx("\
    let z = 0;\
    z += 'x';\
    for (var v of z) {\
        y = evaluate(\"Object.defineProperty(this,\\\"y\\\",{ \
                            get:  function() {} \
                        } );\", { \
                            catchTermination: true,\
                            saveFrameChain: true\
                        }\
                    );\
        }",
    newGlobal('')
)

Assertion failure: scope == cx->global(), at jsinterpinlines.h
Attached patch Patch (obsolete) — Splinter Review
Shell-only problem. We have to restore the frame chain if the evaluate function fails. The patch adds a RAII class to do this.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #754405 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
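The restore-on-failure pattern described in the comment above, shown as an added illustration (not the attached patch and not SpiderMonkey's own types): a toy context whose frame chain is a stack of frame ids, an unguarded evaluate whose early return on compile failure drops the saved chain (the shape that leaves the caller without a frame, as the hasfp() assertion reports), and the same function with a hypothetical AutoSaveFrameChain RAII guard that restores the chain on every exit path. The names Context, compileOk, evaluateUnguarded, evaluateGuarded, AutoSaveFrameChain and callerFrameSurvives, and the toy parenthesis check standing in for compilation, are all assumptions made for this example.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for the engine's execution context (not SpiderMonkey's
// own types): the frame chain is modelled as a stack of frame ids.
struct Context {
    std::vector<int> frames;   // active frames, innermost last
    bool hasfp() const { return !frames.empty(); }
};

// Toy "compile" step standing in for parsing the evaluated source: it fails on
// unbalanced parentheses and on an empty "()" group, so the bug's "()" and ")"
// sources fail to compile while "(7)(1)" compiles.
bool compileOk(const std::string& src) {
    int depth = 0;
    for (size_t i = 0; i < src.size(); ++i) {
        char c = src[i];
        if (c == '(') {
            if (i + 1 < src.size() && src[i + 1] == ')') return false;
            ++depth;
        } else if (c == ')') {
            if (--depth < 0) return false;
        }
    }
    return depth == 0;
}

// Buggy shape: the chain is detached, the work is done, and the chain is
// reattached only on the success path. The early return on compile failure
// skips the restore, so the caller later finds no frame at all.
bool evaluateUnguarded(Context& cx, const std::string& src) {
    std::vector<int> saved;
    saved.swap(cx.frames);          // detach the caller's frame chain
    if (!compileOk(src))
        return false;               // BUG: the saved chain is dropped here
    cx.frames.push_back(99);        // run the script in its own frame
    cx.frames.pop_back();
    cx.frames.swap(saved);          // restored only on this path
    return true;
}

// RAII guard (hypothetical name): construction detaches the chain, and the
// destructor restores it on every exit path, whether a normal return, an
// early return, or an exception unwinding through the scope.
class AutoSaveFrameChain {
    Context& cx_;
    std::vector<int> saved_;
public:
    explicit AutoSaveFrameChain(Context& cx) : cx_(cx) { saved_.swap(cx_.frames); }
    ~AutoSaveFrameChain() { cx_.frames.swap(saved_); }
    AutoSaveFrameChain(const AutoSaveFrameChain&) = delete;
    AutoSaveFrameChain& operator=(const AutoSaveFrameChain&) = delete;
};

// Fixed shape: the same early return is now safe because the guard's
// destructor runs when the function scope is left.
bool evaluateGuarded(Context& cx, const std::string& src) {
    AutoSaveFrameChain guard(cx);
    if (!compileOk(src))
        return false;
    cx.frames.push_back(99);
    cx.frames.pop_back();
    return true;
}

// Runs one of the two versions from a context that has a single caller frame
// and reports whether that frame is still there afterwards.
bool callerFrameSurvives(bool useGuard, const std::string& src) {
    Context cx;
    cx.frames.push_back(1);         // the shell's calling frame
    if (useGuard)
        evaluateGuarded(cx, src);
    else
        evaluateUnguarded(cx, src);
    return cx.hasfp();
}

int main() {
    // With "()" the unguarded version loses the caller frame; the guarded one keeps it.
    printf("unguarded \"()\": caller frame present = %d\n", (int)callerFrameSurvives(false, "()"));
    printf("guarded   \"()\": caller frame present = %d\n", (int)callerFrameSurvives(true, "()"));
    return 0;
}
```

The point of the guard is that the restore is tied to scope exit rather than to a particular return statement, so any failure path added later (a new error check, an exception) cannot reintroduce the lost-frame state; the same applies to any saved-and-restored state around a call that can fail part-way.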
Attached patch Patch — Splinter Review
Attachment #754405 - Attachment is obsolete: true
Attachment #754405 - Flags: review?(luke)
Attachment #754409 - Flags: review?(luke)
Attachment #754409 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/2cac52a99419
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24