Closed Bug 934998 Opened 11 years ago Closed 4 months ago

Assertion failure: analyzedArgsUsage(), at js/src/jsscript.h:698

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect

RESOLVED INCOMPLETE

People

(Reporter: past, Unassigned)

Details

(Keywords: assertion)

Attachments

(1 file)

Attached file Crash log
I got this assertion twice so far, while playing with the Tracer UI which is a work in progress. It's not very common, but it may be triggered more easily when I open the debugger and start tracing before the page is fully loaded. The page in question was:

http://www.mozilla.org/en-US/

This is a debug build, but with optimizations enabled, so some inlining may have occurred. Top of the stack:

0  DebuggerArguments_getArg(JSContext*, unsigned int, JS::Value*) + 2112 (jsobj.h:1156)
1  js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 94 (jscntxtinlines.h:220)
2  js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 580 (Interpreter.cpp:456)
3  js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 451 (Interpreter.cpp:513)
4  js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 111 (Interpreter.cpp:584)
5  js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) + 81 (Shape-inl.h:66)
6  bool NativeGetInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 371 (jsobj.cpp:4130)
7  bool GetPropertyHelperInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) + 259 (jsobj.cpp:4320)
8  js::baseops::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) + 9 (jsobj.cpp:4330)
9  JSObject::getElementIfPresent(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, unsigned int, JS::MutableHandle<JS::Value>, bool*) + 447 (jsobj.h:991)
10 bool GetElement<unsigned int>(JSContext*, JS::Handle<JSObject*>, unsigned int, bool*, JS::MutableHandle<JS::Value>) + 265 (jsarray.cpp:180)
11 array_slice(JSContext*, unsigned int, JS::Value*) + 1151 (jsarray.cpp:2750)
12 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 94 (jscntxtinlines.h:220)
13 js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) + 580 (Interpreter.cpp:456)
14 js_fun_call(JSContext*, unsigned int, JS::Value*) + 549 (jsfun.cpp:892)
Also, I'm not sure if it's best to file debugger-related crashes in the debugger or JS component, so any advice would be appreciated.
(In reply to Panos Astithas [:past] from comment #1)
> Also, I'm not sure if it's best to file debugger-related crashes in the
> debugger or JS component, so any advice would be appreciated.

My understanding is that these belong in the JS Engine component, but I could be wrong.
JS Engine for sure.
Component: Developer Tools: Debugger → JavaScript Engine
Product: Firefox → Core
Haven't seen this enough to justify keeping the tracer from shipping pref'd off.
No longer blocks: 929349
Depends on: 929349
Probably just needs a |script->analyzedArgsUsage() && frame.hasArgsObj()| instead of a bare |frame.hasArgsObj()|
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → INCOMPLETE