Closed Bug 973566 Opened 6 years ago Closed 6 years ago

[jsdbg2] Assertion failure: offsetsv.isUndefined(), at vm/Debugger.cpp:3381

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla30
Tracking Status
firefox30 --- affected

People

(Reporter: decoder, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files)

The following testcase asserts on mozilla-central revision 2bddbd180d2d (run with --fuzzing-safe):

Object.prototype[1] = 'peek';          // pollute the prototype chain with an entry at index 1
var g = newGlobal();                   // js shell builtin: a fresh global to debug
var dbg = Debugger(g);
dbg.onEnterFrame = function (frame) {
    // The per-line lookup inside getAllOffsets sees the inherited 'peek'
    // for line 1 and trips the offsetsv.isUndefined() assertion.
    var lines = frame.script.getAllOffsets();
};
g.eval("1;");
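Why the testcase trips the assertion and why an own-property check avoids it, as an added illustration in plain JavaScript that is neither the reporter's testcase nor SpiderMonkey's code: the sample offsets, `collectOffsets` and the two `seen*` check functions are constructed for this example, and the Debugger's assertion is emulated by a thrown error.

```javascript
// Constructed sample: (offset, line) pairs as if read from a script's source notes.
const SAMPLE_OFFSETS = [
  { offset: 0, line: 1 },
  { offset: 5, line: 1 },
  { offset: 9, line: 3 },
];

// Build { line -> [offsets] }; `seen` decides whether an entry for `line`
// already exists. The Debugger code asserted that a fresh slot was undefined;
// here that assertion is emulated by throwing when the slot is not our array.
function collectOffsets(pairs, seen) {
  const result = [];
  for (const { offset, line } of pairs) {
    if (!seen(result, line)) {
      result[line] = [];
    }
    if (!Array.isArray(result[line])) {
      throw new Error(`line ${line}: slot holds inherited ${JSON.stringify(result[line])}`);
    }
    result[line].push(offset);
  }
  return result;
}

// Flawed check: an ordinary lookup walks the prototype chain.
const seenViaPrototypeChain = (table, line) => table[line] !== undefined;

// Hardened check: consult only the table's own properties (the shape of this bug's fix).
const seenViaOwnProperty = (table, line) => Object.prototype.hasOwnProperty.call(table, line);

// Run both variants under the pollution from the bug's testcase.
function demonstrate() {
  const outcome = {};
  Object.prototype[1] = 'peek';
  try {
    try {
      collectOffsets(SAMPLE_OFFSETS, seenViaPrototypeChain);
      outcome.prototypeWalk = 'no error';
    } catch (e) {
      outcome.prototypeWalk = e.message;
    }
    const fixed = collectOffsets(SAMPLE_OFFSETS, seenViaOwnProperty);
    outcome.ownProperty = { line1: fixed[1], line3: fixed[3] };
  } finally {
    delete Object.prototype[1]; // undo the pollution
  }
  return outcome;
}
```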
Whiteboard: [jsbugmon:update,bisect]
Assignee: nobody → jorendorff
Attachment #8377725 - Flags: review?(jimb)
Change two other call sites to use the new, simpler js::HasOwnProperty API. (The rest make use of the Shape outparam at least.)
Attachment #8377736 - Flags: review?(jimb)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140204131033" and the hash "326a283714a8".
The "bad" changeset has the timestamp "20140204132432" and the hash "2c84be838689".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=326a283714a8&tochange=2c84be838689
Comment on attachment 8377725 [details] [diff] [review]
bug-973566-Debugger-v1.patch

Review of attachment 8377725 [details] [diff] [review]:
-----------------------------------------------------------------

In other words, "Don't check the prototype chain"? Seems reasonable.

::: js/src/vm/Debugger.cpp
@@ -3383,5 @@
>                  /*
>                   * Create an empty offsets array for this line.
>                   * Store it in the result array.
>                   */
> -                RootedId id(cx);
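Review bot: the hunk drops `RootedId id(cx);` while the lines that used `id` for the per-line lookup fall outside the shown context, so it cannot be seen here whether the id that now drives "Create an empty offsets array for this line. Store it in the result array." is still a rooted value across that allocation. Either keep the declaration or extend the hunk to the replacement lookup so the rooting can be checked in review.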

Is the removal of this variable just an optimization, or is it needed for correctness in some way that I am not noticing? If the removal is just an optimization, then let's leave the declaration in, because it makes it much clearer that the two ids are unrelated.
Attachment #8377725 - Flags: review?(jimb) → review+
Comment on attachment 8377736 [details] [diff] [review]
bug-973566-part-2-followup-v1.patch

Review of attachment 8377736 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsobj.h
@@ +1286,5 @@
>                         owner->getDenseElements() + clampedStart, "element");
>  }
>  #endif
>  
> +/* Determine whether obj has an own property with the given id. */
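Review bot: the new header comment says what the function determines but not how the answer comes back, and the declaration it documents lies past the end of the hunk; since this bug's fix replaces prototype-chain lookups with this call, the comment should state that the own-property answer is written to the out-parameter and that the bool return only reports success or failure, so callers do not test the wrong boolean.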

nit: If you're going to comment at all, why not actually spell it out? "Set |*resultp| to indicate whether |obj| has an own property named |id|."
Attachment #8377736 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/5d7c2275e346
https://hg.mozilla.org/mozilla-central/rev/b130f02b5151
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30