Closed Bug 999655 Opened 10 years ago Closed 10 years ago

[jsdbg2] Assertion failure: analyzedArgsUsage(), at jsscript.h:1146

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla36
Tracking Status
firefox31 --- affected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase asserts on mozilla-central revision c962bde5ac0b (run with --fuzzing-safe):

var g = newGlobal();
var dbg = new Debugger(g);
var fscript;
// Grab the compiled script for f as soon as the debuggee creates it.
dbg.onNewScript = function(script) {
    fscript = script.getChildScripts()[0];
}
g.eval("function f(x) { arguments[0] = 3; return x }");
// Break at the very first bytecode offset of f and read the frame's
// arguments there, i.e. before the function body has run anything.
fscript.setBreakpoint(0, {hit:function(frame) {
    assertEq(frame.arguments[0], (2));
}});
g.f(1);
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/4370f503d69f
user:        Brian Hackett
date:        Thu May 23 13:25:19 2013 -0600
summary:     Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.

This iteration took 275.807 seconds to run.
Still hitting this, needinfo from Brian based on comment 2.
Flags: needinfo?(bhackett1024)
Attached patch: patch
I don't think this was caused by bug 875276.  For a while it's been the case that frames don't have arguments objects until JSOP_ARGUMENTS executes, and we don't analyze arguments usage until then either.  So if the debugger inspects a frame's arguments it should make sure the arguments usage has been analyzed.
Assignee: nobody → bhackett1024
Attachment #8501174 - Flags: review?(jorendorff)
Flags: needinfo?(bhackett1024)
Comment on attachment 8501174 [details] [diff] [review]
patch

Review of attachment 8501174 [details] [diff] [review]:
-----------------------------------------------------------------

Impressive that the fuzzer managed to hit this.

I don't know how anyone writing this kind of code was supposed to get this right. It seems pretty hopeless. At least we have an assertion there.

Please take a look at the comment on analyzedArgsUsage() (which says we do the analysis before running the script the first time).
Attachment #8501174 - Flags: review?(jorendorff) → review+
Fix, with the comment on analyzedArgsUsage() fixed too:

https://hg.mozilla.org/integration/mozilla-inbound/rev/f7ccff28c96f
https://hg.mozilla.org/mozilla-central/rev/f7ccff28c96f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Depends on: 1094827