Closed
Bug 999655
Opened 11 years ago
Closed 10 years ago
[jsdbg2] Assertion failure: analyzedArgsUsage(), at jsscript.h:1146
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla36
Version | Tracking | Status
---|---|---
firefox31 | --- | affected
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
628 bytes, text/plain
1.42 KB, patch (jorendorff: review+)
The following testcase asserts on mozilla-central revision c962bde5ac0b (run with --fuzzing-safe):
var g = newGlobal();
var dbg = new Debugger(g);
dbg.onNewScript = function(script) {
  fscript = script.getChildScripts()[0];
}
g.eval("function f(x) { arguments[0] = 3; return x }");
fscript.setBreakpoint(0, {hit:function(frame) {
  assertEq(frame.arguments[0], (2));
}});
g.f(1);
Comment 1 • 11 years ago (Reporter)
Updated • 11 years ago (Reporter)
status-firefox31: --- → affected
Whiteboard: [jsbugmon:update,bisect]
Updated • 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2 • 11 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/4370f503d69f
user: Brian Hackett
date: Thu May 23 13:25:19 2013 -0600
summary: Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem.
This iteration took 275.807 seconds to run.
Comment 3 • 10 years ago (Reporter)
Still hitting this, needinfo from Brian based on comment 2.
Flags: needinfo?(bhackett1024)
Comment 4 • 10 years ago (Assignee)
I don't think this was caused by bug 875276. For a while it's been the case that frames don't have arguments objects until JSOP_ARGUMENTS executes, and we don't analyze arguments usage until then either. So if the debugger inspects a frame's arguments it should make sure the arguments usage has been analyzed.
Assignee: nobody → bhackett1024
Attachment #8501174 - Flags: review?(jorendorff)
Flags: needinfo?(bhackett1024)
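A simplified C++ model of the invariant described in comment 4, added here as an illustration; it is not the attached patch or SpiderMonkey code, and every name except analyzedArgsUsage() is hypothetical. It assumes the debugger's argument read goes through an accessor guarded by that assertion, and shows the read failing before the analysis has run and succeeding once the caller ensures it.

```cpp
// Toy model, not SpiderMonkey source. Only analyzedArgsUsage() is a name
// from the bug report; every other identifier here is hypothetical.
#include <cstddef>
#include <stdexcept>
#include <utility>
#include <vector>

struct ToyScript {
    bool mentionsArguments;      // function body uses `arguments`
    bool analyzed = false;       // analysis is lazy, so this starts false
    bool needsArgsObj_ = false;  // meaningless until analyzed is true
    explicit ToyScript(bool m) : mentionsArguments(m) {}

    bool analyzedArgsUsage() const { return analyzed; }
    void analyzeArgsUsage() { needsArgsObj_ = mentionsArguments; analyzed = true; }

    // Guarded accessor; the throw stands in for the engine's assertion.
    bool needsArgsObj() const {
        if (!analyzedArgsUsage()) throw std::logic_error("analyzedArgsUsage()");
        return needsArgsObj_;
    }
};

struct ToyFrame {
    ToyScript &script;
    std::vector<int> actuals;    // values the caller passed
    std::vector<int> argsObj;    // created only when the arguments op runs
    bool hasArgsObj = false;
    ToyFrame(ToyScript &s, std::vector<int> a) : script(s), actuals(std::move(a)) {}

    // Interpreter path: analysis and the arguments object both appear here.
    void execArgumentsOp() {
        if (!script.analyzedArgsUsage()) script.analyzeArgsUsage();
        if (script.needsArgsObj() && !hasArgsObj) { argsObj = actuals; hasArgsObj = true; }
    }
};

// Debugger path as in the testcase: a breakpoint at offset 0 reads the
// frame's arguments before the arguments op has run, so the guard trips.
int debuggerReadArgUnguarded(ToyFrame &f, std::size_t i) {
    return (f.script.needsArgsObj() && f.hasArgsObj) ? f.argsObj[i] : f.actuals[i];
}

// Same read, but the caller establishes the invariant first.
int debuggerReadArgGuarded(ToyFrame &f, std::size_t i) {
    if (!f.script.analyzedArgsUsage()) f.script.analyzeArgsUsage();
    return debuggerReadArgUnguarded(f, i);
}
```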
Comment 5 • 10 years ago
Comment on attachment 8501174
patch
Review of attachment 8501174:
-----------------------------------------------------------------
Impressive that the fuzzer managed to hit this.
I don't know how anyone writing this kind of code was supposed to get this right. It seems pretty hopeless. At least we have an assertion there.
Please take a look at the comment on analyzedArgsUsage() (which says we do the analysis before running the script the first time).
Attachment #8501174 - Flags: review?(jorendorff) → review+
Comment 6 • 10 years ago (Assignee)
Fix, with the comment on analyzedArgsUsage() fixed too:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7ccff28c96f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36