Closed Bug 1275012 Opened 8 years ago Closed 6 years ago

Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 with Debugger.Script.getOffsetLocation

Categories

(Core :: JavaScript Engine, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: decoder, Assigned: loganfsmyth)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:testComment=3,origRev=8ec327de0ba7])

The following testcase crashes on mozilla-central revision 16663eb3dcfa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

g = newGlobal()
evaluate(`
  function lit() {
    debugger;
    switch(0) {
      case "nope": break;
      case 1: return;
    }
  }
`, { 0: 0, global: g });
dbg = Debugger(g);
function test(s) {
    dbg.onDebuggerStatement = function(frame) {
        frame.onStep = function() {
            this.script.getOffsetLocation(this.offset).lineNumber;
        }
    }
    g.eval(s);
}
test("lit()")

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000009f340f in DebuggerScript_getOffsetLocation (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5713
#0  0x00000000009f340f in DebuggerScript_getOffsetLocation (cx=0x7ffff6908c00, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:5713
#1  0x0000000000a6f312 in js::CallJSNative (cx=0x7ffff6908c00, native=0x9f2d80 <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#2  0x0000000000a6ba67 in js::InternalCallOrConstruct (cx=0x7ffff6908c00, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480
#3  0x0000000000a6bd4b in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525
#4  0x0000000000a6be5a in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:531
#5  0x0000000000d72061 in js::jit::DoCallFallback (cx=0x7ffff6908c00, frame=0x7fffffffab98, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffab40, res=...) at js/src/jit/BaselineIC.cpp:5973
#6  0x00007ffff7fe9f2f in ?? ()
[...]
#30 0x0000000000000000 in ?? ()

rax 0x0 0
rbx 0x7fffffffa590 140737488332176
rcx 0x7ffff6ca5870 140737333844080
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffa610 140737488332304
rsp 0x7fffffffa430 140737488331824
r8  0x7ffff7fdf7c0 140737354004416
r9  0x0 0
r10 0x7fffffffa1f0 140737488331248
r11 0x7ffff6c27ee0 140737333329632
r12 0x0 0
r13 0x7fffffffa4b0 140737488331952
r14 0x7fffffffa4d0 140737488331984
r15 0x7fffffffa468 140737488331880
rip 0x9f340f <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1679>
=> 0x9f340f <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1679>: movl $0x1651,0x0
   0x9f341a <DebuggerScript_getOffsetLocation(JSContext*, unsigned int, JS::Value*)+1690>: callq 0x4b2d30 <abort()>
Blocks: 1261826
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4bb616c2f912
user: Nicolas B. Pierron
date: Tue May 17 17:15:52 2016 +0000
summary: Bug 1261826 part 8.1 - Make Debugger.Script.getOffsetLocation only consider entry point locations. r=shu

This iteration took 224.350 seconds to run.
Flags: needinfo?(nicolas.b.pierron)
Priority: -- → P3
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
g = newGlobal()
evaluate(`
  function lit() {
    debugger;
    switch(0) {
      case "nope": break;
      case 1: return;
    }
  }
`, { 0: 0, global: g });
dbg = Debugger(g);
function test(s) {
    dbg.onDebuggerStatement = function(frame) {
        frame.onStep = function() {
            this.script.getOffsetLocation(this.offset).lineNumber;
        }
    }
    g.eval(s);
}
test("lit()")

asserts js shell compiled with --enable-debug on m-c rev 8ec327de0ba7 using --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments at Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:6387

Summary: Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 → Assertion failure: !r.empty(), at js/src/vm/Debugger.cpp:5713 with Debugger.Script.getOffsetLocation
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,testComment=3,origRev=8ec327de0ba7]

Also setting firefox66 as affected, and needinfo? from :jimb since this is Debugger-related.

Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update,testComment=3,origRev=8ec327de0ba7] → [jsbugmon:testComment=3,origRev=8ec327de0ba7]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5c934ede1cfc
user: Logan Smyth
date: Wed Feb 13 02:31:00 2019 +0000
summary: Bug 1518661 - Part 5: Give SpiderMonkey well-defined sense of step and breakpoint locations. r=jimb,bhackett

Jim/Jason, is bug 1518661 a likely fix? (I can't seem to reproduce the testcase in comment 3 on m-c tip)

Flags: needinfo?(jorendorff)

Yes.

Flags: needinfo?(jorendorff)

Fixed by bug 1518661.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jimb)
Resolution: --- → FIXED
Assignee: nobody → lsmyth