Closed Bug 1100316 Opened 5 years ago Closed 5 years ago

Assertion failure: frame.isDebuggee(), at vm/Debugger-inl.h

Categories: Core :: JavaScript Engine: JIT, defect, critical
Platform: x86_64, macOS
Type: defect; Priority: Not set; Severity: critical
Tracking: RESOLVED FIXED; Target Milestone: mozilla36; Tracking Status: firefox36 --- affected
People: Reporter: gkw, Assigned: shu
References: Blocks 2 open bugs
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:update]
Attachments: 2 files, 1 obsolete file

// Random chosen test: js/src/jit-test/tests/debug/resumption-03.js
g = newGlobal()
g.debuggeeGlobal = this
g.eval("(" + function() {
    dbg = new Debugger(debuggeeGlobal);
    dbg.onDebuggerStatement = function() {}
} + ")()")
// jsfunfuzz-generated code
for (c in (function() {
    yield
})()) h

asserts js debug shell on m-c changeset a52bf59965a0 with --ion-eager --no-threads at Assertion failure: frame.isDebuggee(), at vm/Debugger-inl.h.

Debug configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

This was found by combining random jit-tests together with jsfunfuzz. The specific file, which was run with random flag combinations, is:

http://hg.mozilla.org/mozilla-central/file/a52bf59965a0/js/src/jit-test/tests/debug/resumption-03.js

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b160657339f8
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:39 2014 -0800
summary:     Bug 1032869 - Part 2: Move debuggee-ness to frames and selectively deoptimize when Debugger needs to observe execution. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/bb2f13ba7b1c
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1062629 - Off-thread compartment debug mode should match main thread compartment debug mode. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/1176cc3c3b34
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063328 - Fix on-stack live iterator handling when bailing out in-place due to debug mode OSR. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/f8e316fa65bb
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1063330 - Remove the JS shell's evalInFrame. (r=jimb)

changeset:   https://hg.mozilla.org/mozilla-central/rev/96a2f59f6ce4
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:40 2014 -0800
summary:     Bug 1032869 - Part 3: Don't consider onExceptionUnwind an all-execution-observing hook. (r=jandem)

changeset:   https://hg.mozilla.org/mozilla-central/rev/06d07689a043
user:        Shu-yu Guo
date:        Thu Nov 13 14:39:41 2014 -0800
summary:     Bug 1032869 - Part 4: Add an auto-updated DebugModeOSRVolatileJitFrameIterator. (r=jandem)

Shu-yu, is bug 1032869 or bug 1063330 a likely regressor?
Flags: needinfo?(shu)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x557144, 0x00000001006b73c4 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::mainThread(this=<unavailable>) const + 28 at Stack.h:1098, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001006b73c4 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::mainThread(this=<unavailable>) const + 28 at Stack.h:1098
    frame #1: 0x00000001006b73a8 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool) [inlined] JSContext::interpreterFrame() const at jscntxt.h:513
    frame #2: 0x00000001006b73a8 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::Debugger::onLeaveFrame(cx=<unavailable>, frame=(ptr_ = 140734799796866), ok=<unavailable>) + 856 at Debugger-inl.h:17
    frame #3: 0x00000001004238a6 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::DebugEpilogue(cx=0x0000000101d01b90, frame=0x00007fff5fbfda80, pc=<unavailable>, ok=true) + 294 at VMFunctions.cpp:802
    frame #4: 0x000000010031c313 js-dbg-opt-64-dm-nsprBuild-darwin-a52bf59965a0`js::jit::HandleClosingGeneratorReturn(JSContext*, js::jit::JitFrameIterator const&, unsigned char*, unsigned char*, js::jit::ResumeFromException*, bool*) [inlined] js::jit::ForcedReturn(cx=0x0000000101d01b90, frame=<unavailable>, pc=0x0000000101b3809f) + 38 at IonFrames.cpp:516
(lldb)
Whiteboard: [jsbugmon: update] → [jsbugmon:update]
JSOP_DEBUGAFTERYIELD was only catching the 'next' case.
Attachment #8524119 - Flags: review?(jdemooij)
Assignee: nobody → shu
Flags: needinfo?(shu)
Forgot to commit code...
Attachment #8524119 - Attachment is obsolete: true
Attachment #8524119 - Flags: review?(jdemooij)
Attachment #8524222 - Flags: review?(jdemooij)
Comment on attachment 8524222 [details] [diff] [review]
Mark resumed BaselineFrames as debuggee when resuming from generator throw/close.

Review of attachment 8524222 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit-test/tests/debug/execution-observability-02.js
@@ +4,5 @@
> +var g = newGlobal();
> +var dbg = new Debugger(g);
> +
> +var hits = 0;
> +dbg.onEnterFrame = function (f) { hits++; };
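Review bot: The visible lines of this hunk increment `hits` in the onEnterFrame hook but show no assertion on it, and nothing in the hunk says why the hook is installed; the thread later explains that its real job is to put the compartment into "observing everything" mode so that the leave-frame parity assertion is exercised on the generator throw/close paths. A one-line comment above `dbg.onEnterFrame = ...` stating that purpose, plus an `assertEq(hits, <expected count>)` at the end of the test, would document the intent and give the test a failure mode that does not depend on a debug-only assertion.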

Does the test fail without the patch? Since we don't call onEnterFrame when resuming a generator..

(Alternative is gen.throw(<val>) with an onExceptionUnwind hook, maybe.)
Attachment #8524222 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #4)
> Comment on attachment 8524222 [details] [diff] [review]
> Mark resumed BaselineFrames as debuggee when resuming from generator
> throw/close.
> 
> Review of attachment 8524222 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: js/src/jit-test/tests/debug/execution-observability-02.js
> @@ +4,5 @@
> > +var g = newGlobal();
> > +var dbg = new Debugger(g);
> > +
> > +var hits = 0;
> > +dbg.onEnterFrame = function (f) { hits++; };
> 
> Does the test fail without the patch? Since we don't call onEnterFrame when
> resuming a generator..
> 

Yeah, it asserts when leaving the frame. The onEnterFrame there is really to put the compartment into the "debugger observing everything" mode, which trips an assert when leaving frames that checks for parity between the compartment observing everything and frames being marked debuggee.
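To make the parity invariant described above concrete, here is an added example (not SpiderMonkey code; a simplified model with hypothetical names) of a compartment that observes all execution, a frame with an isDebuggee flag, the buggy resume path that only marks the frame for the 'next' case, and the fixed path that marks it for throw/close as well:

```cpp
// Added example, not SpiderMonkey code: a simplified model of the invariant
// the assertion in this bug checks. Once a Debugger hook such as onEnterFrame
// makes a compartment observe all execution, every frame running in it must be
// marked as a debuggee, including frames resumed from a generator. The bug:
// the resume path only marked the frame for gen.next(), not throw()/close().
#include <cassert>

enum class ResumeKind { Next, Throw, Close };

struct Compartment {
    bool observesAllExecution = false;   // set when e.g. onEnterFrame is installed
};

struct BaselineFrame {
    Compartment* compartment;
    bool debuggee = false;
    explicit BaselineFrame(Compartment* c) : compartment(c) {}
    bool isDebuggee() const { return debuggee; }
    void setIsDebuggee() { debuggee = true; }
};

// Models the parity check performed when leaving a frame: if the compartment
// observes all execution, the frame must have been marked as a debuggee.
bool leaveFrameInvariantHolds(const BaselineFrame& frame) {
    return !frame.compartment->observesAllExecution || frame.isDebuggee();
}

// Buggy resume (as described in the thread): only the 'next' case marks the frame.
void resumeGeneratorBuggy(BaselineFrame& frame, ResumeKind kind) {
    if (kind == ResumeKind::Next && frame.compartment->observesAllExecution)
        frame.setIsDebuggee();
}

// Fixed resume: mark the resumed frame however the generator was resumed.
void resumeGeneratorFixed(BaselineFrame& frame, ResumeKind kind) {
    (void)kind;
    if (frame.compartment->observesAllExecution)
        frame.setIsDebuggee();
}

// Resumes a generator frame in an observed compartment and reports whether
// the leave-frame invariant still holds (false means the assertion would fire).
bool resumeAndLeave(bool fixed, ResumeKind kind) {
    Compartment comp;
    comp.observesAllExecution = true;    // a Debugger with onEnterFrame is attached
    BaselineFrame frame(&comp);
    if (fixed) resumeGeneratorFixed(frame, kind);
    else resumeGeneratorBuggy(frame, kind);
    return leaveFrameInvariantHolds(frame);
}
```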
(In reply to Shu-yu Guo [:shu] from comment #5)
> The onEnterFrame there is really to
> put the compartment into the "debugger observing everything" mode, which
> trips an assert when leaving frames that checks for parity between the
> compartment observing everything and frames being marked debuggee.

Ah, great idea to assert that.
https://hg.mozilla.org/mozilla-central/rev/41b6e6ea91a9
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36