Closed Bug 1102549 Opened 5 years ago Closed 5 years ago

Assertion failure: status == JSTRAP_CONTINUE, at js/src/vm/Debugger.cpp:1678

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla37
Tracking Status: firefox36 --- affected
People: Reporter: decoder, Assigned: fitzgen
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update]
Attachments: 1 file

The following testcase crashes on mozilla-central revision aa72ddfe9f93 (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe):

// Debuggee global plus a Debugger observing it (SpiderMonkey shell functions).
var g = newGlobal();
var dbg = new Debugger(g);
var log = "";  // declared so the hook reaches its deliberate throw
// The hook throws on purpose; that is what drives the uncaught-exception path.
dbg.onPromiseSettled = function (g) { log += 's'; throw "foopy"; };
// Shell-only testing helpers: build a fake promise and settle it to fire the hook.
g.settleFakePromise(g.makeFakePromise());

Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x08672c83 in js::Debugger::slowPathPromiseHook (cx=cx@entry=0x9fc8fb8, 
    hook=hook@entry=js::Debugger::OnPromiseSettled, promise=promise@entry=...)
    at js/src/vm/Debugger.cpp:1678
1678	    MOZ_ASSERT(status == JSTRAP_CONTINUE);
#0  0x08672c83 in js::Debugger::slowPathPromiseHook (cx=cx@entry=0x9fc8fb8, hook=hook@entry=js::Debugger::OnPromiseSettled, promise=promise@entry=...) at js/src/vm/Debugger.cpp:1678
#1  0x08672e5a in JS::dbg::onPromiseSettled (cx=cx@entry=0x9fc8fb8, promise=promise@entry=...) at js/src/vm/Debugger.cpp:7256
#2  0x081352d8 in SettleFakePromise (cx=0x9fc8fb8, argc=1, vp=0xff866f24) at js/src/builtin/TestingFunctions.cpp:1000
#3  0x0867d99b in js::CallJSNative (cx=0x9fc8fb8, native=0x8135210 <SettleFakePromise(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:231
#4  0x0866088a in js::Invoke (cx=cx@entry=0x9fc8fb8, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:482
#5  0x08663f8f in js::Invoke (cx=cx@entry=0x9fc8fb8, thisv=..., fval=..., argc=1, argv=0xff867484, rval=...) at js/src/vm/Interpreter.cpp:538
#6  0x085f9936 in js::DirectProxyHandler::call (this=this@entry=0x958b284 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x9fc8fb8, proxy=proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:75
#7  0x0860362d in js::CrossCompartmentWrapper::call (this=0x958b284 <js::CrossCompartmentWrapper::singleton>, cx=0x9fc8fb8, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:296
#8  0x085f8992 in js::Proxy::call (cx=cx@entry=0x9fc8fb8, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:430
#9  0x085f8a3d in js::proxy_Call (cx=0x9fc8fb8, argc=1, vp=0xff867474) at js/src/proxy/Proxy.cpp:812
#10 0x0867d99b in js::CallJSNative (cx=0x9fc8fb8, native=0x85f89c0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:231
#11 0x0866088a in js::Invoke (cx=cx@entry=0x9fc8fb8, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:482
#12 0x08663f8f in js::Invoke (cx=cx@entry=0x9fc8fb8, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0xff86770c, rval=...) at js/src/vm/Interpreter.cpp:538
#13 0x082ea87f in js::jit::DoCallFallback (cx=0x9fc8fb8, frame=0xff86774c, stub_=0x9ff9328, argc=1, vp=0xff8676fc, res=...) at js/src/jit/BaselineIC.cpp:8986
eax	0x0	0
ebx	0x9594ff4	156848116
ecx	0xf755288c	-145414004
edx	0x0	0
esi	0x9fc8fb8	167546808
edi	0xff866b08	-7967992
ebp	0xff866b38	4286999352
esp	0xff866af0	4286999280
eip	0x8672c83 <js::Debugger::slowPathPromiseHook(JSContext*, js::Debugger::Hook, JS::Handle<JSObject*>)+227>
=> 0x8672c83 <js::Debugger::slowPathPromiseHook(JSContext*, js::Debugger::Hook, JS::Handle<JSObject*>)+227>:	movl   $0x7b,0x0
   0x8672c8d <js::Debugger::slowPathPromiseHook(JSContext*, js::Debugger::Hook, JS::Handle<JSObject*>)+237>:	call   0x804aa70 <abort@plt>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/1d0fd69c402d
user:        Nick Fitzgerald
date:        Mon Nov 17 10:43:00 2014 +0100
summary:     Bug 1084065 - Part 1: Add a Debugger.prototype.onPromiseSettled hook; r=shu

This iteration took 512.108 seconds to run.
Nick, is bug 1084065 a likely regressor?
Blocks: 1084065
Flags: needinfo?(nfitzgerald)
Yeah, will get a fix up soon.
Assignee: nobody → nfitzgerald
Flags: needinfo?(nfitzgerald)
Comment on attachment 8533330 [details] [diff] [review]
on-promise-settled-assertion-failure.patch

Review of attachment 8533330 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with comment addressed.

::: js/src/vm/Debugger.cpp
@@ +1696,5 @@
> +
> +      default:
> +        MOZ_CRASH("Invalid promise hook trap status");
> +    }
> +
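Review bot: the `default:` arm in this hunk escalates any status the switch does not enumerate into MOZ_CRASH, which aborts release builds as well as debug builds, so an unexpected status on a path reached through a throwing hook becomes a process abort rather than a handled condition. If the status carries no information the caller acts on, drop the switch and discard the dispatch result with a comment saying why; if it does, enumerate the statuses that can legitimately reach this point and reserve the crash for the ones that indicate a broken invariant.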

Sorry I missed this. handleUncaughtException is kinda wonky. I don't think you need to assert anything here at all about the status and pending exception, actually. The status is going to be ignored anyways -- any non-JSTRAP_CONTINUE values come from an error in the uncaught exception handler, which by design the hook ignores. Also, handleUncaughtException itself already clears the pending exception.

This function can probably just be cleaned up to |(void) dispatchHook(...)| with a comment saying it's infallible and we ignore errors from uncaught exceptions by design.
Attachment #8533330 - Flags: review?(shu) → review+
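The status handling the review describes, as an added C++ example that is not SpiderMonkey code: a model of an infallible notification hook whose user callback may throw. The TrapStatus enum, the Context struct, handleUncaughtException, dispatchHook and the two promise-hook variants are assumed names with semantics chosen to mirror the discussion above, not the engine's own definitions.

```cpp
// Added example, not SpiderMonkey code: models why an infallible
// notification hook must not assert on the status of its dispatch.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

// Trap statuses as a hook dispatcher would use them. The names mirror
// SpiderMonkey's JSTrapStatus; the modelled semantics are an assumption.
enum TrapStatus { TRAP_ERROR, TRAP_CONTINUE, TRAP_RETURN, TRAP_THROW };

// Stand-in for a JSContext: just the pending-exception slot plus a log
// of what was reported to the embedder.
struct Context {
    bool hasPendingException = false;
    std::string pendingException;
    std::vector<std::string> reported;
};

// A user hook returns true on success, or false after setting a pending
// exception (the native-code convention for "the script threw").
using Hook = std::function<bool(Context&)>;

// Report-and-clear for an exception thrown by a hook. Returns TRAP_ERROR
// to signal that the hook did not complete normally; the property that
// matters is that it leaves no exception pending.
static TrapStatus handleUncaughtException(Context& cx) {
    if (cx.hasPendingException) {
        cx.reported.push_back(cx.pendingException);
        cx.hasPendingException = false;
        cx.pendingException.clear();
    }
    return TRAP_ERROR;
}

// Runs a hook and maps its outcome to a trap status.
static TrapStatus dispatchHook(Context& cx, const Hook& hook) {
    if (!hook(cx))
        return handleUncaughtException(cx);
    return TRAP_CONTINUE;
}

// The buggy shape: asserting status == TRAP_CONTINUE. Modelled as returning
// whether the assertion would have fired, since a real MOZ_ASSERT aborts.
static bool promiseHookAssertingOnStatus(Context& cx, const Hook& hook) {
    TrapStatus status = dispatchHook(cx, hook);
    return status != TRAP_CONTINUE;  // true means the assertion fires
}

// The fixed shape: the notification is infallible by design, so the status
// is discarded. The only invariant checked is that no exception leaks out.
static bool promiseHookInfallible(Context& cx, const Hook& hook) {
    (void) dispatchHook(cx, hook);
    return !cx.hasPendingException;
}

// A hook that throws, like the testcase's onPromiseSettled.
static bool throwingHook(Context& cx) {
    cx.hasPendingException = true;
    cx.pendingException = "foopy";
    return false;
}

// A hook that completes normally.
static bool quietHook(Context&) { return true; }

int main() {
    Context cx;
    std::printf("asserting variant, throwing hook: assertion fires = %d\n",
                promiseHookAssertingOnStatus(cx, throwingHook));
    Context cx2;
    std::printf("infallible variant, throwing hook: no leak = %d, reported = %zu\n",
                promiseHookInfallible(cx2, throwingHook), cx2.reported.size());
    return 0;
}
```

With a throwing hook the asserting variant reports that the assertion would fire, exactly the failure in the backtrace, while the uncaught-exception handler has already reported and cleared the exception; the infallible variant discards the status and leaves the context clean. A MOZ_ASSERT in the first form is a debug-only abort, whereas a MOZ_CRASH in a `default:` arm would abort release builds as well.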
https://hg.mozilla.org/mozilla-central/rev/dc0fcf005cf9
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37