Crash [@ js::Debugger::removeDebuggeeGlobal]

RESOLVED FIXED in mozilla38

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: decoder, Assigned: shu)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla38
Hardware: ARM
OS: Linux
Keywords: crash, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox38 affected)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-central revision 34e2d2bd7ec4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --enable-arm-simulator --disable-debug, run with --fuzzing-safe --no-threads):

var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    for (var i = 0; i < upCount; i++) {
      frame = frame.older;
    }
    var completion = frame.eval(code);
    terminate();
  };
})(this);
function h() {
    try {
        f();
    } catch (c) {}
    evalInFrame(1, "a.push(y)");
}
function g() {
    h();
}
function f() {
    g();
}
f();



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::Debugger::removeDebuggeeGlobal (this=0x92fc928, fop=fop@entry=0xffffc9b4, global=global@entry=(js::GlobalObject *) 0xf6743040 [object global] delegate, debugEnum=0x0) at js/src/vm/Debugger.cpp:3043
3043	        if (&frame.script()->global() == global) {
#0  js::Debugger::removeDebuggeeGlobal (this=0x92fc928, fop=fop@entry=0xffffc9b4, global=global@entry=(js::GlobalObject *) 0xf6743040 [object global] delegate, debugEnum=0x0) at js/src/vm/Debugger.cpp:3043
#1  0x08465941 in js::Debugger::detachAllDebuggersFromGlobal (fop=0xffffc9b4, global=(js::GlobalObject *) 0xf6743040 [object global] delegate) at js/src/vm/Debugger.cpp:2316
#2  0x08399b00 in sweepGlobalObject (fop=0xffffc9b4, this=0x933b120) at js/src/jscompartment.cpp:565
#3  sweepGlobalObject (fop=0xffffc9b4, this=0x933b120) at js/src/jsgc.cpp:4934
#4  js::gc::GCRuntime::beginSweepingZoneGroup (this=this@entry=0x92c7e08) at js/src/jsgc.cpp:5003
#5  0x083a7969 in js::gc::GCRuntime::beginSweepPhase (this=0x92c7e08, lastGC=false) at js/src/jsgc.cpp:5169
#6  0x083b6c77 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x92c7e08, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:5888
#7  0x083b75ce in js::gc::GCRuntime::gcCycle (this=this@entry=0x92c7e08, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6083
#8  0x083b790e in js::gc::GCRuntime::collect (this=this@entry=0x92c7e08, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6208
#9  0x083b8090 in js::gc::GCRuntime::gc (this=0x92c7e08, gckind=GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6269
#10 0x083b82ce in js::DestroyContext (cx=cx@entry=0x92dda60, mode=mode@entry=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:261
#11 0x083b8557 in JS_DestroyContext (cx=0x92dda60) at js/src/jsapi.cpp:778
#12 0x0805d296 in DestroyContext (withGC=true, cx=0x92dda60) at js/src/shell/js.cpp:5357
#13 main (argc=4, argv=0xffffced4, envp=0xffffcee8) at js/src/shell/js.cpp:6088
eax	0x0	0
ebx	0x92b6ff4	153841652
ecx	0x92fc980	154126720
edx	0xf6760100	-160038656
esi	0x9302368	154149736
edi	0x93023c8	154149832
ebp	0x934eb83	154463107
esp	0xffffc840	4294953024
eip	0x8465675 <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::GlobalObject* const, js::HashSet<js::GlobalObject*, js::DefaultHasher<js::GlobalObject*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Enum*)+117>
=> 0x8465675 <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::GlobalObject* const, js::HashSet<js::GlobalObject*, js::DefaultHasher<js::GlobalObject*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Enum*)+117>:	mov    0x2c(%eax),%eax
   0x8465678 <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::GlobalObject* const, js::HashSet<js::GlobalObject*, js::DefaultHasher<js::GlobalObject*>, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Enum*)+120>:	mov    0x34(%eax),%ecx
(Assignee)

Comment 1

3 years ago
I can repro this on x86 (but not x64) as well, so not ARM-only.
(Assignee)

Comment 2

3 years ago
(In reply to Shu-yu Guo [:shu] from comment #1)
> I can repro this on x86 (but not x64) as well, so not ARM-only.

The bug is indeed not ARM-only, but I can't come up with a non-ARM simulator testcase.
(Assignee)

Comment 3

3 years ago
Created attachment 8554102 [details] [diff] [review]
Clean up Debugger.Frames when the debug mode in-place Ion bailout fails.

The ARM simulator's stack limit makes this easier to trigger. I can't really come up with one that fails reliably otherwise.
Attachment #8554102 - Flags: review?(jdemooij)
(Assignee)

Updated

3 years ago
Assignee: nobody → shu
Comment on attachment 8554102 [details] [diff] [review]
Clean up Debugger.Frames when the debug mode in-place Ion bailout fails.

Review of attachment 8554102 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.
Attachment #8554102 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/58222952d073
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38