Assertion failure: hasScript(), at js/src/shell/../jsfun.h:322 with Debugger

VERIFIED FIXED in Firefox 39, Firefox OS master

Status: VERIFIED FIXED
Priority: --
Severity: critical
Reported 4 years ago, last modified 2 years ago
People

(Reporter: decoder, Assigned: shu)

Tracking

Blocks: 1 bug (963879); 4 keywords
Version: Trunk
Target Milestone: mozilla40
Platform: x86_64 Linux
Keywords: assertion, regression, sec-moderate, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox37 unaffected, firefox38 wontfix, firefox38.0.5 wontfix, firefox39 verified, firefox40 verified, firefox-esr31 unaffected, firefox-esr38 wontfix, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-master fixed)

Details

(Whiteboard: [jsbugmon:update][adv-main39+])

Attachments

2 attachments (8583321, 8611524)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision 4d2d97b3ba34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

gczeal(2);                                        // zeal mode 2: force GCs frequently
var g = newGlobal();                              // fresh global; not a debuggee yet
g.eval('function f() { return "from f"; }');      // f is compiled (non-lazy) at this point
var dbg = new Debugger;
var gw = dbg.makeGlobalObjectReference(g);        // Debugger.Object for g, without addDebuggee
var fw = gw.getOwnPropertyDescriptor('f').value;  // Debugger.Object for f, taken while f is non-lazy
newGlobal(dbg.g, false);                          // allocations here trigger a GC; g is not a debuggee, so f may be relazified
dbg.addDebuggee(g);                               // too late: adding a debuggee does not eagerly delazify f
var fenv = fw.environment;                        // GetDebugScopeForFunction -> nonLazyScript() on a now-lazy f
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#0  0x00000000004056d8 in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:322
#1  0x000000000046eb4a in JSFunction::nonLazyScript (this=<optimized out>) at js/src/shell/../jsfun.h:325
#2  0x00000000006b8c85 in js::GetDebugScopeForFunction (cx=cx@entry=0x1a19ee0, fun=..., fun@entry=...) at js/src/vm/ScopeObject.cpp:2478
#3  0x000000000061e815 in DebuggerObject_getEnvironment (cx=0x1a19ee0, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:6650
#4  0x0000000000642d92 in js::CallJSNative (cx=0x1a19ee0, native=0x61e600 <DebuggerObject_getEnvironment(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#5  0x0000000000631ee3 in js::Invoke (cx=cx@entry=0x1a19ee0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:502
#6  0x00000000006339a3 in js::Invoke (cx=cx@entry=0x1a19ee0, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:558
#7  0x00000000006374da in js::InvokeGetterOrSetter (cx=cx@entry=0x1a19ee0, obj=0x7ffff5463160, fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:628
#8  0x000000000069c213 in CallGetter (vp=..., shape=..., receiver=..., cx=0x1a19ee0) at js/src/vm/NativeObject.cpp:1614
#9  GetExistingProperty<(js::AllowGC)1> (cx=0x1a19ee0, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1664
#10 0x000000000069c71a in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x1a19ee0, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:1878
#11 0x000000000069cbe0 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:1912
#12 0x00000000004c26e0 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1434
#13 0x000000000062580f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x1a19ee0) at js/src/vm/Interpreter.cpp:260
#14 Interpret (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:2417
#15 0x0000000000631c48 in js::RunScript (cx=cx@entry=0x1a19ee0, state=...) at js/src/vm/Interpreter.cpp:452
#16 0x0000000000638b49 in js::ExecuteKernel (cx=cx@entry=0x1a19ee0, script=..., script@entry=..., scopeChainArg=..., thisv=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:655
#17 0x000000000063acd0 in js::Execute (cx=cx@entry=0x1a19ee0, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:695
#18 0x0000000000a17717 in ExecuteScript (cx=cx@entry=0x1a19ee0, obj=..., scriptArg=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4091
#19 0x0000000000a1784b in JS_ExecuteScript (cx=cx@entry=0x1a19ee0, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4113
#20 0x0000000000406887 in RunFile (compileOnly=false, file=0x1a8a5a0, filename=0x7fffffffdf72 "min.js", cx=0x1a19ee0) at js/src/shell/js.cpp:466
#21 Process (cx=cx@entry=0x1a19ee0, filename=0x7fffffffdf72 "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:597
#22 0x0000000000453b22 in ProcessArgs (op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:5738
#23 Shell (envp=<optimized out>, op=0x7fffffffda00, cx=0x1a19ee0) at js/src/shell/js.cpp:6004
#24 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6346
rax	0x0	0
rbx	0x1a19ee0	27369184
rcx	0x7ffff6ca53cd	140737333842893
rdx	0x0	0
rsi	0x7ffff6f7a9d0	140737336814032
rdi	0x7ffff6f791c0	140737336807872
rbp	0x7fffffffc120	140737488339232
rsp	0x7fffffffc120	140737488339232
r8	0x7ffff7fe0780	140737354008448
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fffffffbee0	140737488338656
r11	0x7ffff6c27960	140737333328224
r12	0x7fffffffc280	140737488339584
r13	0x7fffffffc150	140737488339280
r14	0x19d5380	27087744
r15	0x7fffffffc270	140737488339568
rip	0x4056d8 <JSFunction::nonLazyScript() const+28>
=> 0x4056d8 <JSFunction::nonLazyScript() const+28>:	movl   $0x142,0x0
   0x4056e3 <JSFunction::nonLazyScript() const+39>:	callq  0x4046a0 <abort@plt>


Marking s-s because gczeal is involved. Might only affect the debugger though.
Keywords: sec-moderate
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 1

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fb00dedf441c
user:        Shu-yu Guo
date:        Wed Jan 14 22:57:35 2015 -0800
summary:     Bug 963879 - Part 1: Overhaul ScopeIter and StaticScopeIter to share iteration logic and to go through evals. (r=luke)

This iteration took 192.815 seconds to run.
(Reporter)

Comment 2

4 years ago
Needinfo from shu based on comment 1.
Flags: needinfo?(shu)
(Assignee)

Comment 3

4 years ago
Created attachment 8583321 [details] [diff] [review]
Unlazify functions when getting their debug scopes.
Attachment #8583321 - Flags: review?(jimb)
(Assignee)

Updated

4 years ago
Assignee: nobody → shu
Flags: needinfo?(shu)
(Assignee)

Updated

4 years ago
Status: NEW → ASSIGNED

Comment 4

4 years ago
Comment on attachment 8583321 [details] [diff] [review]
Unlazify functions when getting their debug scopes.

Review of attachment 8583321 [details] [diff] [review]:
-----------------------------------------------------------------

Apparently we now re-lazify functions. I can't readily find any changesets in Debugger.cpp that seem like they would address this. Are there any other uses of nonLazyScript that should be changed?
Attachment #8583321 - Flags: review?(jimb) → review+
(Assignee)

Comment 5

4 years ago
(In reply to Jim Blandy :jimb from comment #4)
> Comment on attachment 8583321 [details] [diff] [review]
> Unlazify functions when getting their debug scopes.
> 
> Review of attachment 8583321 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Apparently we now re-lazify functions. I can't readily find any changesets
> in Debugger.cpp that seem like they would address this. Are there any other
> uses of nonLazyScript that should be changed?

The Debugger disables relazification so long as a compartment->isDebuggee(). Note that this test case didn't addDebuggee until after the GC, and that adding a compartment as a debuggee does not eagerly unlazify (only findScripts does).
https://hg.mozilla.org/mozilla-central/rev/d682b4e2df86
https://hg.mozilla.org/mozilla-central/rev/2525c3ff6145
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
status-firefox40: --- → fixed
Flags: needinfo?(shu) → in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
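The ordering hazard in the description's testcase and the rule shu states in comment 5 (relazification is off only once the compartment is a debuggee, and addDebuggee does not delazify anything by itself) can be replayed in a small model. The code below is an added example, not SpiderMonkey code: the Function, Compartment and Script types, gcRelazify, and the two getDebugScope variants are hypothetical stand-ins for JSFunction, the compartment flag, and DebuggerObject_getEnvironment before and after attachment 8583321. Where the real engine trips the debug-only hasScript() assertion, the unchecked accessor here returns nullptr so the outcome can be compared for both orderings.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Toy model of the invariant behind "Assertion failure: hasScript()".
// Added example; none of this is SpiderMonkey code, and the names, fields
// and GC rule below are simplifications of what comment 5 describes.
struct Script {
    std::string source;
};

struct Function {
    std::string source;              // kept while lazy, to recompile from
    std::unique_ptr<Script> script;  // non-null only while non-lazy

    bool hasScript() const { return script != nullptr; }

    // Unchecked accessor, in the role of JSFunction::nonLazyScript(): the
    // caller is supposed to know hasScript() holds. Where the engine has a
    // debug-only assertion, the model returns nullptr instead.
    Script* nonLazyScript() { return hasScript() ? script.get() : nullptr; }

    // Checked accessor: compile (delazify) on demand, then hand out the script.
    Script* getOrCreateScript() {
        if (!script) script = std::unique_ptr<Script>(new Script{source});
        return script.get();
    }

    // What a GC may do to a function nobody is debugging: drop the compiled
    // script and keep only what is needed to recompile it later.
    void relazify() { script.reset(); }
};

struct Compartment {
    bool isDebuggee = false;
    std::vector<Function*> functions;
};

// The rule from comment 5: relazification is disabled for debuggee compartments.
void gcRelazify(Compartment& c) {
    if (c.isDebuggee) return;
    for (Function* f : c.functions) f->relazify();
}

// Debugger.Object.prototype.environment before the fix: trusts that the
// function it was created for is still non-lazy.
Script* getDebugScopeBeforeFix(Function& f) { return f.nonLazyScript(); }

// After the fix ("Unlazify functions when getting their debug scopes"):
// re-establish the invariant at the use site instead of assuming it.
Script* getDebugScopeAfterFix(Function& f) { return f.getOrCreateScript(); }

// Replays the ordering of the reported testcase. Returns true if the lookup
// produced a script, false where the real engine would trip the assertion.
bool replayTestcase(Script* (*getDebugScope)(Function&), bool addDebuggeeBeforeGC) {
    Function f{"function f() { return \"from f\"; }", nullptr};
    f.getOrCreateScript();                         // g.eval(...) compiled f: non-lazy
    Compartment g;
    g.functions.push_back(&f);

    if (addDebuggeeBeforeGC) g.isDebuggee = true;  // dbg.addDebuggee(g) early
    gcRelazify(g);                                 // the gczeal-triggered GC
    g.isDebuggee = true;                           // dbg.addDebuggee(g) as in the testcase

    return getDebugScope(f) != nullptr;            // fw.environment
}

int main() {
    const char* verdict[] = {"hasScript() violated", "ok"};
    std::printf("before fix, GC before addDebuggee: %s\n", verdict[replayTestcase(getDebugScopeBeforeFix, false)]);
    std::printf("after fix,  GC before addDebuggee: %s\n", verdict[replayTestcase(getDebugScopeAfterFix, false)]);
    std::printf("before fix, addDebuggee before GC: %s\n", verdict[replayTestcase(getDebugScopeBeforeFix, true)]);
    return 0;
}
```

The point of the model is the shape of the fix: a Debugger.Object can outlive the state it was created under, so a use site must re-establish hasScript() itself (getOrCreateScript) rather than rely on a caller having checked earlier. It also shows why the ordering in the testcase matters: with addDebuggee before the GC, the pre-fix lookup succeeds and the bug never surfaces.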
(Reporter)

Updated

4 years ago
Status: RESOLVED → VERIFIED
status-firefox40: fixed → verified
(Reporter)

Comment 8

4 years ago
JSBugMon: This bug has been automatically verified fixed.
status-firefox37: --- → unaffected
status-firefox38: --- → affected
status-firefox-esr31: --- → unaffected
We should probably get this on Fx39 still, no? Not sure about ESR38, though (typically no for sec-moderates).
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → fixed
status-firefox38: affected → wontfix
status-firefox38.0.5: --- → wontfix
status-firefox-esr38: --- → affected
Flags: needinfo?(shu)
(Assignee)

Comment 10

3 years ago
Created attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (
(Assignee)

Comment 11

3 years ago
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Approval Request Comment
[Feature/regressing bug #]: Unsure
[User impact if declined]: Crashes when using JS debugger.
[Describe test coverage new/current, TreeHerder]: On m-c and aurora.
[Risks and why]: Low, no user behavior change; bug fix.
[String/UUID change made/needed]: None.
Flags: needinfo?(shu)
Attachment #8611524 - Flags: approval-mozilla-beta?
Comment on attachment 8611524 [details] [diff] [review]
For uplift. Unlazify functions when getting their debug scopes. (

Has tests, been on m-c and m-a a while, fixes regression in 39.
Approved for uplift to beta
Attachment #8611524 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/releases/mozilla-beta/rev/9d21268e218c
status-firefox39: affected → fixed
Flags: in-testsuite? → in-testsuite+
(Reporter)

Updated

3 years ago
status-firefox39: fixed → verified
(Reporter)

Comment 14

3 years ago
JSBugMon: This bug has been automatically verified fixed on Fx39
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main39+]
Blocks: 963879
status-firefox-esr38: affected → wontfix

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release