Closed
Bug 1199175
Opened 9 years ago
Closed 9 years ago
Assertion failure: !inFrameMaps(frame), at js/src/vm/Debugger-inl.h:25 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla43
Flag | Tracking | Status
---|---|---
firefox43 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file)
patch, 2.56 KB, shu: review+
The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
var g = newGlobal();
for (var i = 0; i < 20; i++) {
    var dbg = new Debugger(g);
    dbg.onExceptionUnwind = function(stack, exc) {
        oomAfterAllocations(5);
    };
}
g.eval("throw 'fit';");
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000000006f1c96 in js::Debugger::onLeaveFrame (cx=0x7fe594d06800, frame=..., ok=false) at js/src/vm/Debugger-inl.h:25
#1 0x00000000006af47f in Interpret (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:4117
#2 0x00000000006b4eab in js::RunScript (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:704
#3 0x00000000006bf6c9 in js::ExecuteKernel (cx=cx@entry=0x7fe594d06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_INDIRECT_EVAL, evalInFrame=evalInFrame@entry=..., result=0x7fff545531d8) at js/src/vm/Interpreter.cpp:978
#4 0x00000000005bb81d in EvalKernel (cx=cx@entry=0x7fe594d06800, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=pc@entry=0x0) at js/src/builtin/Eval.cpp:353
#5 0x00000000005bc035 in js::IndirectEval (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:457
#6 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0x5bbf90 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7 0x00000000006b5682 in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#8 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fe592ef22d0, rval=...) at js/src/vm/Interpreter.cpp:818
#9 0x0000000000bf16e4 in js::DirectProxyHandler::call (this=this@entry=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fe594d06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#10 0x0000000000bf84e2 in js::CrossCompartmentWrapper::call (this=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fe594d06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#11 0x0000000000c0662a in js::Proxy::call (cx=cx@entry=0x7fe594d06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#12 0x0000000000c0670e in js::proxy_Call (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:718
#13 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0xc06670 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#14 0x00000000006b591b in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:751
#15 0x00000000006a7fca in Interpret (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:3054
#16 0x00000000006b4eab in js::RunScript (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:704
#17 0x00000000006bf6c9 in js::ExecuteKernel (cx=cx@entry=0x7fe594d06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fff545541e8) at js/src/vm/Interpreter.cpp:978
#18 0x00000000006c18e3 in js::Execute (cx=cx@entry=0x7fe594d06800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fff545541e8) at js/src/vm/Interpreter.cpp:1012
#19 0x0000000000ae8d7b in ExecuteScript (cx=cx@entry=0x7fe594d06800, scope=..., script=..., rval=0x7fff545541e8) at js/src/jsapi.cpp:4353
#20 0x0000000000ae8e6f in JS_ExecuteScript (cx=cx@entry=0x7fe594d06800, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4378
#21 0x0000000000481781 in runOffThreadScript (cx=0x7fe594d06800, argc=<optimized out>, vp=0x7fff545541e8) at js/src/shell/js.cpp:3398
#22 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0x481670 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#23 0x00000000006b5682 in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#24 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fff545546f8, rval=...) at js/src/vm/Interpreter.cpp:818
#25 0x0000000000bf16e4 in js::DirectProxyHandler::call (this=this@entry=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fe594d06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#26 0x0000000000bf84e2 in js::CrossCompartmentWrapper::call (this=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fe594d06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#27 0x0000000000c0662a in js::Proxy::call (cx=cx@entry=0x7fe594d06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#28 0x0000000000c0670e in js::proxy_Call (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:718
#29 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0xc06670 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#30 0x00000000006b591b in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:751
#31 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=argv@entry=0x7fff545549b8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#32 0x0000000000aaf123 in js::jit::InvokeFunction (cx=0x7fe594d06800, obj=..., constructing=<optimized out>, argc=<optimized out>, argv=0x7fff545549b0, rval=...) at js/src/jit/VMFunctions.cpp:96
#33 0x00007fe596253b1f in ?? ()
#34 0x0000000000000000 in ?? ()
rip 0x6f1c96 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+550>
=> 0x6f1c96 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+550>: movl $0x19,0x0
0x6f1ca1 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+561>: callq 0x49b160 <abort()>
Updated 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 (9 years ago)
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett
changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium
This iteration took 0.323 seconds to run.
Nope, this bisection isn't accurate. However, support for ancient build-time threadsafe/non-threadsafe builds was taken out some time ago, and it's more trouble bisecting back further, so Jan, do you think you can diagnose this quickly?
Flags: needinfo?(jdemooij)
Comment 3 (Assignee, 9 years ago)
Problem is that Debugger::slowPathOnLeaveFrame returns false when adding frames to the Vector and in that case we didn't call removeFromFrameMapsAndClearBreakpointsIn.
This patch uses MakeScopeExit for removeFromFrameMapsAndClearBreakpointsIn, so that we'll remove the frame even if we return false.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8663090 -
Flags: review?(shu)
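The failure path described in comment 3, shown as an added C++ model that is not SpiderMonkey's code: a frame is registered on entry, the slow leave path fails while appending to a vector under simulated OOM, and only the scope-guard version still removes the frame on that path. Frame, gFrameMap, gSimulateOOM, appendFrame, leaveKeepsMapsClean and the ScopeExit guard are stand-ins assumed here for AbstractFramePtr, the Debugger frame maps, oomAfterAllocations(), Vector::append(), the onLeaveFrame wrapper and mozilla::MakeScopeExit.

```cpp
// Added example, not SpiderMonkey code: models the bug in comment 3. A frame put in the
// frame maps on entry must be removed on every exit of the slow leave path, even on OOM.
#include <set>
#include <utility>
#include <vector>

using Frame = int;                 // stand-in for js::AbstractFramePtr
static std::set<Frame> gFrameMap;  // stand-in for Debugger's frame maps
static bool gSimulateOOM = false;  // stand-in for oomAfterAllocations()

// Minimal scope guard in the spirit of mozilla::MakeScopeExit.
template <typename F> class ScopeExit {
    F fn_; bool active_;
public:
    explicit ScopeExit(F fn) : fn_(std::move(fn)), active_(true) {}
    ScopeExit(ScopeExit&& o) : fn_(std::move(o.fn_)), active_(o.active_) { o.active_ = false; }
    ScopeExit(const ScopeExit&) = delete;
    ~ScopeExit() { if (active_) fn_(); }
};
template <typename F> ScopeExit<F> MakeScopeExit(F fn) { return ScopeExit<F>(std::move(fn)); }
static bool inFrameMaps(Frame f) { return gFrameMap.count(f) != 0; }

static bool appendFrame(std::vector<Frame>& v, Frame f) {
    if (gSimulateOOM) return false;  // Vector::append() failing under OOM
    v.push_back(f);
    return true;
}

// Before the fix: the early return skips the removal, so the frame stays mapped.
static bool slowPathOnLeaveFrameBuggy(Frame f, std::vector<Frame>& frames) {
    if (!appendFrame(frames, f)) return false;
    gFrameMap.erase(f);  // removeFromFrameMapsAndClearBreakpointsIn, success path only
    return true;
}

// After the fix: the guard erases the frame on every exit path, including failure.
static bool slowPathOnLeaveFrameFixed(Frame f, std::vector<Frame>& frames) {
    auto removeFrame = MakeScopeExit([f] { gFrameMap.erase(f); });
    return appendFrame(frames, f);
}

// Enters and leaves one frame; true iff the wrapper's !inFrameMaps(frame) check would pass.
static bool leaveKeepsMapsClean(bool (*slowPath)(Frame, std::vector<Frame>&), Frame f, bool oom) {
    std::vector<Frame> frames;
    gFrameMap.insert(f);  // onEnterFrame registers the frame
    gSimulateOOM = oom;
    slowPath(f, frames);  // return value ignored: the wrapper asserts regardless
    gSimulateOOM = false;
    bool clean = !inFrameMaps(f);
    gFrameMap.erase(f);   // reset for the next run
    return clean;
}
```

With oom set, the buggy path leaves the frame mapped (the state the reported assertion catches) while the guarded path does not.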
Comment 4 (9 years ago)
Comment on attachment 8663090 [details] [diff] [review]
Patch
Review of attachment 8663090 [details] [diff] [review]:
-----------------------------------------------------------------
Good catch and thanks for the patch!
Attachment #8663090 -
Flags: review?(shu) → review+
Comment 6 (9 years ago)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43