Closed Bug 1199175 Opened 9 years ago Closed 9 years ago

Assertion failure: !inFrameMaps(frame), at js/src/vm/Debugger-inl.h:25 with OOM

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla43
Tracking Status
firefox43 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision f61c3cc0eb8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):

var g = newGlobal();
for (var i = 0; i < 20; i++) {
    var dbg = new Debugger(g);
    dbg.onExceptionUnwind = function(stack, exc) {
        oomAfterAllocations(5);
    };
}
g.eval("throw 'fit';");
Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000006f1c96 in js::Debugger::onLeaveFrame (cx=0x7fe594d06800, frame=..., ok=false) at js/src/vm/Debugger-inl.h:25
#1  0x00000000006af47f in Interpret (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:4117
#2  0x00000000006b4eab in js::RunScript (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:704
#3  0x00000000006bf6c9 in js::ExecuteKernel (cx=cx@entry=0x7fe594d06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_INDIRECT_EVAL, evalInFrame=evalInFrame@entry=..., result=0x7fff545531d8) at js/src/vm/Interpreter.cpp:978
#4  0x00000000005bb81d in EvalKernel (cx=cx@entry=0x7fe594d06800, args=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=pc@entry=0x0) at js/src/builtin/Eval.cpp:353
#5  0x00000000005bc035 in js::IndirectEval (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:457
#6  0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0x5bbf90 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#7  0x00000000006b5682 in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#8  0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fe592ef22d0, rval=...) at js/src/vm/Interpreter.cpp:818
#9  0x0000000000bf16e4 in js::DirectProxyHandler::call (this=this@entry=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fe594d06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#10 0x0000000000bf84e2 in js::CrossCompartmentWrapper::call (this=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fe594d06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#11 0x0000000000c0662a in js::Proxy::call (cx=cx@entry=0x7fe594d06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#12 0x0000000000c0670e in js::proxy_Call (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:718
#13 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0xc06670 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#14 0x00000000006b591b in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:751
#15 0x00000000006a7fca in Interpret (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:3054
#16 0x00000000006b4eab in js::RunScript (cx=cx@entry=0x7fe594d06800, state=...) at js/src/vm/Interpreter.cpp:704
#17 0x00000000006bf6c9 in js::ExecuteKernel (cx=cx@entry=0x7fe594d06800, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=type@entry=js::EXECUTE_GLOBAL, evalInFrame=evalInFrame@entry=..., result=result@entry=0x7fff545541e8) at js/src/vm/Interpreter.cpp:978
#18 0x00000000006c18e3 in js::Execute (cx=cx@entry=0x7fe594d06800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x7fff545541e8) at js/src/vm/Interpreter.cpp:1012
#19 0x0000000000ae8d7b in ExecuteScript (cx=cx@entry=0x7fe594d06800, scope=..., script=..., rval=0x7fff545541e8) at js/src/jsapi.cpp:4353
#20 0x0000000000ae8e6f in JS_ExecuteScript (cx=cx@entry=0x7fe594d06800, scriptArg=..., scriptArg@entry=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4378
#21 0x0000000000481781 in runOffThreadScript (cx=0x7fe594d06800, argc=<optimized out>, vp=0x7fff545541e8) at js/src/shell/js.cpp:3398
#22 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0x481670 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#23 0x00000000006b5682 in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:763
#24 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=0x7fff545546f8, rval=...) at js/src/vm/Interpreter.cpp:818
#25 0x0000000000bf16e4 in js::DirectProxyHandler::call (this=this@entry=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7fe594d06800, proxy=..., proxy@entry=..., args=...) at js/src/proxy/DirectProxyHandler.cpp:77
#26 0x0000000000bf84e2 in js::CrossCompartmentWrapper::call (this=0x1b5a8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7fe594d06800, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:289
#27 0x0000000000c0662a in js::Proxy::call (cx=cx@entry=0x7fe594d06800, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:412
#28 0x0000000000c0670e in js::proxy_Call (cx=0x7fe594d06800, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:718
#29 0x00000000006c5382 in js::CallJSNative (cx=0x7fe594d06800, native=0xc06670 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#30 0x00000000006b591b in js::Invoke (cx=cx@entry=0x7fe594d06800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:751
#31 0x00000000006b76b6 in js::Invoke (cx=cx@entry=0x7fe594d06800, thisv=..., fval=..., argc=<optimized out>, argv=argv@entry=0x7fff545549b8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:818
#32 0x0000000000aaf123 in js::jit::InvokeFunction (cx=0x7fe594d06800, obj=..., constructing=<optimized out>, argc=<optimized out>, argv=0x7fff545549b0, rval=...) at js/src/jit/VMFunctions.cpp:96
#33 0x00007fe596253b1f in ?? ()
#34 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fff54552290	140734608253584
rcx	0x7fe5950a388d	140624024713357
rdx	0x0	0
rsi	0x7fe5953789d0	140624027683280
rdi	0x7fe5953771c0	140624027677120
rbp	0x7fff54552300	140734608253696
rsp	0x7fff54552290	140734608253584
r8	0x7fe5963e8780	140624044918656
r9	0x6372732f736a2f6c	7165916604736876396
r10	0x7fe595374be0	140624027667424
r11	0x0	0
r12	0x0	0
r13	0x0	0
r14	0x7fe594d06800	140624020924416
r15	0x7fff54552730	140734608254768
rip	0x6f1c96 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+550>
=> 0x6f1c96 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+550>:	movl   $0x19,0x0
   0x6f1ca1 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+561>:	callq  0x49b160 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user:        Jan de Mooij
date:        Thu Jul 24 11:56:43 2014 +0200
summary:     Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett

changeset:   https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user:        Jan de Mooij
date:        Thu Jul 24 11:56:45 2014 +0200
summary:     Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium

This iteration took 0.323 seconds to run.
Nope, this bisection isn't accurate; however, support for ancient build-time threadsafe/non-threadsafe builds was taken out some time ago, and it's more trouble bisecting back further, so Jan, do you think you can diagnose this quickly?
Flags: needinfo?(jdemooij)
Attached patch: Patch (Splinter Review)
Problem is that Debugger::slowPathOnLeaveFrame returns false when adding frames to the Vector and in that case we didn't call removeFromFrameMapsAndClearBreakpointsIn.

This patch uses MakeScopeExit for removeFromFrameMapsAndClearBreakpointsIn, so that we'll remove the frame even if we return false.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8663090 - Flags: review?(shu)
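The failure mode described in the patch comment, as an added example that is not SpiderMonkey's code: a frame is registered in a Debugger's frame maps, the leave-frame path can fail part-way (here a fallible append that returns false once an allocation budget is exhausted, standing in for the Vector append under oomAfterAllocations), and any early `return false` that skips the unregistration leaves a stale frame behind, which is exactly what the `!inFrameMaps(frame)` assertion catches on the next frame push. The names FrameMaps, OomVector, leaveFrameBuggy, leaveFrameFixed and frameLeakedAfterOom are hypothetical stand-ins, and MakeScopeExit is a minimal local reimplementation of the MFBT helper, not the engine's.

```cpp
// Added example, not SpiderMonkey code. Models the cleanup bug in the
// leave-frame path and the scope-exit fix from the patch comment. All type
// and function names here are hypothetical stand-ins for the engine's own.
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Minimal stand-in for mozilla::MakeScopeExit: runs the callable when the
// enclosing scope is left by any path, including an early `return false`.
template <typename F>
class ScopeExit {
  F fn_;
  bool active_ = true;
public:
  explicit ScopeExit(F fn) : fn_(std::move(fn)) {}
  ScopeExit(ScopeExit&& other) : fn_(std::move(other.fn_)), active_(other.active_) {
    other.active_ = false;
  }
  ScopeExit(const ScopeExit&) = delete;
  ScopeExit& operator=(const ScopeExit&) = delete;
  ~ScopeExit() { if (active_) fn_(); }
  void release() { active_ = false; }
};
template <typename F>
ScopeExit<F> MakeScopeExit(F fn) { return ScopeExit<F>(std::move(fn)); }

// Stand-in for the per-Debugger frame maps; frames are plain ints here.
struct FrameMaps {
  std::set<int> frames;
  bool inFrameMaps(int frame) const { return frames.count(frame) != 0; }
  void addFrame(int frame) { frames.insert(frame); }
  void removeFromFrameMaps(int frame) { frames.erase(frame); }
};

// Stand-in for a fallible Vector::append. `budget` is the number of
// allocations still allowed, mirroring the shell's oomAfterAllocations(n).
struct OomVector {
  std::vector<int> items;
  int budget;
  bool append(int v) {
    if (budget <= 0) return false;   // simulated allocation failure
    --budget;
    items.push_back(v);
    return true;
  }
};

// Buggy shape: the frame is only unregistered on the success path.
bool leaveFrameBuggy(FrameMaps& maps, OomVector& hooks, int frame) {
  if (!hooks.append(frame))
    return false;                    // early return skips the cleanup below
  maps.removeFromFrameMaps(frame);
  return true;
}

// Fixed shape: cleanup is registered up front and runs on every exit path.
bool leaveFrameFixed(FrameMaps& maps, OomVector& hooks, int frame) {
  auto cleanup = MakeScopeExit([&] { maps.removeFromFrameMaps(frame); });
  if (!hooks.append(frame))
    return false;                    // cleanup still runs here
  return true;
}

// Drive one version through a simulated OOM on the first append and report
// whether the frame was left registered (true means the bug reproduced).
bool frameLeakedAfterOom(bool useFixed) {
  FrameMaps maps;
  maps.addFrame(42);                 // constructed frame id
  OomVector hooks{ {}, /*budget=*/0 };
  bool ok = useFixed ? leaveFrameFixed(maps, hooks, 42)
                     : leaveFrameBuggy(maps, hooks, 42);
  return !ok && maps.inFrameMaps(42);
}

// Sanity check for the non-OOM path: both versions unregister the frame.
bool frameRemovedOnSuccess(bool useFixed) {
  FrameMaps maps;
  maps.addFrame(7);                  // constructed frame id
  OomVector hooks{ {}, /*budget=*/1 };
  bool ok = useFixed ? leaveFrameFixed(maps, hooks, 7)
                     : leaveFrameBuggy(maps, hooks, 7);
  return ok && !maps.inFrameMaps(7);
}
```

The point of the scope-exit form is that the unregistration no longer depends on which `return` is taken; a later fallible step added to the function cannot reintroduce the stale-frame state without someone explicitly calling `release()`.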
Comment on attachment 8663090 [details] [diff] [review]
Patch

Review of attachment 8663090 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch and thanks for the patch!
Attachment #8663090 - Flags: review?(shu) → review+
https://hg.mozilla.org/mozilla-central/rev/0ad4ca92e9a9
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43