Closed Bug 1240546 Opened 4 years ago Closed 4 years ago

Assertion failure: frame.isDebuggee(), at js/src/vm/Debugger-inl.h:18 with OOM

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed

People
Reporter: decoder, Assigned: shu

References
Blocks 2 open bugs

Details
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,bisect]

Attachments
1 file

The following testcase crashes on mozilla-central revision 099f695d3132 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --ion-eager min.js):

// Shell-only testcase: newGlobal() creates a fresh global that will act as the
// debugger's compartment; the current global becomes the debuggee.
var g = newGlobal();
g.debuggeeGlobal = this;
g.eval("(" + function() {
    // Shell testing hook: make the 100th allocation from here on fail (simulated OOM).
    oomAfterAllocations(100);
    var dbg = Debugger(debuggeeGlobal);
    // Installing the hook forces on-stack baseline scripts to be recompiled for
    // debug mode; the injected OOM hits during that recompilation.
    dbg.onEnterFrame = function(frame) {};
} + ")()");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x08341336 in js::Debugger::onLeaveFrame (cx=0xf7a7e020, frame=..., ok=false) at js/src/vm/Debugger-inl.h:18
#0  0x08341336 in js::Debugger::onLeaveFrame (cx=0xf7a7e020, frame=..., ok=false) at js/src/vm/Debugger-inl.h:18
#1  0x0833e000 in HandleExceptionBaseline (pc=<optimized out>, rfe=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:753
#2  js::jit::HandleException (rfe=0xffffcdb8) at js/src/jit/JitFrames.cpp:899
#3  0xf7c88335 in ?? ()
#4  0xf7a1f010 in ?? ()
#5  0xf7c88c5c in ?? ()
#6  0x08248b85 in EnterBaseline (cx=0xf7a1f010, cx@entry=0xf7a7e020, data=...) at js/src/jit/BaselineJIT.cpp:128
[...]
#17 main (argc=3, argv=0xffffd924, envp=0xffffd934) at js/src/shell/js.cpp:6869
eax	0x0	0
ebx	0x9812d8c	159460748
ecx	0xf7e4388c	-136038260
edx	0x0	0
esi	0x0	0
edi	0x3	3
ebp	0xffffca08	4294953480
esp	0xffffc9e0	4294953440
eip	0x8341336 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+246>
=> 0x8341336 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+246>:	movl   $0x12,0x0
   0x8341340 <js::Debugger::onLeaveFrame(JSContext*, js::AbstractFramePtr, bool)+256>:	call   0x810a540 <abort()>
I can reproduce this.
This crash is caused by the injected OOM that occurs here:

#0  js_failedAllocBreakpoint () at /home/jimb/moz/dbg/js/src/debug~/dist/include/js/Utility.h:116
#1  0x000000000042bd67 in js::oom::ShouldFailWithOOM () at /home/jimb/moz/dbg/js/src/debug~/dist/include/js/Utility.h:148
#2  0x000000000044bfdf in js::SystemAllocPolicy::checkSimulatedOOM (this=0x7ffd64c59380) at /home/jimb/moz/dbg/js/src/jsalloc.h:47
#3  0x00000000005a1dd8 in mozilla::Vector<unsigned char, 256ul, js::SystemAllocPolicy>::reserve (this=0x7ffd64c59380, aRequest=398) at /home/jimb/moz/dbg/js/src/debug~/dist/include/mozilla/Vector.h:933
#4  0x00000000005882b3 in js::jit::AssemblerBuffer::ensureSpace (this=0x7ffd64c59380, space=16) at /home/jimb/moz/dbg/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:79
#5  0x00000000005894fe in js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::oneByteOp64 (this=0x7ffd64c59380, opcode=js::jit::X86Encoding::OP_GROUP1_EvIz, rm=js::jit::X86Encoding::rsp, reg=5) at /home/jimb/moz/dbg/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4342
#6  0x0000000000589ec0 in js::jit::X86Encoding::BaseAssemblerX64::subq_ir (this=0x7ffd64c59378, imm=240, dst=js::jit::X86Encoding::rsp) at /home/jimb/moz/dbg/js/src/jit/x64/BaseAssembler-x64.h:198
#7  0x000000000058b134 in js::jit::Assembler::subq (this=0x7ffd64c590a8, imm=..., dest=...) at /home/jimb/moz/dbg/js/src/jit/x64/Assembler-x64.h:524
#8  0x000000000092cea8 in js::jit::MacroAssembler::reserveStack (this=0x7ffd64c590a8, amount=240) at /home/jimb/moz/dbg/js/src/jit/x64/MacroAssembler-x64.cpp:341
#9  0x00000000009c6712 in js::jit::MacroAssembler::PushRegsInMask (this=0x7ffd64c590a8, set=...) at /home/jimb/moz/dbg/js/src/jit/x86-shared/MacroAssembler-x86-shared.cpp:337
#10 0x00000000008545bc in js::jit::MacroAssembler::tracelogStartId (this=0x7ffd64c590a8, logger=..., textId=2, force=true) at /home/jimb/moz/dbg/js/src/jit/MacroAssembler.cpp:1546
#11 0x0000000000eb626d in js::jit::BaselineCompiler::emitTraceLoggerEnter (this=0x7ffd64c59090) at /home/jimb/moz/dbg/js/src/jit/BaselineCompiler.cpp:849
#12 0x0000000000eb49ea in js::jit::BaselineCompiler::emitPrologue (this=0x7ffd64c59090) at /home/jimb/moz/dbg/js/src/jit/BaselineCompiler.cpp:413
#13 0x0000000000eb3520 in js::jit::BaselineCompiler::compile (this=0x7ffd64c59090) at /home/jimb/moz/dbg/js/src/jit/BaselineCompiler.cpp:112
#14 0x000000000065389a in js::jit::BaselineCompile (cx=0x7f7590c1b800, script=0x7f758806e160, forceDebugInstrumentation=true) at /home/jimb/moz/dbg/js/src/jit/BaselineJIT.cpp:276
#15 0x0000000000ec4cba in RecompileBaselineScriptForDebugMode (cx=0x7f7590c1b800, script=0x7f758806e160, observing=js::Debugger::Observing) at /home/jimb/moz/dbg/js/src/jit/BaselineDebugModeOSR.cpp:669
#16 0x0000000000ec59f8 in js::jit::RecompileOnStackBaselineScriptsForDebugMode (cx=0x7f7590c1b800, obs=..., observing=js::Debugger::Observing) at /home/jimb/moz/dbg/js/src/jit/BaselineDebugModeOSR.cpp:880
#17 0x0000000000b7c359 in js::Debugger::updateExecutionObservabilityOfFrames (cx=0x7f7590c1b800, obs=..., observing=js::Debugger::Observing) at /home/jimb/moz/dbg/js/src/vm/Debugger.cpp:2043
#18 0x0000000000b7cd47 in js::Debugger::updateExecutionObservability (cx=0x7f7590c1b800, obs=..., observing=js::Debugger::Observing) at /home/jimb/moz/dbg/js/src/vm/Debugger.cpp:2199
#19 0x0000000000b7d31e in js::Debugger::updateObservesAllExecutionOnDebuggees (this=0x7f7590c5a000, cx=0x7f7590c1b800, observing=js::Debugger::Observing) at /home/jimb/moz/dbg/js/src/vm/Debugger.cpp:2301
#20 0x0000000000b7ef91 in js::Debugger::setHookImpl (cx=0x7f7590c1b800, args=..., dbg=..., which=js::Debugger::OnEnterFrame) at /home/jimb/moz/dbg/js/src/vm/Debugger.cpp:2863
#21 0x0000000000b7f507 in js::Debugger::setOnEnterFrame (cx=0x7f7590c1b800, argc=1, vp=0x7ffd64c5aaa8) at /home/jimb/moz/dbg/js/src/vm/Debugger.cpp:2951
#22 0x0000000000c0c624 in js::CallJSNative (cx=0x7f7590c1b800, native=0xb7f49a <js::Debugger::setOnEnterFrame(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/jimb/moz/dbg/js/src/jscntxtinlines.h:235
#23 0x0000000000bea2a5 in js::Invoke (cx=0x7f7590c1b800, args=..., construct=js::NO_CONSTRUCT) at /home/jimb/moz/dbg/js/src/vm/Interpreter.cpp:481
#24 0x0000000000bea630 in js::Invoke (cx=0x7f7590c1b800, thisv=..., fval=..., argc=1, argv=0x7ffd64c5adc0, rval=...) at /home/jimb/moz/dbg/js/src/vm/Interpreter.cpp:533
#25 0x0000000000beae26 in js::InvokeSetter (cx=0x7f7590c1b800, thisv=..., fval=..., v=...) at /home/jimb/moz/dbg/js/src/vm/Interpreter.cpp:651
#26 0x0000000000c57a3f in SetExistingProperty (cx=0x7f7590c1b800, obj=..., id=..., v=..., receiver=..., pobj=..., shape=..., result=...) at /home/jimb/moz/dbg/js/src/vm/NativeObject.cpp:2289
#27 0x0000000000c57d18 in js::NativeSetProperty (cx=0x7f7590c1b800, obj=..., id=..., value=..., receiver=..., qualified=js::Qualified, result=...) at /home/jimb/moz/dbg/js/src/vm/NativeObject.cpp:2323
#28 0x0000000000517efc in js::SetProperty (cx=0x7f7590c1b800, obj=..., id=..., v=..., receiver=..., result=...) at /home/jimb/moz/dbg/js/src/vm/NativeObject.h:1488
#29 0x000000000065f6e6 in js::PutProperty (cx=0x7f7590c1b800, obj=..., id=..., v=..., strict=false) at /home/jimb/moz/dbg/js/src/jsobj.h:934
#30 0x000000000063f36c in js::jit::DoSetPropFallback (cx=0x7f7590c1b800, frame=0x7ffd64c5b428, stub_=0x7f758794df20, lhs=..., rhs=..., res=...) at /home/jimb/moz/dbg/js/src/jit/BaselineIC.cpp:4781
Shu, it seems like updateObservesAllExecutionOnDebuggees isn't handling OOM correctly. Would you be able to look at this?
Flags: needinfo?(shu)
Flags: needinfo?(shu)
Assignee: nobody → shu
Attachment #8709788 - Flags: review?(jimb) → review+
https://hg.mozilla.org/mozilla-central/rev/4e9d8d7b6668
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46