Closed Bug 1240803 Opened 9 years ago Closed 9 years ago

Assertion failure: !Debugger::inFrameMaps(f), at js/src/jit/RematerializedFrame.cpp:109 with OOM

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla46
Tracking Status: firefox46 --- fixed
People: Reporter: decoder, Assigned: shu
References: Blocks 1 open bug
Keywords: assertion, regression, testcase
Whiteboard: [jsbugmon:update,bisect]
Attachments: 1 file

The following testcase crashes on mozilla-central revision a77b73c7723e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-extra-checks --ion-eager --ion-offthread-compile=off):

(function() {
  g = newGlobal()
  dbg = new Debugger
  g.toggle = function(d) {
    if (d) {
      dbg.addDebuggee(g);
      dbg.getNewestFrame();
      oomAfterAllocations(2);
      setBreakpoint;
    }
  }
  g.eval("" + function f(d) toggle(d))
  g.eval("(" + function() {
    f(false);
    f(true);
  } + ")()")
})();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000790138 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
#0  0x0000000000790138 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
#1  0x0000000000b134e1 in js::jit::JitActivation::clearRematerializedFrames (this=this@entry=0x7fffffff98a0) at js/src/vm/Stack.cpp:1561
#2  0x0000000000b15487 in js::jit::JitActivation::~JitActivation (this=0x7fffffff98a0, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1485
#3  0x00000000006b8852 in EnterIon (data=..., cx=0x7ffff6907800) at js/src/jit/Ion.cpp:2718
#4  js::jit::IonCannon (cx=cx@entry=0x7ffff6907800, state=...) at js/src/jit/Ion.cpp:2816
#5  0x0000000000a4b73b in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:408
#6  0x0000000000a4b97c in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:499
#7  0x0000000000a4d339 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffa248, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#8  0x00000000006017de in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffa288, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffa238, res=...)
    at js/src/jit/BaselineIC.cpp:6186
#9  0x00007ffff7ff1a1f in ?? ()
[...]
#31 0x0000000000000000 in ?? ()
rax            0x0      0
rbx            0x7ffff6922d60   140737330163040
rcx            0x7ffff6ca53cd   140737333842893
rdx            0x0      0
rsi            0x7ffff6f7a9d0   140737336814032
rdi            0x7ffff6f791c0   140737336807872
rbp            0x7fffffff9680   140737488328320
rsp            0x7fffffff9660   140737488328288
r8             0x7ffff7fe0780   140737354008448
r9             0x6372732f736a2f6c       7165916604736876396
r10            0x7fffffff9420   140737488327712
r11            0x7ffff6c27960   140737333328224
r12            0x0      0
r13            0x7ffff69ae8c8   140737330735304
r14            0x7fffffff9780   140737488328576
r15            0x7ffff6907800   140737330051072
rip            0x790138 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+312>
=> 0x790138 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+312>:        movl   $0x6d,0x0
   0x790143 <js::jit::RematerializedFrame::FreeInVector(mozilla::Vector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>&)+323>:        callq  0x4a2e10 <abort()>
JIT + OOM + CCW + Debugger. Fuzzers are mean. Shu, can you take a look?
Flags: needinfo?(shu)
Attachment #8709801 - Flags: review?(jimb)
Flags: needinfo?(shu)
Assignee: nobody → shu
Comment on attachment 8709801 [details] [diff] [review]
Handle OOM in replaceFrameGuts.

Review of attachment 8709801 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/Debugger.cpp
@@ +5419,5 @@
> + }
> +
> + // Rekey missingScopes to maintain Debugger.Environment identity and
> + // forward liveScopes to point to the new frame.
> + // gone.

Looks like the copy-paste of this comment went awry.
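Review bot: the trailing `+ // gone.` line in this hunk is an orphaned fragment: the sentence above it already ends at `to point to the new frame.`, so the comment as written has no sentence for "gone." to complete. Either drop the stray line or restore the sentence it belonged to (presumably describing what happens to entries whose frame is gone after the OOM path), so the comment states in one piece what the rekeying and forwarding are for.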
Attachment #8709801 - Flags: review?(jimb) → review+
(In reply to Jim Blandy :jimb from comment #3)
> Comment on attachment 8709801 [details] [diff] [review]
> Handle OOM in replaceFrameGuts.
>
> Review of attachment 8709801 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> ::: js/src/vm/Debugger.cpp
> @@ +5419,5 @@
> > + }
> > +
> > + // Rekey missingScopes to maintain Debugger.Environment identity and
> > + // forward liveScopes to point to the new frame.
> > + // gone.
>
> Looks like the copy-paste of this comment went awry.

Oops, thanks eagle eye!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46