Closed Bug 1243386 Opened 8 years ago Closed 8 years ago

Crash [@ js::Debugger::removeDebuggeeGlobal] with Debugger

Categories

(Core :: JavaScript Engine, defect)

Platform: ARM
OS: Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 1242798

People

(Reporter: decoder, Assigned: jimb)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,bisect,ignore])


The following testcase crashes on mozilla-central revision c0ba5835ca48 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --disable-debug, run with --ion-eager):

g = newGlobal();
dbg = Debugger(g);
g.eval("" + function f(c) {
    if (c == 0) return;
    if (c == 2) debugger;
    f(c - 1);
    for (i = 0; i < 100; i++) 0;
})
dbg.onDebuggerStatement = function() {};
g.eval("f(2)");
assertDeepEq = function() {
    a = Function.prototype.call(0);
}()
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::Debugger::removeDebuggeeGlobal (this=0xf41c7800, fop=fop@entry=0xffffc5d0, global=global@entry=0xf436a040, debugEnum=0x0) at js/src/jsscriptinlines.h:176
#0  js::Debugger::removeDebuggeeGlobal (this=0xf41c7800, fop=fop@entry=0xffffc5d0, global=global@entry=0xf436a040, debugEnum=0x0) at js/src/jsscriptinlines.h:176
#1  0x08433ac1 in js::Debugger::detachAllDebuggersFromGlobal (fop=fop@entry=0xffffc5d0, global=0xf436a040) at js/src/vm/Debugger.cpp:2696
#2  0x083716e8 in JSCompartment::sweepGlobalObject (this=0xf41c6000, fop=0xffffc5d0) at js/src/jscompartment.cpp:683
#3  0x0839eec4 in js::gc::GCRuntime::beginSweepingZoneGroup (this=this@entry=0xf7a3c20c) at js/src/jsgc.cpp:5189
#4  0x083a7dbf in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0xf7a3c20c, destroyingRuntime=destroyingRuntime@entry=false) at js/src/jsgc.cpp:5375
#5  0x083a99e0 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0xf7a3c20c, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6136
#6  0x083aa666 in js::gc::GCRuntime::gcCycle (this=this@entry=0xf7a3c20c, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6344
#7  0x083aaab3 in js::gc::GCRuntime::collect (this=this@entry=0xf7a3c20c, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6450
#8  0x083aad9a in js::gc::GCRuntime::gc (this=this@entry=0xf7a3c20c, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6508
#9  0x0836376e in js::DestroyContext (cx=cx@entry=0xf7a86040, mode=mode@entry=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:181
#10 0x0833b967 in JS_DestroyContext (cx=cx@entry=0xf7a86040) at js/src/jsapi.cpp:580
#11 0x0807233c in DestroyContext (withGC=true, cx=0xf7a86040) at js/src/shell/js.cpp:6103
#12 main (argc=3, argv=0xffffcc54, envp=0xffffcc64) at js/src/shell/js.cpp:7008
eax	0xe5853004	-444256252
ebx	0x946e584	155641220
ecx	0xf7a5b980	-140134016
edx	0x0	0
esi	0xf45ffca2	-195035998
edi	0xffffc5d0	-14896
ebp	0xffffc3c8	4294951880
esp	0xffffc380	4294951808
eip	0x8433799 <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::ReadBarriered<js::GlobalObject*> const, js::HashSet<js::ReadBarriered<js::GlobalObject*>, js::MovableCellHasher<js::ReadBarriered<js::GlobalObject*> >, js::RuntimeAllocPolicy>::SetOps, js::RuntimeAllocPolicy>::Enum*)+121>
=> 0x8433799 <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::ReadBarriered<js::GlobalObject*> const, js::HashSet<js::ReadBarriered<js::GlobalObject*>, js::MovableCellHasher<js::ReadBarriered<js::GlobalObject*> >, js::RuntimeAllocPolicy>::SetOps, js::RuntimeAllocPolicy>::Enum*)+121>:	mov    0x2c(%eax),%edi
   0x843379c <js::Debugger::removeDebuggeeGlobal(js::FreeOp*, js::GlobalObject*, js::detail::HashTable<js::ReadBarriered<js::GlobalObject*> const, js::HashSet<js::ReadBarriered<js::GlobalObject*>, js::MovableCellHasher<js::ReadBarriered<js::GlobalObject*> >, js::RuntimeAllocPolicy>::SetOps, js::RuntimeAllocPolicy>::Enum*)+124>:	xor    %eax,%eax
I can reproduce this.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 08eddf3af531).
I found that running SM under RR caused the bug not to reproduce; so I think it's timing-sensitive.
Assignee: nobody → jimb
Here's what I know so far:

The crash occurs when we're shutting down: the Debugger instance is collected and detaches itself from all its debuggees, and in the process tries to detach all its Debugger.Frame instances from the stack frames they refer to. It stumbles over an entry in its Debugger::frames table whose key's script() is invalid.

Given the test case, there should be no entries in that table by the time we're shutting down. The only stack frame we've ever created a Debugger.Frame for has been popped. Asking for the script() of a popped frame is certainly something one would expect to crash.
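As an added illustration of the invariant described in the comment above (a toy C++ model, not SpiderMonkey code and not the fix from bug 1242798): a Debugger-like object keeps a side table keyed by raw stack-frame pointers, and an entry left behind for a popped frame is what the shutdown sweep would dereference. Every type and function name here (Script, Frame, Stack, Debugger, runScenario) is invented for the model, and the shutdown path counts stale entries instead of crashing on them.

```cpp
#include <set>
#include <string>
#include <vector>

struct Script { std::string name; };
// A frame slot in a fixed stack region. After pop, script() is invalid; the
// model sets nullptr where the real engine would read dead memory.
struct Frame { Script* script = nullptr; bool onStack = false; };
struct Stack {
    Frame slots[8];
    int depth = 0;
    Frame* push(Script* s) { Frame& f = slots[depth++]; f.script = s; f.onStack = true; return &f; }
    void pop() { Frame& f = slots[--depth]; f.script = nullptr; f.onStack = false; }
};

// Toy counterpart of js::Debugger and its frames table, keyed by raw frame pointers.
struct Debugger {
    std::set<Frame*> frames;
    void onDebuggerStatement(Frame* f) { frames.insert(f); }   // a Debugger.Frame is created
    // Required bookkeeping: the entry must go when its frame is popped.
    void onPopFrame(Frame* f) { frames.erase(f); }
    // Shutdown path modelled on removeDebuggeeGlobal: rather than touching a
    // popped frame's script, count such stale entries and skip them.
    int detachAll(std::vector<std::string>* detached) {
        int stale = 0;
        for (Frame* f : frames) {
            if (!f->onStack || !f->script) { ++stale; continue; }
            detached->push_back(f->script->name);
        }
        frames.clear();
        return stale;
    }
};

// Replays the testcase: f(2) hits `debugger`, the recursion unwinds, shutdown
// detaches. Returns stale entries seen: 0 with pop cleanup, 1 without it.
int runScenario(bool forgetPop) {
    Script f{"f"};
    Stack stack;
    Debugger dbg;
    Frame* outer = stack.push(&f);       // f(2) enters
    dbg.onDebuggerStatement(outer);      // `debugger;` fires in f(2)
    stack.push(&f); stack.pop();         // f(1) and f(0) come and go
    if (!forgetPop) dbg.onPopFrame(outer);
    stack.pop();                         // f(2) returns; its slot is now dead
    std::vector<std::string> detached;
    return dbg.detachAll(&detached);
}
```

With cleanup on pop the table is empty at shutdown; skipping it leaves exactly the one popped frame the real crash stumbled over.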
That sounds a lot like bug 1242798.
The patch from bug 1242798 fixes this. Marking as dup, and hence S-S.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security