Closed Bug 1254578 Opened 4 years ago Closed 4 years ago

Assertion failure: isRematerializedFrame(), at js/src/vm/Stack.h:184 with Debugger and OOM

(Core :: JavaScript Engine, defect, critical)

Not set

Tracking Status
firefox47 --- wontfix
firefox48 --- fixed

(Reporter: decoder, Unassigned)

(Blocks 2 open bugs)

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

(1 file)
The following testcase crashes on mozilla-central revision 20d8879ac256 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --ion-eager min.js):

var g = newGlobal();
g.debuggeeGlobal = this;
g.eval("(" + function() {
    dbg = new Debugger(debuggeeGlobal);
    dbg.onExceptionUnwind = function(frame, exc) {
        var s = '!';
        for (var f = frame; f; f = f.older)
            debuggeeGlobal.log += s;
} + ")();");
var dbg = new Debugger;
dbg.onNewGlobalObject = function(global) {
    get.seen = true;
oomTest(function() {

Program received signal SIGSEGV, Segmentation fault.
0x0807a3ec in js::AbstractFramePtr::asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack.h:184
#0  0x0807a3ec in js::AbstractFramePtr::asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack.h:184
#1  0x0824cecb in asRematerializedFrame (this=0xffffc22c) at js/src/vm/Stack-inl.h:661
#2  js::AbstractFramePtr::script (this=0xffffc22c) at js/src/vm/Stack-inl.h:664
#3  0x08665164 in js::Debugger::FrameRange::FrameRange (this=this@entry=0xffffc254, frame=..., global=0x0) at js/src/vm/Debugger.cpp:192
#4  0x08665ee1 in js::Debugger::inFrameMaps (frame=...) at js/src/vm/Debugger.cpp:5708
#5  0x0841a148 in js::jit::RematerializedFrame::FreeInVector (frames=...) at js/src/jit/RematerializedFrame.cpp:109
#6  0x087b815b in js::jit::JitActivation::clearRematerializedFrames (this=this@entry=0xffffc490) at js/src/vm/Stack.cpp:1533
#7  0x087bb6d2 in js::jit::JitActivation::~JitActivation (this=0xffffc490, __in_chrg=<optimized out>) at js/src/vm/Stack.cpp:1457
#8  0x08302f8f in EnterIon (data=..., cx=0xf7a73020) at js/src/jit/Ion.cpp:2786
#9  js::jit::IonCannon (cx=cx@entry=0xf7a73020, state=...) at js/src/jit/Ion.cpp:2887
#10 0x08745ccf in js::RunScript (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:408
#11 0x08745ede in js::Invoke (cx=0xf7a73020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496
#12 0x087468ae in js::Invoke (cx=cx@entry=0xf7a73020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:530
#13 0x08536f28 in JS_CallFunction (cx=cx@entry=0xf7a73020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2858
#14 0x086ccfda in OOMTest (cx=0xf7a73020, argc=1, vp=0xffffca80) at js/src/builtin/TestingFunctions.cpp:1294
#15 0x0874c60a in js::CallJSNative (cx=0xf7a73020, native=0x86cccd0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#33 main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:7252
eax	0x0	0
ebx	0x9890550	159974736
ecx	0xf7e4488c	-136034164
edx	0x0	0
esi	0xffffc254	-15788
edi	0xffffc22c	-15828
ebp	0xffffc1f8	4294951416
esp	0xffffc1e0	4294951392
eip	0x807a3ec <js::AbstractFramePtr::asRematerializedFrame() const+42>
=> 0x807a3ec <js::AbstractFramePtr::asRematerializedFrame() const+42>:	movl   $0xb8,0x0
   0x807a3f6 <js::AbstractFramePtr::asRematerializedFrame() const+52>:	call   0x8102c30 <abort()>

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Boris Zbarsky
date:        Wed Dec 02 13:52:59 2015 -0500
summary:     Bug 1229664.  Drop the concept of inner exceptions from Exception/DOMException.  r=bholley

This iteration took 401.348 seconds to run.

Boris, is bug 1229664 a likely regressor? (The testcase seems to involve exception stuff, e.g. onExceptionUnwind.)
Blocks: 1229664
Flags: needinfo?(bzbarsky)

Are you running the browser, or the JS shell? Comment 0 doesn't say clearly.

If it's the shell, then that bug is not a likely regressor, because the only files it changed are outside spidermonkey.  As in, the objects it touched don't exist in the shell at all.
Flags: needinfo?(bzbarsky)

Yeah, this looks more like a debugger thing.
Flags: needinfo?(shu)
Flags: needinfo?(shu)

Comment on attachment 8732412 [details] [diff] [review]
Fix OOM case when rematerializing frames.

Review of attachment 8732412 [details] [diff] [review]:

Looks good.
Attachment #8732412 - Flags: review?(jdemooij) → review+
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

OOM in the Debugger. Very hard to hit, in practice. WONTFIX 47.