Closed Bug 1298656 Opened 8 years ago Closed 8 years ago

Assertion failure: stepperCount == trappingScript->stepModeCount(), at js/src/vm/Debugger.cpp:1995

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
critical

Tracking


RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Assigned: shu)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(3 files, 2 obsolete files)

The following testcase crashes on mozilla-central revision a551f534773c (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --thread-count=2 --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1133196.js
var g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    var dbg = new Debugger(parent);
    dbg.onExceptionUnwind = function(frame) {
        frame.older.onStep = function() {}
    };
} + ")()");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug1234414.js
oomTest(function() {
    function f(b) {
        if (b) {
            f(b - 1);
        } else eval('\
        var z = w; \
        z = 1 + w; \
        c = 5\
        ');
    }
    f(99);
});
Backtrace:

0   js-dbg-64-dm-clang-darwin-a551f534773c	0x00000001100eb149 js::Debugger::onSingleStep(JSContext*, JS::MutableHandle<JS::Value>) + 3289 (Debugger.cpp:1995)
1   js-dbg-64-dm-clang-darwin-a551f534773c	0x000000010fe7be81 js::jit::HandleDebugTrap(JSContext*, js::jit::BaselineFrame*, unsigned char*, bool*) + 353 (VMFunctions.cpp:931)
2   ???                           	0x0000000111ce5861 0 + 4593703009
3   ???                           	000000000000000000 0 + 0
4   ???                           	0x00000001120ddc91 0 + 4597865617
5   js-dbg-64-dm-clang-darwin-a551f534773c	0x000000010fc2bfeb js::jit::IonCannon(JSContext*, js::RunState&) + 715 (Ion.cpp:2837)
6   js-dbg-64-dm-clang-darwin-a551f534773c	0x00000001101b140f js::RunScript(JSContext*, js::RunState&) + 383 (Interpreter.cpp:380)
/snip

For detailed crash information, see attachment.
This seems to get intermittent as bisection goes back in time, due to it not reproducing with --ion-offthread-compile=off or --no-threads, so I am unable to get a result.

Setting needinfo? from our Debugger gurus.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jimb)
> so unable to get a result.

Actually I may have gotten one:

Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)

changeset:   https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user:        Shu-yu Guo
date:        Thu Aug 25 01:28:47 2016 -0700
summary:     Bug 1263355 - Report memory metrics for Scopes. (r=njn)

Though I'm unsure if it's the right one. Setting needinfo? from Shu-yu as well.
Blocks: 1263355
Flags: needinfo?(shu)
I get

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at /home/shu/moz/central/js/src/builtin/TestingFunctions.cpp:1409

instead of the stepperCount assertion.
Flags: needinfo?(shu)
Oh, it's because I forgot to do --fuzzing-safe.
Shu says he's going to look at this, and needinfo me if he wants to hand it off.
Flags: needinfo?(jimb)
I don't know how to commit a test for this. The fuzz test is extremely
slow if it doesn't crash, and these OOM tests are so brittle that
literally any allocation changes in the engine cause them to no longer
test what they were testing.
Attachment #8786142 - Flags: review?(jimb)
Assignee: nobody → shu
Comment on attachment 8786142 [details] [diff] [review]
Fix OOM handling in Debugger::replaceFrameGuts.

Patch is still wrong.
Attachment #8786142 - Flags: review?(jimb)
Turned out patch was right, but subtle. Add clarifying comment.
Attachment #8786156 - Flags: review?(jimb)
Attachment #8786142 - Attachment is obsolete: true
More clarifying comments on all the OOM points in replaceFrameGuts.
Attachment #8786160 - Flags: review?(jimb)
Attachment #8786156 - Attachment is obsolete: true
Attachment #8786156 - Flags: review?(jimb)
Attachment #8786160 - Flags: review?(jimb) → review+
I might file a follow-up to work on those comments a bit, but the fixes make sense to me.
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8b8fdf720a19
Fix OOM handling in Debugger::replaceFrameGuts. (r=jimb)
https://hg.mozilla.org/mozilla-central/rev/8b8fdf720a19
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Flags: needinfo?(nfitzgerald)