Closed Bug 1300517 Opened 3 years ago Closed 3 years ago

Crash [@ JSFunction::isDerivedClassConstructor] or Assertion failure: frame.script()->isDirectEvalInFunction(), at vm/Interpreter.cpp:5049

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla51
Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- unaffected
firefox51 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d0830980ffdb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe min.js):

g = newGlobal();
g.log *= "";   // fuzzer reduction: turns g.log (undefined) into NaN so the `+=` below builds a string
Debugger(g).onDebuggerStatement = frame => frame.eval("log += this.Math.toString();");  // reads `this` on the paused frame
let forceException = g.eval(`
    (class extends class {} {
        constructor() {
            debugger;   // fires before super(), so `this` is still uninitialized
        }
    })
`);
new forceException;

Backtrace:

 received signal SIGSEGV, Segmentation fault.
JSFunction::isDerivedClassConstructor (this=0x0) at js/src/jsfun.cpp:1343
#0  JSFunction::isDerivedClassConstructor (this=0x0) at js/src/jsfun.cpp:1343
#1  0x00000000008b0c17 in js::ThrowUninitializedThis (cx=0x7ffff694d000, frame=...) at js/src/vm/Interpreter.cpp:5059
#2  0x00000000008d476a in Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:2605
#3  0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#4  0x00000000008da68e in js::ExecuteKernel (cx=cx@entry=0x7ffff694d000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffb830) at js/src/vm/Interpreter.cpp:681
#5  0x0000000000880305 in EvaluateInEnv (pc=0x0, rval=..., lineno=1, filename=0xd844ed "debugger eval code", chars=..., frame=..., env=..., cx=<optimized out>) at js/src/vm/Debugger.cpp:7434
#6  DebuggerGenericEval (cx=cx@entry=0x7ffff694d000, chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffffc03c: 32767, value=..., dbg=0x7ffff697a000, envArg=..., iter=0x7fffffffbb88) at js/src/vm/Debugger.cpp:7520
#7  0x0000000000880e50 in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff694d000, frame=..., frame@entry=..., chars=..., bindings=bindings@entry=..., options=..., status=@0x7fffffffc03c: 32767, value=...) at js/src/vm/Debugger.cpp:7542
#8  0x000000000088103f in js::DebuggerFrame::evalMethod (cx=0x7ffff694d000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8119
#9  0x00000000008d4e00 in js::CallJSNative (args=..., native=<optimized out>, cx=0x7ffff694d000) at js/src/jscntxtinlines.h:235
#10 js::InternalCallOrConstruct (cx=0x7ffff694d000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:454
#11 0x00000000008d0601 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:505
#12 Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:2916
#13 0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#14 0x00000000008d4d42 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694d000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#15 0x00000000008d4f75 in InternalCall (cx=cx@entry=0x7ffff694d000, args=...) at js/src/vm/Interpreter.cpp:499
#16 0x00000000008d4fd8 in js::Call (cx=cx@entry=0x7ffff694d000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:518
#17 0x0000000000812040 in js::Call (cx=0x7ffff694d000, fval=fval@entry=..., thisObj=<optimized out>, arg0=arg0@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.h:114
#18 0x00000000008869d5 in js::Debugger::fireDebuggerStatement (this=this@entry=0x7ffff697a000, cx=cx@entry=0x7ffff694d000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1688
#19 0x0000000000887031 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff697a000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:970
#20 js::Debugger::dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=<optimized out>, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1827
#21 js::Debugger::slowPathOnDebuggerStatement (cx=<optimized out>, frame=...) at js/src/vm/Debugger.cpp:971
#22 0x00000000008d21df in js::Debugger::onDebuggerStatement (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:58
#23 Interpret (cx=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:3746
#24 0x00000000008d4b90 in js::RunScript (cx=cx@entry=0x7ffff694d000, state=...) at js/src/vm/Interpreter.cpp:400
#25 0x00000000008d4d42 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff694d000, args=..., construct=construct@entry=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#26 0x00000000008d9eed in InternalConstruct (cx=cx@entry=0x7ffff694d000, args=...) at js/src/vm/Interpreter.cpp:547
#27 0x00000000008da00b in js::Construct (cx=cx@entry=0x7ffff694d000, fval=..., fval@entry=..., args=..., newTarget=..., objp=..., objp@entry=...) at js/src/vm/Interpreter.cpp:596
#28 0x000000000083d705 in js::Wrapper::construct (this=this@entry=0x1a5e8a0 <js::CrossCompartmentWrapper::singleton>, cx=cx@entry=0x7ffff694d000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:184
#29 0x000000000080d148 in js::CrossCompartmentWrapper::construct (this=0x1a5e8a0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff694d000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:353
#30 0x000000000080bf2d in js::Proxy::construct (args=..., proxy=..., cx=0x7ffff694d000) at js/src/proxy/Proxy.cpp:420
#31 js::proxy_Construct (cx=0x7ffff694d000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:699
#32 0x00000000008d9de0 in js::CallJSNative (args=..., native=0x80be40 <js::proxy_Construct(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff694d000) at js/src/jscntxtinlines.h:235
[...]
#45 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7657
rax	0x0	0
rbx	0x7ffff694d000	140737330335744
rcx	0x7ffff069b230	140737226846768
rdx	0x7ffff694d000	140737330335744
rsi	0x7ffff03b21a0	140737223795104
rdi	0x0	0
rbp	0x7fffffffb480	140737488336000
rsp	0x7fffffffb048	140737488334920
r8	0x3b	59
r9	0x7	7
r10	0x7ffff04b9800	140737224873984
r11	0x1b	27
r12	0x1a3b2a0	27505312
r13	0x7fffffffb440	140737488335936
r14	0x7ffff694d000	140737330335744
r15	0x7ffff69281d0	140737330184656
rip	0x779780 <JSFunction::isDerivedClassConstructor()>
=> 0x779780 <JSFunction::isDerivedClassConstructor()>:	movzwl 0x22(%rdi),%eax
   0x779784 <JSFunction::isDerivedClassConstructor()+4>:	test   $0x2,%ah
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150917233551" and the hash "7641104770a80015e63597b58cb312fefcbd9ab4".
The "bad" changeset has the timestamp "20160905032019" and the hash "6e9706730af84fb7121e1dc0cbf00bb0906e5efa".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7641104770a80015e63597b58cb312fefcbd9ab4&tochange=6e9706730af84fb7121e1dc0cbf00bb0906e5efa
Here's a better bisection window:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160825005824" and the hash "181336fdda6625d8ffa5e5764b817cc3da1f9659".
The "bad" changeset has the timestamp "20160825011927" and the hash "bd702fa23037799ab4dd266d8a2b59d021f6cfa8".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=181336fdda6625d8ffa5e5764b817cc3da1f9659&tochange=bd702fa23037799ab4dd266d8a2b59d021f6cfa8

Shu-yu, is bug 1263355 a likely regressor?
Blocks: 1263355
Flags: needinfo?(shu)
We don't have to worry about baseline frames because even baseline doesn't
compile Debugger evals.
Attachment #8788831 - Flags: review?(jdemooij)
Comment on attachment 8788831 [details] [diff] [review]
Handle Debugger.Frame.evals when throwing uninitialized 'this'.

Review of attachment 8788831 [details] [diff] [review]:
-----------------------------------------------------------------

Do we use a different scope chain now for Debugger eval-in-frame than before the rewrite? Not sure why this is a problem now.
Attachment #8788831 - Flags: review?(jdemooij) → review+
(In reply to Jan de Mooij [:jandem] from comment #4)
> Comment on attachment 8788831 [details] [diff] [review]
> Handle Debugger.Frame.evals when throwing uninitialized 'this'.
> 
> Review of attachment 8788831 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Do we use a different scope chain now for Debugger eval-in-frame than before
> the rewrite? Not sure why this is a problem now.

We used to keep a flag on scripts for its being a direct eval in a function or a Debugger eval-in-frame. I replaced this flag with looking at the scope chain only, but that missed the Debugger case. Debugger evals have as their outermost scope something of ScopeKind::NonSyntactic and not ScopeKind::Function.
Flags: needinfo?(shu)
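To make the explanation above concrete, here is an added toy model in C++ of the two ways of answering "is this eval running inside a function?". It is not SpiderMonkey's code and not the patch in attachment 8788831; the struct and function names, and the ScopeKind values other than Function and NonSyntactic, are assumptions for the model. It contrasts a check on the static scope chain (which ends in a NonSyntactic scope for a Debugger.Frame.eval) with a walk of the dynamic environment chain, and shows why the former leaves the callee null for the testcase on this page.

```cpp
// Added toy model of the scope-chain check described in the comment above.
// It is NOT SpiderMonkey code: every struct and function name here, and the
// ScopeKind values other than Function and NonSyntactic, are hypothetical.
#include <cstdio>

// Static (compile-time) scope kinds.
enum class ScopeKind { Function, Eval, NonSyntactic, Global };

struct Scope {
    ScopeKind kind;
    const Scope* enclosing;  // nullptr at the outermost scope
};

struct Function {
    bool isDerivedClassConstructor;
};

// Dynamic (run-time) environment objects. Only a function's call
// environment carries a callee; other environments leave it null.
struct Env {
    const Function* callee;
    const Env* enclosing;
};

struct Frame {
    const Function* callee;  // null for eval frames: they have no function of their own
    const Scope* scope;      // innermost static scope of the running script
    const Env* envChain;     // dynamic environment chain at the current pc
};

// The replacement for the old per-script flag: look only at the static scope
// chain and report whether it reaches a Function scope. True for a direct
// eval inside a function; false for Debugger.Frame.eval, whose chain ends in
// a NonSyntactic scope instead.
static bool isDirectEvalInFunction(const Frame& f) {
    for (const Scope* s = f.scope; s; s = s->enclosing)
        if (s->kind == ScopeKind::Function) return true;
    return false;
}

static ScopeKind outermostScopeKind(const Scope* s) {
    while (s->enclosing) s = s->enclosing;
    return s->kind;
}

// Walk the dynamic environment chain to the nearest call environment.
static const Function* calleeFromEnvChain(const Env* env) {
    for (; env; env = env->enclosing)
        if (env->callee) return env->callee;
    return nullptr;
}

// Shape of the lookup before the fix: only an eval that the static check
// recognises gets the environment walk, so the Debugger eval yields null,
// which was then dereferenced (the this=0x0 in the backtrace above).
static const Function* calleeForUninitializedThisBefore(const Frame& f) {
    if (f.callee) return f.callee;
    if (!isDirectEvalInFunction(f)) return nullptr;
    return calleeFromEnvChain(f.envChain);
}

// Fixed shape: treat a Debugger eval (NonSyntactic outermost scope) as another
// way of running eval code inside a function frame, and let the caller handle
// a null result instead of dereferencing it.
static const Function* calleeForUninitializedThisAfter(const Frame& f) {
    if (f.callee) return f.callee;
    bool evalInFunction = isDirectEvalInFunction(f) ||
                          outermostScopeKind(f.scope) == ScopeKind::NonSyntactic;
    return evalInFunction ? calleeFromEnvChain(f.envChain) : nullptr;
}

// Null-safe form of the query that crashed.
static bool isDerivedClassConstructor(const Function* fun) {
    return fun && fun->isDerivedClassConstructor;
}

// Constructed scenario following the testcase on this page: a derived class
// constructor hits `debugger;` before super() has initialised `this`, and the
// hook calls frame.eval() on that frame.
static const Function kDerivedCtor{true};

static const Scope kGlobalScope{ScopeKind::Global, nullptr};
static const Scope kCtorScope{ScopeKind::Function, &kGlobalScope};
static const Scope kDirectEvalScope{ScopeKind::Eval, &kCtorScope};            // eval("...") in the ctor body
static const Scope kNonSyntacticScope{ScopeKind::NonSyntactic, nullptr};
static const Scope kDebuggerEvalScope{ScopeKind::Eval, &kNonSyntacticScope};  // frame.eval("...")

static const Env kGlobalEnv{nullptr, nullptr};
static const Env kCtorCallEnv{&kDerivedCtor, &kGlobalEnv};
static const Env kDebuggerEnv{nullptr, &kCtorCallEnv};  // bindings environment of the Debugger eval

static Frame directEvalFrame()   { return Frame{nullptr, &kDirectEvalScope, &kCtorCallEnv}; }
static Frame debuggerEvalFrame() { return Frame{nullptr, &kDebuggerEvalScope, &kDebuggerEnv}; }

int main() {
    Frame dbg = debuggerEvalFrame();
    std::printf("static check says direct eval in function: %s\n",
                isDirectEvalInFunction(dbg) ? "yes" : "no");
    std::printf("callee before fix: %p, after fix: %p\n",
                (const void*)calleeForUninitializedThisBefore(dbg),
                (const void*)calleeForUninitializedThisAfter(dbg));
    return 0;
}
```

The point the model isolates is that the static scope chain and the dynamic environment chain answer different questions: the Debugger eval's scopes never mention the constructor, but its environment chain still runs through the constructor's call environment, which is where the callee can be recovered.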
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/75582480f782
Handle Debugger.Frame.evals when throwing uninitialized 'this'. (r=jandem)
https://hg.mozilla.org/mozilla-central/rev/75582480f782
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51