Assertion failure: frame->isDebuggee(), at js/src/jit/VMFunctions.cpp:1064

RESOLVED FIXED in Firefox 55

Core
JavaScript Engine
--
critical
RESOLVED FIXED
9 months ago
9 months ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla55
x86_64
Linux
assertion, jsbugmon, regression, testcase
Points:
---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

9 months ago
The following testcase crashes on mozilla-central revision ebad93e11770 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager):

g = newGlobal();
Debugger(g).onDebuggerStatement = function(frame) {
  frame.script.setBreakpoint(71, {});
}
g.eval(`
  function* g(x) {
    yield* x
  }
  function* range(n) {
    debugger;
    for (var i = 0; n;) yield i;
  }
`)
g.eval("var iter = g(range(2))");
g.eval("var first = iter.next().value");
g.eval("var second = iter.next().value");



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000830a30 in js::jit::HandleDebugTrap (cx=0x7ffff6924000, frame=0x7fffffffac90, retAddr=<optimized out>, mustReturn=0x7fffffffac34) at js/src/jit/VMFunctions.cpp:1064
#0  0x0000000000830a30 in js::jit::HandleDebugTrap (cx=0x7ffff6924000, frame=0x7fffffffac90, retAddr=<optimized out>, mustReturn=0x7fffffffac34) at js/src/jit/VMFunctions.cpp:1064
#1  0x00000384c7134d07 in ?? ()
[...]
#12 0x0000000000000000 in ?? ()

Updated

9 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

9 months ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151120232833" and the hash "c3aa84cd334c17606ff33284a058064eafd67d28".
The "bad" changeset has the timestamp "20151121053534" and the hash "52d7c9292ecfc23a52835c49189dabd561b18675".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c3aa84cd334c17606ff33284a058064eafd67d28&tochange=52d7c9292ecfc23a52835c49189dabd561b18675
Jan, is bug 1132183 a likely regressor?
Flags: needinfo?(jdemooij)

Updated

9 months ago
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
(Assignee)

Comment 3

9 months ago
Created attachment 8873419 [details] [diff] [review]
Patch

Funny testcase. It sets a breakpoint at the JSOP_DEBUGAFTERYIELD op, so we call HandleDebugTrap before we set the frame's debuggee flag.

The test is a bit fragile with the bytecode offset hardcoded, can you think of a better way to do this?
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8873419 - Flags: review?(shu)

Comment 4

9 months ago
Comment on attachment 8873419 [details] [diff] [review]
Patch

Review of attachment 8873419 [details] [diff] [review]:
-----------------------------------------------------------------

I'm not sure if it's even possible to set a breakpoint on DEBUGAFTERYIELD using the debugger frontend -- that bytecode shouldn't be an entrypoint to any line.

I wouldn't worry too much about testing this robustly. Thanks for the patch!
Attachment #8873419 - Flags: review?(shu) → review+

Comment 5

9 months ago
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ee3c032059e5
Mark BaselineFrame as debuggee frame in HandleDebugTrap if the breakpoint is on JSOP_DEBUGAFTERYIELD. r=shu

Comment 6

9 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ee3c032059e5
Status: ASSIGNED → RESOLVED
Last Resolved: 9 months ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
status-firefox-esr52: --- → unaffected