Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:296 with Debugger and OOM

RESOLVED FIXED in Firefox 56

Status


Core
JavaScript Engine
critical
RESOLVED FIXED
11 months ago
10 months ago

People

(Reporter: decoder, Assigned: jonco)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Trunk
mozilla56
x86_64
Linux
assertion, jsbugmon, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox54 wontfix, firefox55 wontfix, firefox56 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
The following testcase crashes on mozilla-central revision 5801aa478de1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
var global = newGlobal();
global.eval('function f() { debugger; }');
var debug = new Debugger(global);
function evalAndNoteScripts(prog) {
    debug.onDebuggerStatement = function(frame) {
            oomAfterAllocations(50);
            scripts.argument = frame.arguments[0].script;
    };
    global.eval(prog);
}
var scripts = evalAndNoteScripts('f(f)');
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    oomTest(new Function(lfVarx));
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x000000000054040e in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xb059d0 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:296
#0  0x000000000054040e in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xb059d0 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:296
#1  0x00000000005351d3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#2  0x00000000005355e8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515
#3  0x000000000053571d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534
#4  0x00000000005358bc in js::CallGetter (cx=cx@entry=0x7ffff6924000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:649
#5  0x0000000000b8c449 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.cpp:2019
#6  GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff6924000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2067
#7  0x0000000000b8d17f in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff6924000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2298
#8  0x0000000000b8d960 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2332
#9  0x00000000005388d4 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1543
#10 0x00000000005237e9 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:853
#11 js::GetProperty (cx=cx@entry=0x7ffff6924000, v=..., v@entry=..., name=..., name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4402
#12 0x0000000000809af1 in js::jit::ComputeGetPropResult (res=..., val=..., name=..., op=JSOP_GETPROP, frame=0x7fffffff9278, cx=0x7ffff6924000) at js/src/jit/SharedIC.cpp:2018
#13 js::jit::DoGetPropFallback (cx=0x7ffff6924000, frame=0x7fffffff9278, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2075
[...]
#42 0x00000000005e8302 in EnterBaseline (cx=0xffff9390, data=...) at js/src/jit/BaselineJIT.cpp:162
Backtrace stopped: frame did not save the PC
rax	0x0	0
rbx	0x7fffffff8c00	140737488325632
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffff8a90	140737488325264
rsp	0x7fffffff8a40	140737488325184
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x0	0
r11	0x0	0
r12	0x7ffff6924000	140737330167808
r13	0x7fffffff8a50	140737488325200
r14	0xb059d0	11557328
r15	0x7fffffff8c00	140737488325632
rip	0x54040e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+414>
=> 0x54040e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+414>:	movl   $0x0,0x0
   0x540419 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+425>:	ud2

Updated

10 months ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

10 months ago
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3".
The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a
Jon, is bug 1239369 a likely regressor?
Blocks: 1239369
Flags: needinfo?(jcoppeard)
(Assignee)

Comment 3

10 months ago
Created attachment 8881948 [details] [diff] [review]
bug1370905-debugger-args

Patch to check for failure in DebuggerFrame::getArguments.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8881948 - Flags: review?(jimb)
(Assignee)

Updated

10 months ago
No longer blocks: 1239369

Updated

10 months ago
Attachment #8881948 - Flags: review?(jimb) → review+

Comment 4

10 months ago
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6685b967780d
Check for failure creating DebuggerArguments r=jimb
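To make the fix described in comment 3 and comment 4 concrete, here is an added example that is not SpiderMonkey code: a toy model of the JSAPI convention that a native function returns false exactly when it has reported an error (left an exception pending on the context). The `Context` struct, the fallible helper `getArgumentsModel` (a hypothetical stand-in for DebuggerFrame::getArguments), the two getter variants and `callNative` are all assumptions constructed for this example; `callNative` checks the same invariant that the `!cx->isExceptionPending()` assertion in CallJSNative enforces in debug builds.

```cpp
// Added example, not SpiderMonkey code. Models the JSAPI error convention:
// a native returns false if and only if it has set a pending exception.
// A native that ignores an allocation failure and returns true leaves an
// exception pending, which is the condition the assertion in this bug reports.
#include <cstddef>
#include <cstdio>

// Minimal stand-in for JSContext: tracks only the pending-exception flag
// and a simulated allocation budget (like oomAfterAllocations in the testcase).
struct Context {
    bool exceptionPending = false;
    int allocationsLeft = 0;

    // Fails, and reports out-of-memory, once the budget is exhausted.
    bool allocate() {
        if (allocationsLeft <= 0) {
            reportOutOfMemory();
            return false;
        }
        --allocationsLeft;
        return true;
    }
    void reportOutOfMemory() { exceptionPending = true; }
    bool isExceptionPending() const { return exceptionPending; }
};

using Native = bool (*)(Context* cx);

// Hypothetical stand-in for DebuggerFrame::getArguments: one allocation per
// argument. Returns false with an exception pending if any allocation fails.
static bool getArgumentsModel(Context* cx, size_t argc) {
    for (size_t i = 0; i < argc; i++) {
        if (!cx->allocate())
            return false;  // allocate() has already reported the error
    }
    return true;
}

// Buggy shape: the helper's result is ignored, so the native reports success
// while an OOM exception is still pending on the context.
static bool argumentsGetterUnchecked(Context* cx) {
    getArgumentsModel(cx, 2);
    return true;
}

// Fixed shape: the failure is propagated, so the return value and the
// pending-exception state stay consistent.
static bool argumentsGetterChecked(Context* cx) {
    if (!getArgumentsModel(cx, 2))
        return false;
    return true;
}

enum class CallResult { Ok, Failed, InvariantViolated };

// Model of the debug-build check in CallJSNative: if no exception was pending
// before the call and the native returns true, none may be pending afterwards.
static CallResult callNative(Context* cx, Native native) {
    bool alreadyThrowing = cx->isExceptionPending();
    bool ok = native(cx);
    if (ok && !alreadyThrowing && cx->isExceptionPending())
        return CallResult::InvariantViolated;
    return ok ? CallResult::Ok : CallResult::Failed;
}

// Runs one native against a fresh context with the given allocation budget.
static CallResult runScenario(Native native, int allocationBudget) {
    Context cx;
    cx.allocationsLeft = allocationBudget;
    return callNative(&cx, native);
}

// Reports whether the context is left with an exception pending afterwards.
static bool scenarioLeavesExceptionPending(Native native, int allocationBudget) {
    Context cx;
    cx.allocationsLeft = allocationBudget;
    callNative(&cx, native);
    return cx.isExceptionPending();
}

int main() {
    // Budget of 1 with two arguments: the second allocation fails.
    std::printf("unchecked, OOM: %d\n",
                static_cast<int>(runScenario(argumentsGetterUnchecked, 1)));
    std::printf("checked, OOM:   %d\n",
                static_cast<int>(runScenario(argumentsGetterChecked, 1)));
    std::printf("checked, no OOM: %d\n",
                static_cast<int>(runScenario(argumentsGetterChecked, 10)));
    return 0;
}
```

`runScenario(argumentsGetterUnchecked, 1)` reproduces the shape of the report: the helper fails under simulated OOM, the getter still returns true, and the wrapper flags the violation. The checked variant returns false with the exception pending, which is what the caller expects. Without the debug assertion, a release build would carry the stale pending exception forward and surface it at some unrelated later call, which is why the invariant is checked at the native-call boundary rather than left to the caller.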

Comment 5

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/6685b967780d
Status: NEW → RESOLVED
Last Resolved: 10 months ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Comment 6

Is this worth backporting to Beta for 55 or should we let it ride the 56 train?
status-firefox54: --- → wontfix
status-firefox-esr52: --- → wontfix
Flags: needinfo?(jcoppeard)
Flags: in-testsuite+
(Assignee)

Comment 7

10 months ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)
I'd say let it ride the trains.
Flags: needinfo?(jcoppeard)
status-firefox55: affected → wontfix

Updated

10 months ago
Duplicate of this bug: 1344673