Closed
Bug 1385843
Opened 8 years ago
Closed 8 years ago
Crash [@ JSFunction::isDerivedClassConstructor] or Assertion failure: fun, at vm/Interpreter.cpp:5203 with Debugger
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
RESOLVED
FIXED
mozilla58
People
(Reporter: decoder, Assigned: jandem)
References
Details
(5 keywords, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(1 file)
1.77 KB, patch
tcampbell: review+
The following testcase crashes on mozilla-central revision 26516ba27081 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe):
var g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    var dbg = new Debugger(parent);
    dbg.onExceptionUnwind = function(frame) {
        frame.eval("this");
    };
} + ")()");
new class extends class {} {
    constructor() {}
}();
Backtrace:
received signal SIGSEGV, Segmentation fault.
JSFunction::isDerivedClassConstructor (this=this@entry=0x0) at js/src/jsfun.cpp:1334
#0 JSFunction::isDerivedClassConstructor (this=this@entry=0x0) at js/src/jsfun.cpp:1334
#1 0x00000000004fb05c in js::ThrowUninitializedThis (cx=0x7ffff6924000, frame=...) at js/src/vm/Interpreter.cpp:5206
#2 0x000000000050a8ce in Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:2755
#3 0x000000000050aca6 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:409
#4 0x000000000050cec8 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffff93f0) at js/src/vm/Interpreter.cpp:698
#5 0x000000000094dbec in EvaluateInEnv (pc=0x0, rval=..., lineno=1, filename=0xe304ad "debugger eval code", chars=..., frame=..., env=..., cx=0x7ffff6924000) at js/src/vm/Debugger.cpp:8218
#6 DebuggerGenericEval (cx=cx@entry=0x7ffff6924000, chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffff9bdc: JSTRAP_ERROR, value=..., dbg=0x7ffff6938000, envArg=..., iter=0x7fffffff9730) at js/src/vm/Debugger.cpp:8305
#7 0x000000000094e7aa in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff6924000, frame=..., frame@entry=..., chars=..., bindings=bindings@entry=..., options=..., status=@0x7fffffff9bdc: JSTRAP_ERROR, value=...) at js/src/vm/Debugger.cpp:8329
#8 0x000000000094ea23 in js::DebuggerFrame::evalMethod (cx=0x7ffff6924000, argc=1, vp=0x7ffff43f6288) at js/src/vm/Debugger.cpp:8986
#9 0x000000000050afce in js::CallJSNative (args=..., native=0x94e7c0 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6924000) at js/src/jscntxtinlines.h:293
#10 js::InternalCallOrConstruct (cx=0x7ffff6924000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:469
#11 0x00000000004fd9f8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:520
#12 Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:3064
#13 0x000000000050aca6 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:409
#14 0x000000000050b239 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:487
#15 0x000000000050bc42 in InternalCall (args=..., cx=0x7ffff6924000) at js/src/vm/Interpreter.cpp:514
#16 js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#17 0x0000000000956d25 in js::Call (rval=..., arg1=..., arg0=..., thisObj=<optimized out>, fval=..., cx=0x7ffff6924000) at js/src/vm/Interpreter.h:133
#18 js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff6938000, cx=cx@entry=0x7ffff6924000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1812
#19 0x00000000009570ab in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff6938000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1085
#20 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff6924000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1925
#21 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff6924000, frame=...) at js/src/vm/Debugger.cpp:1086
#22 0x00000000004fdfa7 in js::Debugger::onExceptionUnwind (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#23 HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1349
#24 Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:4293
#25 0x000000000050aca6 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:409
#26 0x000000000050cec8 in js::ExecuteKernel (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffb540) at js/src/vm/Interpreter.cpp:698
#27 0x000000000094dbec in EvaluateInEnv (pc=0x0, rval=..., lineno=1, filename=0xe304ad "debugger eval code", chars=..., frame=..., env=..., cx=0x7ffff6924000) at js/src/vm/Debugger.cpp:8218
#28 DebuggerGenericEval (cx=cx@entry=0x7ffff6924000, chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffffbd2c: JSTRAP_ERROR, value=..., dbg=0x7ffff6938000, envArg=..., iter=0x7fffffffb880) at js/src/vm/Debugger.cpp:8305
#29 0x000000000094e7aa in js::DebuggerFrame::eval (cx=cx@entry=0x7ffff6924000, frame=..., frame@entry=..., chars=..., bindings=bindings@entry=..., options=..., status=@0x7fffffffbd2c: JSTRAP_ERROR, value=...) at js/src/vm/Debugger.cpp:8329
#30 0x000000000094ea23 in js::DebuggerFrame::evalMethod (cx=0x7ffff6924000, argc=1, vp=0x7ffff43f6190) at js/src/vm/Debugger.cpp:8986
#31 0x000000000050afce in js::CallJSNative (args=..., native=0x94e7c0 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6924000) at js/src/jscntxtinlines.h:293
#32 js::InternalCallOrConstruct (cx=0x7ffff6924000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:469
#33 0x00000000004fd9f8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:520
#34 Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:3064
#35 0x000000000050aca6 in js::RunScript (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:409
#36 0x000000000050b239 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:487
#37 0x000000000050bc42 in InternalCall (args=..., cx=0x7ffff6924000) at js/src/vm/Interpreter.cpp:514
#38 js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:533
#39 0x0000000000956d25 in js::Call (rval=..., arg1=..., arg0=..., thisObj=<optimized out>, fval=..., cx=0x7ffff6924000) at js/src/vm/Interpreter.h:133
#40 js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff6938000, cx=cx@entry=0x7ffff6924000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1812
#41 0x00000000009570ab in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff6938000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1085
#42 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff6924000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1925
#43 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff6924000, frame=...) at js/src/vm/Debugger.cpp:1086
#44 0x00000000004fdfa7 in js::Debugger::onExceptionUnwind (frame=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#45 HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1349
#46 Interpret (cx=0x7ffff6924000, state=...) at js/src/vm/Interpreter.cpp:4293
[...]
#56 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8559
rax 0x0 0
rbx 0x7ffff6924000 140737330167808
rcx 0x0 0
rdx 0x7ffff6924000 140737330167808
rsi 0x7ffff430aca0 140737290218656
rdi 0x0 0
rbp 0x7fffffff92c0 140737488327360
rsp 0x7fffffff8b68 140737488325480
r8 0x3b 59
r9 0x7ffff420d000 140737289179136
r10 0x1d 29
r11 0x0 0
r12 0x7ffff6924020 140737330167840
r13 0x7fffffff8fc0 140737488326592
r14 0x1ad4720 28133152
r15 0x7ffff6924000 140737330167808
rip 0x820fb0 <JSFunction::isDerivedClassConstructor()>
=> 0x820fb0 <JSFunction::isDerivedClassConstructor()>: movzwl 0x22(%rdi),%eax
0x820fb4 <JSFunction::isDerivedClassConstructor()+4>: test $0x2,%ah
Updated•8 years ago
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo)
changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e
user: Shu-yu Guo
date: Thu Aug 25 01:28:47 2016 -0700
summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn)
This iteration took 0.818 seconds to run.
Not sure who to needinfo? here, falling back to :jorendorff and :jandem.
Assignee
Comment 3•8 years ago
After shu left, not sure who's a good reviewer for this.
The bug is in ThrowUninitializedThis. For debugger eval frames we look at the evalInFramePrev frame's scope (this is the frame in which the debugger is evaluating an expression).
This works fine, except when we have a nested eval-in-frame. The fix is just to loop over evalInFramePrev until we get to a non-debugger-eval frame.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jorendorff)
Flags: needinfo?(jdemooij)
Attachment #8904564 -
Flags: review?(tcampbell)
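To make the frame walk from comment 3 concrete, here is an added C++ model (written for this page; it is not the attached patch, whose contents are not shown here, and not SpiderMonkey's real InterpreterFrame or ThrowUninitializedThis). The Frame struct, the function names targetFrameSingleHop/targetFrameLoop/classifyUninitializedThis and the three-frame chain are all assumptions constructed to mirror the testcase: the derived constructor frame, the first debugger eval frame, and the nested debugger eval frame created when onExceptionUnwind fires again. The single-hop lookup lands on a frame with no callee (the null pointer passed to isDerivedClassConstructor in the backtrace); the loop reaches the constructor frame.

```cpp
#include <cstdio>

// Minimal stand-in for an interpreter frame. Hypothetical model for this example,
// not SpiderMonkey's InterpreterFrame or AbstractFramePtr.
struct Frame {
    const char* callee;            // function name, or nullptr for a frame with no callee
    bool isDerivedCtor;            // callee is a derived-class constructor
    const Frame* evalInFramePrev;  // frame being evaluated in; non-null only for debugger eval frames

    bool isDebuggerEvalFrame() const { return evalInFramePrev != nullptr; }
};

// Single-hop lookup, modelling the behaviour comment 3 describes: a debugger eval
// frame defers to its evalInFramePrev, but only once. With nested eval-in-frame the
// previous frame is itself a debugger eval frame and has no callee.
const Frame* targetFrameSingleHop(const Frame* frame) {
    if (frame->isDebuggerEvalFrame())
        return frame->evalInFramePrev;
    return frame;
}

// The fix as comment 3 describes it: follow evalInFramePrev until the frame is no
// longer a debugger eval frame.
const Frame* targetFrameLoop(const Frame* frame) {
    while (frame->isDebuggerEvalFrame())
        frame = frame->evalInFramePrev;
    return frame;
}

// Models the decision in ThrowUninitializedThis: inspect the target frame's callee to
// choose the error to report. Instead of dereferencing a null callee (the SIGSEGV in
// the backtrace) the model returns -1 so the failure is observable in a test.
//   -1: target frame has no callee (the crash case)
//    1: target frame's callee is a derived-class constructor
//    0: any other callee
int classifyUninitializedThis(const Frame* target) {
    if (target->callee == nullptr)
        return -1;
    return target->isDerivedCtor ? 1 : 0;
}

// Constructed frame chain mirroring the testcase at the point of the crash:
//   derived constructor frame (`this` never initialised, no super() call)
//     <- debugger eval frame 1: frame.eval("this") from the first onExceptionUnwind
//       <- debugger eval frame 2: frame.eval("this") from the nested onExceptionUnwind
static const Frame kCtorFrame{"constructor", true, nullptr};
static const Frame kEvalFrame1{nullptr, false, &kCtorFrame};
static const Frame kEvalFrame2{nullptr, false, &kEvalFrame1};

// Outcome of the check for the nested eval frame under each lookup strategy.
int outcomeSingleHop() { return classifyUninitializedThis(targetFrameSingleHop(&kEvalFrame2)); }
int outcomeLoop()      { return classifyUninitializedThis(targetFrameLoop(&kEvalFrame2)); }

int main() {
    std::printf("single hop: %d (-1 = null callee, the crash)\n", outcomeSingleHop());
    std::printf("loop:       %d (1 = derived-class constructor)\n", outcomeLoop());
    return 0;
}
```

The loop terminates because only debugger eval frames carry an evalInFramePrev, and the frame a debugger evaluates in is ultimately a real script frame; a regression test for the fix is exactly the nested case above, which the single-hop version mishandles and the loop does not.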
Comment 4•8 years ago
Comment on attachment 8904564 [details] [diff] [review]
Patch
Review of attachment 8904564 [details] [diff] [review]:
-----------------------------------------------------------------
Seems reasonable. We should double-check that https://searchfox.org/mozilla-central/rev/4d8e389498a08668cce9ebf6232cc96be178c3e4/js/src/vm/Stack.cpp#802 doesn't have the same problem though.
Attachment #8904564 -
Flags: review?(tcampbell) → review+
Comment 5•8 years ago
I bet this fixes bug 1385844 as well.
Assignee
Comment 6•8 years ago
Oops, I'll get this landed.
Updated•8 years ago
Priority: -- → P2
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6a54320bbbc0
Handle nested eval-in-frame better in ThrowUninitializedThis. r=tcampbell
Assignee
Comment 8•8 years ago
(In reply to Ted Campbell [:tcampbell] from comment #4)
> Seems reasonable. We should double-check that
> https://searchfox.org/mozilla-central/rev/
> 4d8e389498a08668cce9ebf6232cc96be178c3e4/js/src/vm/Stack.cpp#802 doesn't
> have same problem though.
The code there is okay AFAICS.
Comment 9•8 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox58:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Updated•8 years ago
status-firefox57:
--- → wontfix
status-firefox-esr52:
--- → wontfix