Closed Bug 1479429 Opened 7 years ago Closed 7 years ago

Crash [@ js::GetSuccessorBytecodes] or various assertions with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 0be4463d2915 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing, run with --fuzzing-safe --ion-offthread-compile=off min.js):

    var scripts = ["n = 1", ];
    var g = newGlobal();
    for (var n in scripts) {
        g.eval("function f" + n + "() { " + scripts[n] + " }");
        var dbg = Debugger(g);
        dbg.onDebuggerStatement = function(frame) {
            var script = frame.eval("f" + n).return.script;
            var worklist = [script.mainOffset];
            while (worklist.length) {
                var offset = worklist.pop();
                var succs = script.getSuccessorOffsets(offset);
                worklist.push(0x00400000);
            }
        }
    };
    g.eval("debugger");

Backtrace:

    ==23622==ERROR: AddressSanitizer: SEGV on unknown address 0x6040004072a8 (pc 0x0000016e634c bp 0x7ffc877379d0 sp 0x7ffc87737970 T0)
    ==23622==The signal is caused by a READ memory access.
    #0 0x16e634b in js::GetSuccessorBytecodes(unsigned char*, mozilla::Vector<unsigned char*, 4ul, js::SystemAllocPolicy>&) js/src/vm/BytecodeUtil.cpp:2996:21
    #1 0x1889286 in DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher::match(JS::Handle<JSScript*>) js/src/vm/Debugger.cpp:6146:18
    #2 0x1889882 in DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher::match(JS::Handle<js::LazyScript*>) js/src/vm/Debugger.cpp:6171:16
    #3 0x1889882 in DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher::ReturnType JS::detail::GCVariantImplementation<js::LazyScript*, js::WasmInstanceObject*>::match<DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher, mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*> >(DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher&, JS::MutableHandle<mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*> >) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/instrumentation/asan/type/opt/dist/include/js/GCVariant.h:102
    #4 0x1837031 in DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher::ReturnType JS::detail::GCVariantImplementation<JSScript*, js::LazyScript*, js::WasmInstanceObject*>::match<DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher, mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*> >(DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher&, JS::MutableHandle<mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*> >) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/instrumentation/asan/type/opt/dist/include/js/GCVariant.h:104:16
    #5 0x1837031 in DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher::ReturnType js::MutableWrappedPtrOperations<mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*>, JS::Rooted<mozilla::Variant<JSScript*, js::LazyScript*, js::WasmInstanceObject*> > >::match<DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher>(DebuggerScriptGetSuccessorOrPredecessorOffsetsMatcher&) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/instrumentation/asan/type/opt/dist/include/js/GCVariant.h:182
    #6 0x1837031 in DebuggerScript_getSuccessorOrPredecessorOffsets(JSContext*, unsigned int, JS::Value*, char const*, bool) js/src/vm/Debugger.cpp:6193
    #7 0x93c470 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:444:15
    #8 0x93c470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:532
    #9 0x918267 in js::CallFromStack(JSContext*, JS::CallArgs const&) js/src/vm/Interpreter.cpp:589:12
    #10 0x918267 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3239
    #11 0x90a061 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:12
    #12 0x93cbdf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:556:15
    #13 0x93e122 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:602:10
    #14 0x173e97e in js::Call(JSContext*, JS::Handle<JS::Value>, JSObject*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.h:112:12
    #15 0x173e97e in js::Debugger::fireDebuggerStatement(JSContext*, JS::MutableHandle<JS::Value>) js/src/vm/Debugger.cpp:1787
    #16 0x17323b3 in js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::$_5::operator()(js::Debugger*) const js/src/vm/Debugger.cpp:1042:25
    #17 0x17323b3 in js::ResumeMode js::Debugger::dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::$_4, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::$_5>(JSContext*, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::$_4, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::$_5) js/src/vm/Debugger.cpp:1924
    #18 0x17323b3 in js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr) js/src/vm/Debugger.cpp:1038
    #19 0x920e88 in js::Debugger::onDebuggerStatement(JSContext*, js::AbstractFramePtr) js/src/vm/Debugger-inl.h:58:12
    #20 0x920e88 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:4111
    #21 0x90a061 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:12
    #22 0x940cf1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:772:15
    #23 0x9e18bb in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:318:12
    #24 0x9e0f7c in js::IndirectEval(JSContext*, unsigned int, JS::Value*) js/src/builtin/Eval.cpp:410:12
    #25 0x93c470 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:444:15
    [...]
    #44 0x45fa38 in _start (/home/ubuntu/build/dist/bin/js+0x45fa38)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV js/src/vm/BytecodeUtil.cpp:2996:21 in js::GetSuccessorBytecodes(unsigned char*, mozilla::Vector<unsigned char*, 4ul, js::SystemAllocPolicy>&)
    ==23622==ABORTING

For some reason this only crashes if I run it in an ASan build.
How important is this?
Flags: needinfo?(sdetar)
In bug 1479391 nbp made the following comment, which I believe applies here also:

(Comment from nbp) Usually "debugger" test cases have a lower priority for us. However, knowing that Jason worked in a similar area recently, this might be related. Note: Crash-stat results are unlikely to be only the result of similar test cases.
Flags: needinfo?(sdetar) → needinfo?(jorendorff)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Smaller:

    var g = newGlobal();
    var dbg = Debugger(g);
    dbg.onDebuggerStatement = function(frame) {
        frame.script.getSuccessorOffsets(0x400000);
    }
    g.eval("debugger");
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Flags: needinfo?(jorendorff)
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Attachment #8998993 - Flags: review?(bhackett1024) → review+
Priority: -- → P1
Summary: Crash [@ js::GetSuccessorBytecodes] with Debugger → Crash [@ js::GetSuccessorBytecodes] or various assertions with Debugger
https://hg.mozilla.org/integration/mozilla-inbound/rev/d7298a19ae439cd34380166828584051c40a3cb3
Bug 1479429 - Add a range check for the argument to Debugger.Script.prototype.get{Predecessor,Successor}Offsets. r=bhackett
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
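The fix landed above is described only by its commit message: a range check on the offset argument. The example below is added here to show what such a check looks like in working code; it is not SpiderMonkey's code and uses a hypothetical toy bytecode (OP_NOP, OP_GOTO, OP_IFEQ, OP_RETURN, with constructed sample bytes) rather than any real opcode table. The point it demonstrates is that a caller-controlled offset such as 0x400000 must be rejected before `code[offset]` is ever read: it has to be inside the script, and on an instruction boundary, or the successor walk reads past the buffer exactly as the ASan report in this bug shows.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical toy bytecode for this example (not SpiderMonkey's opcodes).
enum Op : uint8_t { OP_NOP = 0, OP_GOTO = 1, OP_IFEQ = 2, OP_RETURN = 3 };

struct Script {
    std::vector<uint8_t> code;                  // bytecode bytes
    size_t length() const { return code.size(); }
};

// Encoded length of each instruction; 0 marks an unknown opcode.
static size_t OpLength(uint8_t op) {
    switch (op) {
      case OP_NOP: case OP_RETURN: return 1;
      case OP_GOTO: case OP_IFEQ:  return 3;    // opcode + signed 16-bit relative target
      default: return 0;
    }
}

// Signed 16-bit little-endian jump operand that follows the opcode at `pc`.
static int16_t JumpOperand(const Script& s, size_t pc) {
    return static_cast<int16_t>(s.code[pc + 1] | (s.code[pc + 2] << 8));
}

// Absolute target of the jump instruction at `pc` (only called for jump opcodes).
static size_t JumpTarget(const Script& s, size_t pc) {
    return static_cast<size_t>(static_cast<ptrdiff_t>(pc) + JumpOperand(s, pc));
}

// The range check: the caller-supplied offset must lie inside the script AND
// be the start of an instruction. Checking only `offset < length()` is not
// enough, since an offset in the middle of an operand would be decoded as an
// opcode; walking instruction boundaries from 0 rejects both cases.
static bool IsValidBytecodeOffset(const Script& s, size_t offset) {
    if (offset >= s.length()) return false;
    for (size_t pc = 0; pc < s.length();) {
        if (pc == offset) return true;
        size_t len = OpLength(s.code[pc]);
        if (len == 0 || pc + len > s.length()) return false;   // malformed script
        pc += len;
    }
    return false;
}

// Hardened successor lookup: validates `offset` before touching the code buffer.
// Returns false and leaves `out` empty when the offset is rejected; the unchecked
// form of this function is what reads out of bounds for an offset like 0x400000.
static bool GetSuccessorOffsets(const Script& s, size_t offset, std::vector<size_t>& out) {
    out.clear();
    if (!IsValidBytecodeOffset(s, offset)) return false;
    uint8_t op = s.code[offset];
    size_t fallthrough = offset + OpLength(op);
    switch (op) {
      case OP_NOP:    out.push_back(fallthrough); break;
      case OP_GOTO:   out.push_back(JumpTarget(s, offset)); break;
      case OP_IFEQ:   out.push_back(fallthrough); out.push_back(JumpTarget(s, offset)); break;
      case OP_RETURN: break;                          // no successors
    }
    return true;
}

// Constructed sample script (assumption: hand-assembled for this example).
//   0: IFEQ +5    -> falls through to 3, jumps to 5
//   3: NOP
//   4: RETURN
//   5: GOTO -5    -> back to 0 (bytes FB FF are int16 -5)
//   8: RETURN
static Script SampleScript() {
    return Script{{OP_IFEQ, 5, 0, OP_NOP, OP_RETURN, OP_GOTO, 0xFB, 0xFF, OP_RETURN}};
}

int main() {
    Script s = SampleScript();
    std::vector<size_t> succ;
    const size_t probes[] = {0, 5, 4, 1, 9, 0x400000};   // valid, valid, valid, mid-operand, == length, far out of range
    for (size_t off : probes) {
        if (GetSuccessorOffsets(s, off, succ)) {
            std::printf("offset %zu: %zu successor(s)\n", off, succ.size());
        } else {
            std::printf("offset %zu: rejected by range check\n", off);
        }
    }
    return 0;
}
```

The boundary walk is linear in script size; an engine that already keeps a table of instruction starts (or a bitmap produced while emitting bytecode) can answer the same question in constant time, but the contract is the same either way: an offset is validated against the script it is applied to before it is used as an index.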