Closed Bug 1527862 Opened 7 years ago Closed 7 years ago

Assertion failure: cx->jobQueue->empty(), at js/src/builtin/Promise.cpp:5182 with async and Debugger

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: gkw, Assigned: jimb)

References

Details

(4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
13.56 KB, text/plain
Details
Bug 1527862: Use proper initialization condition in AutoDebuggerJobQueueInterruption destructor. r?arai
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision f0ea53f47215 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/tests/test262/language/arguments-object/cls-expr-async-gen-func-args-trailing-comma-multiple.js
f = async function*() {};
f().next().then();
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1254190.js
var g = newGlobal({ newCompartment: true });
var dbg = new Debugger(g);
oomTest(() => {
    g.eval("(function() {})");
});

Backtrace:

#0 JS::AutoDebuggerJobQueueInterruption::~AutoDebuggerJobQueueInterruption (this=0x7fff89d2bb78) at js/src/builtin/Promise.cpp:5182
#1 0x000055f0ffc12499 in js::Debugger::dispatchHook<js::Debugger::slowPathOnNewScript(JSContext*, JS::Handle<JSScript*>)::$_11(js::Debugger::slowPathOnNewScript(JSContext*, JS::Handle<JSScript*>)::$_12)> (cx=0x7f38b7217000, hookIsEnabled=..., fireHook=...) at js/src/vm/Debugger.cpp:2087
#2 js::Debugger::slowPathOnNewScript (cx=0x7f38b7217000, script=...) at js/src/vm/Debugger.cpp:2090
#3 0x000055f10019e87c in js::frontend::BytecodeEmitter::emitScript (this=0x7fff89d2be18, body=0x7f38b72e8220) at js/src/frontend/BytecodeEmitter.cpp:2477
#4 0x000055f1001c9561 in js::frontend::ScriptCompiler<char16_t>::compileScript (this=0x7fff89d2cc70, info=..., environment=..., sc=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:555
/snip

For detailed crash information, see attachment.

Setting [fuzzblocker] as this is being hit a lot.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3ae9f2b94f97
user: Jim Blandy
date: Tue Feb 12 08:10:54 2019 +0000
summary: Bug 1145201: Use AutoDebuggerJobQueueInterruption in Debugger. r=jorendorff

Jim, is bug 1145201 a likely regressor?

Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]

Yes, that is almost certainly the regressor. I can reproduce this.

Assignee: nobody → jimb
Flags: needinfo?(jimb)

The assertion is complaining that the Debugger onNewScript hook didn't properly drain its microtask queue before returning. However, the call to AutoDebuggerJobQueueInterruption::runJobs is definitely made unconditionally after running the hook. Since this is an OOM test, I suspect that an OOM is preventing the job queue from draining completely.

The AutoDebuggerJobQueueInterruption destructor asserts that the Debugger has
properly managed its hooks' asynchronous jobs. But this assertion clearly only
applies when the AutoDebuggerJobQueueInterruption is properly initialized;
otherwise, the debuggee's job queue is still in place.

Unfortunately, the destructor was using the wrong test to determine whether the
debuggee's queue had been saved. This patch makes it uses the initialized
method, rather that checking the cx field, which is always initialized.

Status: NEW → ASSIGNED
Pushed by jblandy@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fb6c0d850fa3 Use proper initialization condition in AutoDebuggerJobQueueInterruption destructor. r=arai

Backed out changeset fb6c0d850fa3 (Bug 1527862) for bustage in job-queue-04.js CLOSED TREE

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=fb6c0d850fa3bac79d61a81fd35346a309e5e5c7&selectedJob=229547696

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=229547696&repo=autoland&lineNumber=50424

Backout: Backed out changeset fb6c0d850fa3 (Bug 1527862) for bustage in job-queue-04.js CLOSED TREE

Flags: needinfo?(jimb)
Backout by nerli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e2990d679a3b Backed out changeset fb6c0d850fa3 for bustage in job-queue-04.js CLOSED TREE

https://hg.mozilla.org/mozilla-central/rev/fb6c0d850fa3

Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Backout by nbeleuzu@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/989d16d0f995 Backed out changeset fb6c0d850fa3 for bustage in job-queue-04.js CLOSED TREE

Oh, this is a dumb one: tests that use oomTest need to make sure it's defined.

Flags: needinfo?(jimb)
Status: RESOLVED → REOPENED
status-firefox67: fixedaffected
Resolution: FIXED → ---
Target Milestone: mozilla67 → ---

I've queued a fixed version of the patch to land.

Pushed by jblandy@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6dea1af62279 Use proper initialization condition in AutoDebuggerJobQueueInterruption destructor. r=arai

https://hg.mozilla.org/mozilla-central/rev/6dea1af62279

Status: REOPENED → RESOLVED
Closed: 7 years ago7 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: