Closed Bug 1532748 Opened 1 year ago Closed 1 year ago

Assertion failure: !cx->isExceptionPending(), at js/src/vm/Interpreter.cpp:443 with Debugger

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: decoder, Assigned: loganfsmyth)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision fd67a4332060 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var global = newGlobal({newCompartment: true});
var dbg = Debugger(global);
dbg.onDebuggerStatement = onDebuggerStatement;
global.eval(`
  debugger;
  function f() {}
`);
function onDebuggerStatement(frame) {
  // The first child script of the eval'd script is f.
  var fScript = frame.script.getChildScripts()[0];
  // Combining `line` with `minLine` is an invalid query, so this takes the
  // error path in getPossibleBreakpoints; on the affected revision that path
  // reports the error but still returns true, which trips the
  // !cx->isExceptionPending() assertion in CallJSNative.
  fScript.getPossibleBreakpoints({ minLine: 6, line: 8 });
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  CallJSNative (cx=0x7ffff5f17000, native=0x555555a1d480 <DebuggerScript_getPossibleBreakpoints(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
#1  0x00005555558ec0c7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:532
#2  0x00005555558ec7ed in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#3  0x00005555558de8f9 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:591
#4  Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3055
#5  0x00005555558ebb06 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
#6  0x00005555558ec38f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#7  0x00005555558ec7ed in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#8  0x00005555558ec980 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:603
#9  0x0000555555a69d83 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisObj=<optimized out>, arg0=arg0@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.h:106
#10 0x0000555555a3e526 in js::Debugger::fireDebuggerStatement (this=this@entry=0x7ffff5f97000, cx=<optimized out>, cx@entry=0x7ffff5f17000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1959
#11 0x0000555555a3edfa in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff5f97000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1142
#12 js::Debugger::dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff5f17000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:2117
#13 js::Debugger::slowPathOnDebuggerStatement (cx=0x7ffff5f17000, frame=...) at js/src/vm/Debugger.cpp:1143
#14 0x00005555558e7847 in js::Debugger::onDebuggerStatement (frame=..., frame@entry=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:84
#15 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3907
#16 0x00005555558ebb06 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
#17 0x00005555558ef08d in js::ExecuteKernel (cx=<optimized out>, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=0x7fffffffc5e0) at js/src/vm/Interpreter.cpp:779
#18 0x000055555592c329 in EvalKernel (cx=<optimized out>, cx@entry=0x7ffff5f17000, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., env=..., pc=pc@entry=0x0, vp=...) at js/src/builtin/Eval.cpp:327
#19 0x000055555592cb45 in js::IndirectEval (cx=cx@entry=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:425
#20 0x00005555558fa6a9 in CallJSNative (cx=0x7ffff5f17000, native=0x55555592ca90 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:440
#21 0x00005555558ec0c7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:532
#22 0x00005555558ec7ed in InternalCall (cx=cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#23 0x00005555558ec980 in js::Call (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:603
#24 0x0000555555e73a22 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff5f17000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:162
#25 0x0000555555e5dd83 in js::CrossCompartmentWrapper::call (this=0x555557bf4340 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:238
#26 0x0000555555e6a485 in js::Proxy::call (cx=0x7ffff5f17000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:503
#27 0x00005555558ec5b6 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:506
#28 0x00005555558ec7ed in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:587
#29 0x00005555558de8f9 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:591
#30 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3055
#31 0x00005555558ebb06 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:420
[...]
#40 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10966
rax	0x555557c3d280	93825033032320
rbx	0x7fffffffa800	140737488332800
rcx	0x555556b0d8a8	93825015011496
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffa530	140737488332080
rsp	0x7fffffffa4e0	140737488332000
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7ffff5f17000	140737319628800
r13	0x7fffffffa4f0	140737488332016
r14	0x7ffff5f7d800	140737320048640
r15	0x1	1
rip	0x5555558fa7bf <CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+703>
=> 0x5555558fa7bf <CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+703>:	movl   $0x0,0x0
   0x5555558fa7ca <CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+714>:	ud2

Steven, could you please have someone look into this? Will this be resolved by the 67 soft freeze (Mar 11)?

Flags: needinfo?(sdetar)

Neha, the fix for this bug will make Fx67

Flags: needinfo?(sdetar)
Flags: needinfo?(jorendorff)

Comment 2 was a mistake — Steven meant to say it will not make FF67.

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5c934ede1cfc
user:        Logan Smyth
date:        Wed Feb 13 02:31:00 2019 +0000
summary:     Bug 1518661 - Part 5: Give SpiderMonkey well-defined sense of step and breakpoint locations. r=jimb,bhackett

This iteration took 515.891 seconds to run.

Logan, is bug 1518661 a likely regressor?

Flags: needinfo?(lsmyth)

Yup! Patch incoming.

Assignee: nobody → lsmyth
Flags: needinfo?(lsmyth)
Flags: needinfo?(jorendorff)
Pushed by lsmyth@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0b05d8817659
Properly signal error in getPossibleBreakpoints error case. r=jorendorff
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
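The assertion in the backtrace is CallJSNative checking, after a native returned true, that no exception was left pending; the fix landed as "Properly signal error in getPossibleBreakpoints error case". The block below is an added example and not SpiderMonkey code: a minimal C++ model of that native calling convention, with the buggy pattern (error reported, true returned) beside the corrected one. Context, Query, Native, callNative, CallOutcome and the two getPossibleBreakpoints* functions are hypothetical stand-ins for the real engine types and are deliberately reduced to the one rule this bug broke.

```cpp
// Added example, not SpiderMonkey code: a model of the JSNative contract
// that bug 1532748 violated. In the engine a native reports an error via
// JS_ReportError* and must then return false; CallJSNative asserts that a
// native returning true left no exception pending. Every name below is a
// hypothetical stand-in for the real engine types.
#include <cstdio>
#include <string>

struct Context {
    bool hasPending = false;
    std::string message;
    bool isExceptionPending() const { return hasPending; }
    // Analogue of JS_ReportError*: records the error on the context. It
    // does not unwind anything; the native must still return false.
    void reportError(const std::string& msg) { hasPending = true; message = msg; }
    void clearPendingException() { hasPending = false; message.clear(); }
};

// Only the two query options that matter for the error path are modelled.
struct Query { bool hasLine; bool hasMinLine; };

using Native = bool (*)(Context&, const Query&);

// Buggy pattern: the error is reported, but control falls through and the
// native reports success to its caller.
bool getPossibleBreakpointsBuggy(Context& cx, const Query& q) {
    if (q.hasLine && q.hasMinLine) {
        cx.reportError("line cannot be combined with minLine");
        // missing: return false;
    }
    return true;
}

// Fixed pattern: report and return false in the same branch.
bool getPossibleBreakpointsFixed(Context& cx, const Query& q) {
    if (q.hasLine && q.hasMinLine) {
        cx.reportError("line cannot be combined with minLine");
        return false;
    }
    return true;
}

enum class CallOutcome { Ok, Threw, InvariantViolated };

// Analogue of the check in CallJSNative: a native that returned true must
// not have left an exception pending. In a debug build the real engine
// asserts here; in a release build there is no check and the caller
// continues with a pending exception it does not know about.
CallOutcome callNative(Context& cx, Native native, const Query& q) {
    bool ok = native(cx, q);
    if (ok && cx.isExceptionPending()) {
        return CallOutcome::InvariantViolated;
    }
    return ok ? CallOutcome::Ok : CallOutcome::Threw;
}

static const char* outcomeName(CallOutcome o) {
    switch (o) {
        case CallOutcome::Ok: return "Ok";
        case CallOutcome::Threw: return "Threw";
        default: return "InvariantViolated";
    }
}

int main() {
    const Query invalid{true, true};   // mirrors { minLine: 6, line: 8 }
    const Query valid{true, false};

    Context cx;
    std::printf("buggy, invalid query: %s\n",
                outcomeName(callNative(cx, getPossibleBreakpointsBuggy, invalid)));
    cx.clearPendingException();
    std::printf("fixed, invalid query: %s\n",
                outcomeName(callNative(cx, getPossibleBreakpointsFixed, invalid)));
    cx.clearPendingException();
    std::printf("fixed, valid query:   %s\n",
                outcomeName(callNative(cx, getPossibleBreakpointsFixed, valid)));
    return 0;
}
```

The point the model makes is that reporting an error and signalling it are two separate steps in this calling convention, and fuzzers find the cases where only one of them happens: the debug build turns that into the SIGSEGV seen above (MOZ_CRASH writing to address 0, the `movl $0x0,0x0` at the faulting rip), while a release build would silently carry the stale exception state into the caller.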