Closed Bug 1564230 Opened 5 years ago Closed 5 years ago

Assertion failure: isExceptionPending(), at js/src/vm/JSContext.cpp:1215 with Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: gkw, Assigned: jimb)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore] [debugger-mvp] )

Attachments

(2 files)

Detailed Crash Information
16.67 KB, text/plain
Details
Bug 1564230: Properly report OOM from js::DebugEnvironments::updateLiveEnvironments. r?jorendorff
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 7b346e25734f (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
options("strict_mode");
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/bug-1292564.js
oomTest(function () {
    g = newGlobal({
        sameZoneAs: this
    });
    Debugger(g).onDebuggerStatement = function(frame) {
        frame.eval("");
    };
    g.eval("debugger");
});

Backtrace:

#0  JSContext::alreadyReportedError (this=0x7fe1cb417000) at js/src/vm/JSContext.cpp:1215
#1  0x000055a3911c2649 in DebuggerGenericEval (cx=0x7fe1cb417000, chars=..., bindings=..., options=..., dbg=0x7fe1cac6f800, envArg=..., iter=0x7ffd0514ac00) at js/src/vm/Debugger.cpp:9760
#2  0x000055a3911c2060 in js::DebuggerFrame::eval (cx=0x7fe1cb417000, frame=..., chars=..., bindings=..., options=...) at js/src/vm/Debugger.cpp:9828
#3  0x000055a3911c85a5 in js::DebuggerFrame::evalMethod (cx=0x7fe1cb417000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:10423
#4  0x000055a391035f45 in CallJSNative (cx=0x7fe1cb417000, native=0x55a3911c8280 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
/snip

For detailed crash information, see attachment.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4f26d027343a
user: Jim Blandy
date: Sun Jul 07 09:47:52 2019 +0000
summary: Bug 1470558: Use Completion type for Debugger eval-related methods. r=jorendorff

Jim, is bug 1470558 a likely regressor?

Flags: needinfo?(jimb)
Regressed by: 1470558
Summary: Assertion failure: isExceptionPending(), at js/src/vm/JSContext.cpp:1215 → Assertion failure: isExceptionPending(), at js/src/vm/JSContext.cpp:1215 with Debugger
Type: task → defect

Steven, can you help find an owner for this bug / assign a priority? Thanks!

Flags: needinfo?(sdetar)

Jason, could you help triage this bug and help find a good owner to look at it?

Flags: needinfo?(sdetar) → needinfo?(jorendorff)
Flags: needinfo?(jorendorff)
Priority: -- → P1

I can reproduce this. Taking.

Assignee: nobody → jimb
Flags: needinfo?(jimb)

Got distracted by other things; picking this up again.

Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 8 is incorrect, I can still reproduce with m-c rev efe4a620841c .

Hi Jim - can you please give an update on this, it's marked as a P1 for FF70.

Flags: needinfo?(jimb)

I believe this is a duplicate of bug 1565278, but I'm having a little trouble reproducing this at the moment. I have a fix for that bug, so I should be able to resolve this tomorrow (Tuesday).

Flags: needinfo?(jimb)

This is not a duplicate of bug 1565278, but I can reproduce the bug.

It looks easy to fix. (Famous last words.)

I don't have a test for this that doesn't take several minutes to pass, and the
change seems too obvious to require a test.

Pushed by jblandy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c6aac8e24622
Properly report OOM from js::DebugEnvironments::updateLiveEnvironments. r=jorendorff

https://hg.mozilla.org/mozilla-central/rev/c6aac8e24622

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox71: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Is there a user impact which justifies backport consideration here or can this ride with Fx71 to release?

status-firefox69: --- → wontfix
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: needinfo?(jimb)
Flags: in-testsuite-
Blocks: dbg-71
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore] [debugger-mvp]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #16)

Is there a user impact which justifies backport consideration here or can this ride with Fx71 to release?

No, there is no urgent user impact.

Flags: needinfo?(jimb)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: