Closed Bug 1565275 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(Association not found: 0x2c2f7cab43a0 0x10 DebuggerOnStepHandler) at js/src/gc/Zone.cpp:739

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision ad05396bfeed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

Object.defineProperty(this, "fuzzutils", {
    value: {
        evaluate: function() {},
    }
});
var g = newGlobal({
    newCompartment: true
});
g.parent = this;
g.eval("(" + function() {
    var dbg = Debugger(parent);
    dbg.onEnterFrame = function(frame) {
        frame.onStep = function() {}
    }
} + ")()");
fuzzutils.evaluate();
oomTest(new Function());

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  MOZ_Crash (aReason=<optimized out>, aLine=<optimized out>, aFilename=<optimized out>) at dist/include/mozilla/Assertions.h:313
#1  js::gc::MemoryTracker::untrackMemory (this=<optimized out>, cell=0x2c2f7cab43a0, nbytes=16, use=<optimized out>) at js/src/gc/Zone.cpp:743
#2  0x0000555555a8fdff in js::FreeOp::free_ (this=<optimized out>, use=js::MemoryUse::DebuggerOnStepHandler, nbytes=16, p=0x7ffff5f1b260, cell=0x2c2f7cab43a0) at js/src/gc/FreeOp-inl.h:20
#3  js::FreeOp::delete_<js::ScriptedOnStepHandler> (nbytes=16, use=js::MemoryUse::DebuggerOnStepHandler, this=<optimized out>, p=0x7ffff5f1b260, cell=0x2c2f7cab43a0) at js/src/gc/FreeOp.h:110
#4  js::ScriptedOnStepHandler::drop (frame=0x2c2f7cab43a0, fop=<optimized out>, this=0x7ffff5f1b260) at js/src/vm/Debugger.cpp:9039
#5  js::DebuggerFrame::onStepSetter (cx=<optimized out>, cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:10376
#6  0x000055555590db8f in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555a8fc30 <js::DebuggerFrame::onStepSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
#7  0x0000555555904599 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f19000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:540
#8  0x0000555555904cdd in InternalCall (cx=0x7ffff5f19000, args=...) at js/src/vm/Interpreter.cpp:595
#9  0x0000555555904e50 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:611
#10 0x00005555559055b7 in js::CallSetter (cx=<optimized out>, thisv=..., thisv@entry=..., setter=..., setter@entry=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:749
#11 0x0000555555bde907 in SetExistingProperty (cx=<optimized out>, id=id@entry=..., v=..., v@entry=..., receiver=..., receiver@entry=..., pobj=..., pobj@entry=..., prop=..., prop@entry=..., result=...) at js/src/vm/NativeObject.cpp:2932
#12 0x0000555555bfcaf5 in js::NativeSetProperty<(js::QualifiedBool)1> (cx=<optimized out>, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/NativeObject.cpp:2961
#13 0x00005555558ff46d in js::SetProperty (result=..., receiver=..., v=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/ObjectOperations-inl.h:284
#14 SetPropertyOperation (rval=..., id=..., lval=..., op=<optimized out>, cx=0x7ffff5f19000) at js/src/vm/Interpreter.cpp:270
#15 Interpret (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:2853
#16 0x0000555555904016 in js::RunScript (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:425
#17 0x000055555590485f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f19000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:568
#18 0x0000555555904cdd in InternalCall (cx=0x7ffff5f19000, args=...) at js/src/vm/Interpreter.cpp:595
#19 0x0000555555904e50 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:611
#20 0x0000555555ab656b in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisObj=<optimized out>, arg0=arg0@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.h:106
#21 0x0000555555a7e5cd in js::Debugger::fireEnterFrame (this=this@entry=0x7ffff473f800, cx=<optimized out>, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:2249
#22 0x0000555555a9396e in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff473f800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:852
#23 js::Debugger::dispatchHook<js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., hookIsEnabled=..., cx=0x7ffff5f19000) at js/src/vm/Debugger.cpp:2342
#24 js::Debugger::slowPathOnEnterFrame (cx=<optimized out>, cx@entry=0x7ffff5f19000, frame=...) at js/src/vm/Debugger.cpp:853
#25 0x000055555590d768 in js::Debugger::onEnterFrame (cx=0x7ffff5f19000, frame=...) at js/src/vm/Debugger-inl.h:66
#26 0x00005555558f5d4f in Interpret (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:1856
#27 0x0000555555904016 in js::RunScript (cx=0x7ffff5f19000, state=...) at js/src/vm/Interpreter.cpp:425
#28 0x000055555590485f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f19000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:568
#29 0x0000555555904cdd in InternalCall (cx=0x7ffff5f19000, args=...) at js/src/vm/Interpreter.cpp:595
#30 0x0000555555904e50 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:611
#31 0x0000555555e5f27b in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2614
#32 0x0000555555c8f948 in RunIterativeFailureTest (cx=<optimized out>, cx@entry=0x7ffff5f19000, params=..., simulator=...) at js/src/builtin/TestingFunctions.cpp:2033
#33 0x0000555555c90111 in OOMTest (cx=cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:2214
#34 0x000055555590db8f in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555c90040 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#48 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11372
rax	0x555557e18180	93825034977664
rbx	0x555557e181a0	93825034977696
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffa4e0	140737488332000
rsp	0x7fffffffa440	140737488331840
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x0	0
r11	0x0	0
r12	0x7fffffffa460	140737488331872
r13	0x2c2f7cab43a0	48582466683808
r14	0x34	52
r15	0x10	16
rip	0x5555560dcaf0 <js::gc::MemoryTracker::untrackMemory(js::gc::Cell*, unsigned long, js::MemoryUse)+464>
=> 0x5555560dcaf0 <js::gc::MemoryTracker::untrackMemory(js::gc::Cell*, unsigned long, js::MemoryUse)+464>:	movl   $0x0,0x0
   0x5555560dcafb <js::gc::MemoryTracker::untrackMemory(js::gc::Cell*, unsigned long, js::MemoryUse)+475>:	ud2
Type: task → defect

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/03e0de747d02
user: Jon Coppeard
date: Tue Jun 25 13:11:04 2019 +0100
summary: Bug 1564072 - Track malloc memory used by debugger objects r=jimb

Jon, is bug 1564072 a likely regressor?

Flags: needinfo?(jcoppeard)
Regressed by: 1564072
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Yes, sure is.

Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Priority: -- → P1

The changes made in bug changeset 03e0de747d02 assume that drop() is only called on handlers that have been successfully set on a DebuggerFrame object, and attempt to remove the memory associated with that object. That logic fails if these are called due to an error during initialisation as is happening here. The patch changes a call to drop() to js_delete() and adds assertions that drop() is only called on handlers that are currently associated.
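The failure mode described in the comment above, as an added C++ model that is not SpiderMonkey code: a tracker whose untrack step requires a matching prior track association, a handler whose drop() untracks and deletes, and an error path that either calls drop() on a never-associated handler (the bug) or deletes it directly (the fix). All type and function names here are constructed stand-ins for the real MemoryTracker, ScriptedOnStepHandler and onStepSetter.

```cpp
#include <cassert>
#include <cstddef>
#include <map>
#include <utility>

// Constructed stand-ins: a GC cell (the DebuggerFrame) and the memory-use tag.
struct Cell {};
enum class MemoryUse { DebuggerOnStepHandler };

// Models the per-zone malloc tracker: (cell, use) -> registered byte count.
struct MemoryTracker {
  std::map<std::pair<Cell*, MemoryUse>, size_t> assoc;
  void track(Cell* cell, size_t nbytes, MemoryUse use) {
    assoc[{cell, use}] = nbytes;
  }
  // The real tracker MOZ_CRASHes with "Association not found"; here the
  // mismatch is reported as false so the scenario stays observable.
  bool untrack(Cell* cell, size_t nbytes, MemoryUse use) {
    auto it = assoc.find({cell, use});
    if (it == assoc.end() || it->second != nbytes) return false;
    assoc.erase(it);
    return true;
  }
};

struct OnStepHandler {
  // drop() assumes this handler was associated with |frame| via track().
  bool drop(MemoryTracker& t, Cell* frame) {
    bool ok = t.untrack(frame, sizeof(*this), MemoryUse::DebuggerOnStepHandler);
    delete this;
    return ok;
  }
};

// Models the setter; |initFails| is the simulated OOM that hits before the
// handler is associated with the frame. Returns true when the tracker's
// bookkeeping stays consistent.
bool setOnStep(MemoryTracker& t, Cell* frame, bool initFails, bool fixed) {
  auto* handler = new OnStepHandler();
  if (initFails) {
    if (fixed) { delete handler; return true; }  // fix: plain delete, nothing to untrack
    return handler->drop(t, frame);              // bug: untracks a never-tracked association
  }
  t.track(frame, sizeof(*handler), MemoryUse::DebuggerOnStepHandler);
  return handler->drop(t, frame);  // tearing down an associated handler is fine
}

// One scenario end to end; also checks no association is left behind.
bool runScenario(bool initFails, bool fixed) {
  MemoryTracker t;
  Cell frame;
  bool ok = setOnStep(t, &frame, initFails, fixed);
  return ok && t.assoc.empty();
}
```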

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/27f5a7e925a2 Don't call drop() on debugger handler that has never been associated with a frame object r=jimb
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d4cbd9263a27 Don't call drop() on debugger handler that has never been associated with a frame object r=jimb
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Please nominate this for Beta approval when you get a chance.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
This bug is not present on beta. Patches from bug 1564072 are only present in FF70.

Flags: needinfo?(jcoppeard)
Has Regression Range: --- → yes
