1576862 - Assertion failure: false (cx->getPendingException(&exception)), at js/src/debugger/Debugger.cpp:1800 or MOZ_CRASH with Compartment mismatch

Status: RESOLVED DUPLICATE of bug 1565278

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision c75d6a0539eb (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var yield = undefined;
var evalInFrame = (function evalInFrame(global) {
    var dbgGlobal = newGlobal({
        newCompartment: true
    });
    var dbg = new dbgGlobal.Debugger();
    return function evalInFrame(upCount, code) {
        dbg.addDebuggee(global);
        var frame = dbg.getNewestFrame().older;
        for (; evalInFrame("function w(){}") ;)
          frame = frame.older;
    };
})(this);
evalInFrame(true == (this), "a.push(1)");

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::Completion::fromJSResult (cx=<optimized out>, ok=ok@entry=false, rv=...) at js/src/debugger/Debugger.cpp:1800
#0  js::Completion::fromJSResult (cx=<optimized out>, ok=ok@entry=false, rv=...) at js/src/debugger/Debugger.cpp:1800
#1  0x0000555555e19456 in js::Completion::fromJSFramePop (cx=<optimized out>, frame=..., pc=pc@entry=0x7ffff5f8d51a ":\001", ok=ok@entry=false) at js/src/debugger/Debugger.cpp:1815
#2  0x0000555555e396a8 in js::DebugAPI::slowPathOnLeaveFrame (cx=<optimized out>, cx@entry=0x7ffff5f23000, frame=..., pc=pc@entry=0x7ffff5f8d51a ":\001", frameOk=frameOk@entry=false) at js/src/debugger/Debugger.cpp:936
#3  0x00005555558eeec3 in js::DebugAPI::onLeaveFrame (cx=0x7ffff5f23000, frame=..., pc=0x7ffff5f8d51a ":\001", ok=false) at js/src/debugger/DebugAPI-inl.h:91
#4  0x00005555563aac68 in js::jit::HandleExceptionBaseline (rfe=0x7fffffdfe500, prevFrame=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:527
#5  js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:685
#6  0x0000086830155146 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x555557d10120	93825033896224
rbx	0x7fffffdfdce0	140737486249184
rcx	0x7ffff6c1c2dd	140737333281501
rdx	0x0	0
rsi	0x555556cddd88	93825016913288
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffdfda60	140737486248544
rsp	0x7fffffdfd9e0	140737486248416
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffdfda00	140737486248448
r13	0x7fffffdfda20	140737486248480
r14	0x7fffffdfd9e8	140737486248424
r15	0x7fffffdfdc60	140737486249056
rip	0x555555e193d4 <js::Completion::fromJSResult(JSContext*, bool, JS::Value const&)+388>
=> 0x555555e193d4 <js::Completion::fromJSResult(JSContext*, bool, JS::Value const&)+388>:	movl   $0x0,0x0
   0x555555e193df <js::Completion::fromJSResult(JSContext*, bool, JS::Value const&)+399>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/f0aa53a43409
user:        Jim Blandy
date:        Sun Jul 07 17:03:57 2019 +0000
summary:     Bug 1470558: Distinguish yields and awaits in completion values. r=jorendorff

This iteration took 462.071 seconds to run.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Jim, is bug 1470558 a likely regressor?

Comment 3

[Liz Henry (:lizzard) (relman/hg->git project)]

Following up in email with jimb. ´

Comment 4

[Jim Blandy :jimb]

Hi - sorry. I'm looking into this, as a top priority.

Comment 5

[Jim Blandy :jimb]

I believe this is a duplicate of bug 1565278. The patch I have for that bug also stops this bug's test case from crashing.