Crash [@ JS_GetReservedSlot] or Assertion failure: holder, at vm/Instrumentation.cpp:192 with Debugger
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox80 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(1 file: 289 bytes, text/plain)
The following testcase crashes on mozilla-central revision 20200717-f6127ce5c744 (opt build, run with --fuzzing-safe --ion-offthread-compile=off):
// Debuggee global in its own compartment; the Debugger lives in the shell's main global.
var g = newGlobal({
  newCompartment: true
});
var dbg = Debugger(g);
var gdbg = dbg.addDebuggee(g);
// Activate instrumentation on g for the "breakpoint" kind with a no-op callback.
gdbg.setInstrumentation(gdbg.makeDebuggeeValue((kind, script, offset) => {}), ["breakpoint"]);
// A second global that is neither a debuggee nor has any instrumentation holder.
var g2 = newGlobal({
  newCompartment: true
});
// Compile the script for g (instrumentation active), then clone it into g2 and run it there.
g.cloneAndExecuteScript("debugger;", g2);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x000055555582a5a0 in JS_GetReservedSlot(JSObject*, unsigned int) ()
#1 0x00005555558dcc48 in js::InstrumentationActiveOperation(JSContext*, JS::MutableHandle<JS::Value>) ()
#2 0x00005555557a0cd6 in Interpret(JSContext*, js::RunState&) ()
#3 0x00005555557923c4 in js::RunScript(JSContext*, js::RunState&) ()
#4 0x00005555557a36f5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#5 0x00005555558a9432 in JS::CloneAndExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#6 0x0000555555ac96e5 in ShellCloneAndExecuteScript(JSContext*, unsigned int, JS::Value*) ()
#7 0x00005555557a1f5b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8 0x00005555557a29ce in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#9 0x000055555586b7a0 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ()
#10 0x000055555585d74c in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ()
#11 0x000055555586313c in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) ()
#12 0x00005555557a2120 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#13 0x000055555579b3a6 in Interpret(JSContext*, js::RunState&) ()
[...]
#20 0x000055555568a2c4 in main ()
rax 0x7ffc 32764
rbx 0x0 0
rcx 0x10 16
rdx 0xb3 179
rsi 0x0 0
rdi 0x0 0
rbp 0x7fffffffb450 140737488335952
rsp 0x7fffffffb438 140737488335928
r8 0x7ffff60650d0 140737320997072
r9 0x0 0
r10 0x0 0
r11 0x1b 27
r12 0x7fffffffb708 140737488336648
r13 0x7ffff6023000 140737320726528
r14 0x7fffffffb698 140737488336536
r15 0x7ffff6023028 140737320726568
rip 0x55555582a5a0 <JS_GetReservedSlot(JSObject*, unsigned int)>
=> 0x55555582a5a0 <_Z18JS_GetReservedSlotP8JSObjectj>: mov 0x8(%rdi),%rax
0x55555582a5a4 <_Z18JS_GetReservedSlotP8JSObjectj+4>: movzbl 0x13(%rax),%eax
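A practitioner triaging this report wants to know whether the SIGSEGV is a null-page read (a NULL `JSObject*` plus a field offset, which is normally a denial-of-service class bug) or a wild or freed pointer. The dump already answers that (rdi is 0 and the faulting instruction reads `0x8(%rdi)`), but the following script derives it mechanically so the same check can be applied to other gdb dumps. This is an added example for this page, not code from the bug report or from SpiderMonkey; the register lines and the `=>` instruction are copied from the output above, while the 0x10000 null-page bound and the subset of AT&T operand syntax it parses are assumptions.

```python
import re

# Register dump and faulting instruction copied from the gdb output in the
# bug report above (the "=>" line is the instruction at rip).
REGISTER_DUMP = """\
rax 0x7ffc 32764
rbx 0x0 0
rcx 0x10 16
rdx 0xb3 179
rsi 0x0 0
rdi 0x0 0
rbp 0x7fffffffb450 140737488335952
rsp 0x7fffffffb438 140737488335928
r8 0x7ffff60650d0 140737320997072
r9 0x0 0
r10 0x0 0
r11 0x1b 27
r12 0x7fffffffb708 140737488336648
r13 0x7ffff6023000 140737320726528
r14 0x7fffffffb698 140737488336536
r15 0x7ffff6023028 140737320726568
rip 0x55555582a5a0 <JS_GetReservedSlot(JSObject*, unsigned int)>
"""
FAULTING_INSN = "=> 0x55555582a5a0 <_Z18JS_GetReservedSlotP8JSObjectj>: mov 0x8(%rdi),%rax"

# Assumption: on Linux the lowest mappable user address is normally 0x10000
# (vm.mmap_min_addr), so an access below it is a NULL pointer plus an offset.
NULL_PAGE_LIMIT = 0x10000

# One gdb register line: name, hex value, decimal value (the decimal is ignored).
REG_LINE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-f]+)")

# AT&T memory operand disp(base,index,scale); only the forms this triage needs.
MEM_OPERAND = re.compile(
    r"(-?0x[0-9a-f]+|-?\d+)?\((%[a-z0-9]+)(?:,(%[a-z0-9]+)(?:,(\d))?)?\)")


def parse_registers(dump):
    """Map register name -> integer value from a gdb register dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def effective_address(insn, regs):
    """Compute the address the instruction's memory operand touches."""
    m = MEM_OPERAND.search(insn)
    if not m:
        raise ValueError("no memory operand in: " + insn)
    disp = int(m.group(1), 0) if m.group(1) else 0
    base = regs[m.group(2).lstrip("%")]
    index = regs[m.group(3).lstrip("%")] if m.group(3) else 0
    scale = int(m.group(4)) if m.group(4) else 1
    return (base + index * scale + disp) & 0xFFFFFFFFFFFFFFFF


def access_kind(insn):
    """'write' if the memory operand is the last (destination) operand in AT&T
    syntax, else 'read'. Sufficient for plain mov-style loads and stores."""
    m = MEM_OPERAND.search(insn)
    return "read" if "," in insn[m.end():] else "write"


def triage(dump, insn):
    """Summarise a SIGSEGV: faulting address, access kind, base register, and
    whether the access lands in the null page."""
    regs = parse_registers(dump)
    addr = effective_address(insn, regs)
    base_reg = MEM_OPERAND.search(insn).group(2).lstrip("%")
    return {
        "address": addr,
        "access": access_kind(insn),
        "base_register": base_reg,
        "base_value": regs[base_reg],
        "near_null": addr < NULL_PAGE_LIMIT,
    }


if __name__ == "__main__":
    r = triage(REGISTER_DUMP, FAULTING_INSN)
    print("fault: %s of 0x%x via %s=0x%x, near_null=%s" % (
        r["access"], r["address"], r["base_register"], r["base_value"], r["near_null"]))
```

On the dump above this reports a read of address 0x8 through rdi=0, i.e. the first load in JS_GetReservedSlot dereferencing a NULL object pointer, which matches the `holder` assertion the debug build hits at Instrumentation.cpp:192. A near-null read is the usual signature of a missing null check rather than of memory corruption; an address far from the null page would call for a closer look at the allocation that the base register points to.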
Comment 1•4 years ago (Reporter)

Updated•4 years ago

Comment 2•4 years ago

Updated•4 years ago

Comment 3•4 years ago
Ted, what is the status of Debugger.setInstrumentation? I only see uses of setInstrumentationBreakpoint; the rest is in our test suite.
Updated•4 years ago

Comment 4•3 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201205214636-cc2de07855f8) but not with tip (mozilla-central 20211203213802-92df9c655be5).
The bug appears to have been fixed in the following build range:
Start: 7a6cb72f2bed46afaed6f7c9fda8faa5b4e4b861 (20210601010330)
End: e590eb34efc52ab109f2737167cb2aa0975a1792 (20210601013402)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a6cb72f2bed46afaed6f7c9fda8faa5b4e4b861&tochange=e590eb34efc52ab109f2737167cb2aa0975a1792
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 5•1 year ago

The setInstrumentation code is removed these days.