Closed Bug 1653492 Opened 4 years ago Closed 1 year ago

Crash [@ JS_GetReservedSlot] or Assertion failure: holder, at vm/Instrumentation.cpp:192 with Debugger

Categories: Core :: JavaScript Engine, defect, P3
Platform: x86_64 Linux

Status: RESOLVED WORKSFORME
Tracking Status: firefox80 --- wontfix

People: Reporter: decoder, Unassigned

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments: 1 file

The following testcase crashes on mozilla-central revision 20200717-f6127ce5c744 (opt build, run with --fuzzing-safe --ion-offthread-compile=off):

// Create a debuggee global in its own compartment and attach a Debugger to it.
var g = newGlobal({
    newCompartment: true
});
var dbg = Debugger(g);
var gdbg = dbg.addDebuggee(g);
// Install an instrumentation callback on g for the "breakpoint" kind.
gdbg.setInstrumentation(gdbg.makeDebuggeeValue((kind, script, offset) => {}), ["breakpoint"]);
// A second global, in its own compartment, with no instrumentation set up.
var g2 = newGlobal({
    newCompartment: true
});
// Clone the script compiled for g and execute it in g2; this is the step that crashes
// (see the backtrace below: CloneAndExecuteScript -> Interpret -> InstrumentationActiveOperation).
g.cloneAndExecuteScript("debugger;", g2);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055555582a5a0 in JS_GetReservedSlot(JSObject*, unsigned int) ()
#1  0x00005555558dcc48 in js::InstrumentationActiveOperation(JSContext*, JS::MutableHandle<JS::Value>) ()
#2  0x00005555557a0cd6 in Interpret(JSContext*, js::RunState&) ()
#3  0x00005555557923c4 in js::RunScript(JSContext*, js::RunState&) ()
#4  0x00005555557a36f5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) ()
#5  0x00005555558a9432 in JS::CloneAndExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) ()
#6  0x0000555555ac96e5 in ShellCloneAndExecuteScript(JSContext*, unsigned int, JS::Value*) ()
#7  0x00005555557a1f5b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#8  0x00005555557a29ce in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) ()
#9  0x000055555586b7a0 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ()
#10 0x000055555585d74c in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ()
#11 0x000055555586313c in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) ()
#12 0x00005555557a2120 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) ()
#13 0x000055555579b3a6 in Interpret(JSContext*, js::RunState&) ()
[...]
#20 0x000055555568a2c4 in main ()
rax	0x7ffc	32764
rbx	0x0	0
rcx	0x10	16
rdx	0xb3	179
rsi	0x0	0
rdi	0x0	0
rbp	0x7fffffffb450	140737488335952
rsp	0x7fffffffb438	140737488335928
r8	0x7ffff60650d0	140737320997072
r9	0x0	0
r10	0x0	0
r11	0x1b	27
r12	0x7fffffffb708	140737488336648
r13	0x7ffff6023000	140737320726528
r14	0x7fffffffb698	140737488336536
r15	0x7ffff6023028	140737320726568
rip	0x55555582a5a0 <JS_GetReservedSlot(JSObject*, unsigned int)>
=> 0x55555582a5a0 <_Z18JS_GetReservedSlotP8JSObjectj>:	mov    0x8(%rdi),%rax
   0x55555582a5a4 <_Z18JS_GetReservedSlotP8JSObjectj+4>:	movzbl 0x13(%rax),%eax
Attached file Testcase
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200717032756-f6127ce5c744. Failed to bisect testcase (Start build crashes!):
Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
End: f6127ce5c74439b7468a36c08941f3ab7210930f (20200717032756)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Ted, what is the status of Debugger.setInstrumentation? I only see uses of setInstrumentationBreakpoint, the rest is in our test suite.

Severity: -- → S4
Flags: needinfo?(tcampbell)
Priority: -- → P3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201205214636-cc2de07855f8) but not with tip (mozilla-central 20211203213802-92df9c655be5).
The bug appears to have been fixed in the following build range:

Start: 7a6cb72f2bed46afaed6f7c9fda8faa5b4e4b861 (20210601010330)
End: e590eb34efc52ab109f2737167cb2aa0975a1792 (20210601013402)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7a6cb72f2bed46afaed6f7c9fda8faa5b4e4b861&tochange=e590eb34efc52ab109f2737167cb2aa0975a1792
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Depends on: 1624792

The setInstrumentation code is removed these days

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(tcampbell)
Resolution: --- → WORKSFORME
