Closed Bug 1887305 Opened 2 years ago Closed 2 years ago

Assertion failure: environment->isDebuggee(), at debugger/Environment.cpp:532

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
126 Branch
Tracking Status
firefox126 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
var x = newGlobal();
x.eval("function f() { debugger; }");
var y = Debugger(x);
function g(z) {
  // Outer call: z is the Debugger.Frame; g is also installed as its toPrimitive hook.
  z[Symbol.toPrimitive] = g;
  try {
    // Converting z to a property key re-enters g, which removes the debuggee mid-call.
    z.environment.find(z);
  } catch (e) {}
  y.removeDebuggee(x);
}
y.onDebuggerStatement = g;
for (var m of x.f()) {
}
(gdb) bt
#0  js::DebuggerEnvironment::find (cx=0x7ffff6b39100, environment=..., id=id@entry=..., result=result@entry=...) at /home/skymainubu/trees/mozilla-central/js/src/debugger/Environment.cpp:532
#1  0x00005555579d2d05 in js::DebuggerEnvironment::CallData::findMethod (this=this@entry=0x7fffffffb490) at /home/skymainubu/trees/mozilla-central/js/src/debugger/Environment.cpp:302
#2  0x00005555579f0e8d in js::DebuggerEnvironment::CallData::ToNative<&js::DebuggerEnvironment::CallData::findMethod> (cx=cx@entry=0x7ffff6b39100, argc=<optimized out>, vp=<optimized out>) at /home/skymainubu/trees/mozilla-central/js/src/debugger/Environment.cpp:140
#3  0x00005555572a2e85 in CallJSNative (cx=cx@entry=0x7ffff6b39100, native=native@entry=0x5555579f0dc0 <js::DebuggerEnvironment::CallData::ToNative<&js::DebuggerEnvironment::CallData::findMethod>(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:479
#4  0x000055555727b40a in js::InternalCallOrConstruct (cx=0x7ffff6b39100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:573
#5  0x000055555727c17d in InternalCall (cx=0x7ffff7beda60 <_IO_stdfile_2_lock>, args=..., reason=1489453936) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:640
#6  0x000055555728aec8 in js::CallFromStack (cx=0x7ffff7beda60 <_IO_stdfile_2_lock>, args=..., reason=<optimized out>) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:645
#7  js::Interpret (cx=0x7ffff6b39100, state=...) at /home/skymainubu/trees/mozilla-central/js/src/vm/Interpreter.cpp:3060
/snip

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 5d6efea5e0bb.

This seems to go as far back as 3 months ago; I'll keep trying to bisect. Let me know if this is a benign OOM issue.

Setting s-s to be safe.

Flags: sec-bounty?

The testcase does not reproduce with the latest debug js shell from FTP (2015-10-21), as --more-compartments was not available then, but reproduces with m-c rev a5887514ddfb (Feb 2022).

I'm going to take a guess - since this has lots of debugger stuff, I'll set a needinfo? for Jan to take a look as a start.

Flags: needinfo?(jdemooij)
Group: core-security → javascript-core-security

This is an argument evaluation order issue in some debugger functions.

Group: javascript-core-security
Flags: needinfo?(jdemooij)

ValueToIdentifier can invoke JS code that removes the debuggee, so we have to reorder these operations.

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
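The evaluation-order bug described in the two comments above, as an added C++ model (not SpiderMonkey code; `Global`, `Value`, `valueToIdentifier`, `findBuggy`, `findFixed` and `hostileValue` are hypothetical names): the debuggee check is trusted across a conversion step that can run user code, and the fix is to do the conversion first so the check sees the final state.

```cpp
// Added model (not SpiderMonkey code) of the evaluation-order bug in
// DebuggerEnvironment::find: requireDebuggee() runs, then ValueToIdentifier()
// re-enters user JS (Symbol.toPrimitive), which can call removeDebuggee(),
// and the now-stale check result is still trusted.
#include <functional>
#include <string>

struct Global {
  bool debuggee = true;  // models environment->isDebuggee()
};

// Models a JS value whose toPrimitive hook is user-controlled code.
struct Value {
  std::string id;
  std::function<void()> toPrimitive;  // runs arbitrary "JS" during conversion
};

enum class Outcome { Rejected, LookedUp, LookedUpOnNonDebuggee };

// Models ValueToIdentifier: converting the value may invoke user code.
static std::string valueToIdentifier(const Value& v) {
  if (v.toPrimitive) v.toPrimitive();
  return v.id;
}

// Buggy order: check the debuggee first, then convert (which can re-enter).
static Outcome findBuggy(Global& g, const Value& v) {
  if (!g.debuggee) return Outcome::Rejected;  // requireDebuggee()
  std::string id = valueToIdentifier(v);     // may call removeDebuggee()
  // MOZ_ASSERT(environment->isDebuggee()) would fire here in the real engine.
  return g.debuggee ? Outcome::LookedUp : Outcome::LookedUpOnNonDebuggee;
}

// Fixed order (what the landed patch does): convert first, then check.
static Outcome findFixed(Global& g, const Value& v) {
  std::string id = valueToIdentifier(v);     // any re-entrancy happens here
  if (!g.debuggee) return Outcome::Rejected;  // check sees the final state
  return Outcome::LookedUp;
}

// Constructed input with the testcase's shape: a toPrimitive hook that
// removes the debuggee during conversion.
static Value hostileValue(Global& g) {
  return Value{"x", [&g] { g.debuggee = false; }};
}

// Constructed benign input: plain conversion, no re-entrancy.
static Value benignValue() { return Value{"x", nullptr}; }
```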
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/55aaac6352fb Move ValueToIdentifier call before requireDebuggee check. r=iain
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Flags: sec-bounty? → sec-bounty-