Closed Bug 1891598 Opened 10 months ago Closed 10 months ago

Assertion failure: isFunctionFrame(), at vm/Stack.h:588

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
127 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox125 --- wontfix
firefox126 --- wontfix
firefox127 --- fixed

People

(Reporter: gkw, Assigned: arai)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
// Module with top-level await: evaluating it creates a module frame that
// suspends at the await and is later resumed via JSOp::Resume.
var x = registerModule("1", parseModule("await 1"));
moduleLink(x);
moduleEvaluate(x);
// Debugger living in a separate compartment, attached to this global.
var y = newGlobal({ newCompartment: true });
y.parent = this;
y.eval(
  "Debugger(parent).onEnterFrame = function () { \
    __proto__.return = 0; \
    return function () {}; \
  }; "
);
// The hook sets `return` on Object.prototype of the debugger global, so the
// returned function inherits it and is treated as a { return: 0 } resumption
// value, forcing the entered frame to return.
(gdb) bt
#0  js::InterpreterFrame::callee (this=<optimized out>) at /home/genxps15/trees/mozilla-central/js/src/vm/Stack.h:588
#1  0x0000555557293626 in js::Interpret (cx=0x7ffff6739100, state=...) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:4144
#2  0x0000555557279129 in MaybeEnterInterpreterTrampoline (cx=0x7ffff7bd3700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6739100, state=...)
    at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:393
#3  0x0000555557278ddf in js::RunScript (cx=cx@entry=0x7ffff6739100, state=...) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:451
#4  0x0000555557279770 in js::InternalCallOrConstruct (cx=0x7ffff6739100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:605
#5  0x000055555727a5cd in InternalCall (cx=0x7ffff7bd3700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6739100, args=..., reason=1489488160,
    reason@entry=js::CallReason::Call) at /home/genxps15/trees/mozilla-central/js/src/vm/Interpreter.cpp:640
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/10f63f093070
user:        Jon Coppeard
date:        Tue Jul 05 13:04:55 2022 +0000
summary:     Bug 1778076 - Part 5: Replace ModuleObject methods with shell functions r=arai

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev fcfbb607fde2.

Setting s-s as a start, especially since previous bug 1681256 also involving Debugger with a virtually similar assertion failure was marked sec-moderate.

Jon, is bug 1778076 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)
Group: core-security → javascript-core-security

(In reply to Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) from comment #0)

> Jon, is bug 1778076 a likely regressor?

That added the shell functions the test case calls, so likely pre-existing.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

This is a wrong assumption about the frame in the assertion.
JSOp::Resume is also used by module scripts with TLA, so it shouldn't call InterpreterFrame::callee.
Also, the generator should be closed in all cases, so it should just assert isClosed.

Flags: needinfo?(jcoppeard)

Set release status flags based on info from the regressing bug 1778076

This affects only debug builds.
This can be opened up.

Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/bc8377ba090e Do not assume function in JSOp::Resume. r=jonco
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Flags: sec-bounty? → sec-bounty-