1901408 - Assertion failure: slot < debugNumValueSlots(), at /root/src/js/src/jit/BaselineFrame.h:156

Status: UNCONFIRMED

(Core :: JavaScript Engine, defect, P3)

Description

[Nils Bars]

Attachment: bug.js

Steps to reproduce:

Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:

/root/js-spidermonkey-shell  --fuzzing-safe  --fast-warmup <testcase>

Actual results:

Assertion failure: slot < debugNumValueSlots(), at /root/src/js/src/jit/BaselineFrame.h:156

Comment 1

[Jan de Mooij [:jandem]]

Test below fails with --fast-warmup.

I think the problem here is that the debugger is trying to take a debugger frame snapshot of a Baseline frame before stack slots have been pushed (from the stack overflow check => interrupt check).

let v0 = 0;
function f1() {
    if (v0++ < 10) {
        interruptIf(true);
        f1();
    }
    const dbg = newGlobal({newCompartment: true}).Debugger(this);
    dbg.getNewestFrame().older.eval("");
    return "";
}
setInterruptCallback(f1);
f1();

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The testcase does not reproduce with the latest debug js shell from FTP (2015-10-21) but reproduces with m-c rev a5887514ddfb (Feb 2022).

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Ian, thanks for fixing Debugger fuzzbugs recently, might this one be in your ballpark as well?

Comment 4

[Iain Ireland [:iain]]

This is a low-value bug to fix. Not only does it require the debugger, but it requires custom interrupt handlers, which don't exist outside the shell. I took a quick look at it to see if there's an easy and obvious fix, but I didn't spot anything. Bumping down the priority.