Closed
Bug 1344673
Opened 8 years ago
Closed 7 years ago
Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:285 with OOM and Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1370905
| Tracking | Status
---|---|---
firefox54 | --- | affected
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 80c06df83395 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):
```js
// SpiderMonkey shell testcase: newGlobal() and oomAfterAllocations() are shell-only helpers.
var g = newGlobal();                 // debuggee global in its own compartment
var dbg = Debugger(g);               // attach a Debugger to that global
dbg.onDebuggerStatement = function(frame) {
  oomAfterAllocations(5);            // simulate OOM: the 5th allocation from here on fails
  farguments = frame.arguments;      // Debugger.Frame arguments getter runs under simulated OOM
};
g.eval("function f(x) { debugger; h(); }");
g.f(100);                             // hits the debugger statement and fires the hook
```
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x08174f34 in js::CallJSNative (cx=0xf793a800, native=0x86e5810 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:285
#0 0x08174f34 in js::CallJSNative (cx=0xf793a800, native=0x86e5810 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:285
#1 0x0816b032 in js::InternalCallOrConstruct (cx=0xf793a800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:448
#2 0x0816b41d in InternalCall (cx=cx@entry=0xf793a800, args=...) at js/src/vm/Interpreter.cpp:493
#3 0x0816b5ab in js::Call (cx=0xf793a800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:512
#4 0x0816b693 in js::CallGetter (cx=0xf793a800, thisv=..., getter=..., rval=...) at js/src/vm/Interpreter.cpp:627
#5 0x087675c5 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.cpp:1806
#6 GetExistingProperty<(js::AllowGC)1> (cx=0xf793a800, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1854
#7 0x08768238 in NativeGetPropertyInline<(js::AllowGC)1> (cx=0xf793a800, obj=..., receiver=..., id=..., nameLookup=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2085
#8 0x08768947 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2119
#9 0x0816e243 in js::GetProperty (cx=0xf793a800, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1435
#10 0x0815c90d in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0xf793a800) at js/src/jsobj.h:845
#11 js::GetProperty (cx=0xf793a800, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4309
#12 0x0815f022 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:192
#13 Interpret (cx=0xf793a800, state=...) at js/src/vm/Interpreter.cpp:2671
#14 0x0816ac1c in js::RunScript (cx=0xf793a800, state=...) at js/src/vm/Interpreter.cpp:394
#15 0x0816b157 in js::InternalCallOrConstruct (cx=0xf793a800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:466
#16 0x0816b41d in InternalCall (cx=cx@entry=0xf793a800, args=...) at js/src/vm/Interpreter.cpp:493
#17 0x0816b5ab in js::Call (cx=0xf793a800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:512
#18 0x0866858d in js::Call (cx=0xf793a800, fval=..., thisObj=0xf55710d0, arg0=..., rval=...) at js/src/vm/Interpreter.h:114
#19 0x086e9676 in js::Debugger::fireDebuggerStatement (this=0xf794a000, cx=0xf793a800, vp=...) at js/src/vm/Debugger.cpp:1787
#20 0x086e9b69 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0xf794a000, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1026
#21 js::Debugger::dispatchHook<js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnDebuggerStatement(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0xf793a800, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1928
#22 js::Debugger::slowPathOnDebuggerStatement (cx=0xf793a800, frame=...) at js/src/vm/Debugger.cpp:1027
#23 0x0816738b in js::Debugger::onDebuggerStatement (frame=frame@entry=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:58
#24 Interpret (cx=0xf793a800, state=...) at js/src/vm/Interpreter.cpp:3810
#25 0x0816ac1c in js::RunScript (cx=0xf793a800, state=...) at js/src/vm/Interpreter.cpp:394
[...]
#47 main (argc=4, argv=0xffffd8a4, envp=0xffffd8b8) at js/src/shell/js.cpp:8436
eax 0x0 0
ebx 0x8cfdff4 147841012
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0xffffbb10 -17648
edi 0xf793ad0c -141316852
ebp 0xffffb9b8 4294949304
esp 0xffffb970 4294949232
eip 0x8174f34 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+436>
=> 0x8174f34 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+436>: movl $0x0,0x0
0x8174f3e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+446>: ud2
This goes back to before Jan 2015 (m-c rev bcacb5692ad9). As this involves Debugger, Jim, how do you think we should move this forward?
Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2•7 years ago
I can reproduce this in 80c06df83395 but not on current M-C. Bisecting to see where it was fixed.
Flags: needinfo?(jimb)
Comment 3•7 years ago
This bug is a dupe of bug 1370905, fixed in 6685b967780d.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE