Closed Bug 1370905 Opened 7 years ago Closed 7 years ago

Assertion failure: !cx->isExceptionPending(), at js/src/jscntxtinlines.h:296 with Debugger and OOM

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox56 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

bug1370905-debugger-args
(deleted), patch
jimb
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision 5801aa478de1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): var lfLogBuffer = ` var global = newGlobal(); global.eval('function f() { debugger; }'); var debug = new Debugger(global); function evalAndNoteScripts(prog) { debug.onDebuggerStatement = function(frame) { oomAfterAllocations(50); scripts.argument = frame.arguments[0].script; }; global.eval(prog); } var scripts = evalAndNoteScripts('f(f)'); `; loadFile(lfLogBuffer); function loadFile(lfVarx) { oomTest(new Function(lfVarx)); } Backtrace: received signal SIGSEGV, Segmentation fault. 0x000000000054040e in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xb059d0 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:296 #0 0x000000000054040e in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0xb059d0 <js::DebuggerFrame::argumentsGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:296 #1 0x00000000005351d3 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470 #2 0x00000000005355e8 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515 #3 0x000000000053571d in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534 #4 0x00000000005358bc in js::CallGetter (cx=cx@entry=0x7ffff6924000, thisv=thisv@entry=..., getter=getter@entry=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:649 #5 0x0000000000b8c449 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff6924000) at js/src/vm/NativeObject.cpp:2019 #6 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff6924000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2067 #7 0x0000000000b8d17f in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff6924000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2298 #8 0x0000000000b8d960 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2332 #9 0x00000000005388d4 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1543 #10 0x00000000005237e9 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6924000) at js/src/jsobj.h:853 #11 js::GetProperty (cx=cx@entry=0x7ffff6924000, v=..., v@entry=..., name=..., name@entry=..., vp=vp@entry=...) at js/src/vm/Interpreter.cpp:4402 #12 0x0000000000809af1 in js::jit::ComputeGetPropResult (res=..., val=..., name=..., op=JSOP_GETPROP, frame=0x7fffffff9278, cx=0x7ffff6924000) at js/src/jit/SharedIC.cpp:2018 #13 js::jit::DoGetPropFallback (cx=0x7ffff6924000, frame=0x7fffffff9278, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2075 [...] #42 0x00000000005e8302 in EnterBaseline (cx=0xffff9390, data=...) at js/src/jit/BaselineJIT.cpp:162 Backtrace stopped: frame did not save the PC rax 0x0 0 rbx 0x7fffffff8c00 140737488325632 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffff8a90 140737488325264 rsp 0x7fffffff8a40 140737488325184 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x0 0 r11 0x0 0 r12 0x7ffff6924000 140737330167808 r13 0x7fffffff8a50 140737488325200 r14 0xb059d0 11557328 r15 0x7fffffff8c00 140737488325632 rip 0x54040e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+414> => 0x54040e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+414>: movl $0x0,0x0 0x540419 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+425>: ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3". The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a
Jon, is bug 1239369 a likely regressor?
Blocks: 1239369
Flags: needinfo?(jcoppeard)
Attached patch bug1370905-debugger-args (deleted) — Splinter Review
Patch to check for failure in DebuggerFrame::getArguments.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Attachment #8881948 - Flags: review?(jimb)
No longer blocks: 1239369
Attachment #8881948 - Flags: review?(jimb) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6685b967780d Check for failure creating DebuggerArguments r=jimb
https://hg.mozilla.org/mozilla-central/rev/6685b967780d
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Is this worth backporting to Beta for 55 or should we let it ride the 56 train?
status-firefox54: --- → wontfix
status-firefox-esr52: --- → wontfix
Flags: needinfo?(jcoppeard)
Flags: in-testsuite+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6) I'd say let it ride the trains.
Flags: needinfo?(jcoppeard)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: