Closed Bug 1434391 Opened 7 years ago Closed 6 years ago

Crash [@ js::gc::Chunk::withinValidRange] with OOM and Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 9746e0a0a81c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

    oomTest(new Function(`
      var g = newGlobal();
      var dbg = new Debugger();
      var gw = dbg.addDebuggee(g);
      assertEq(gw.executeInGlobal("(42).toString(0)").throw.errorMessageName, "JSMSG_BAD_RADIX");
      for (let arg of Args) dbg();
    `));

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x00000000004710c0 in js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:748
    #0  0x00000000004710c0 in js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:748
    #1  js::gc::Cell::address (this=0x0) at js/src/gc/Cell.h:223
    #2  js::gc::TenuredCell::arena (this=0x0) at js/src/gc/Cell.h:312
    #3  0x00000000009efb50 in js::gc::TenuredCell::zoneFromAnyThread (this=0x0) at js/src/gc/Cell.h:340
    #4  JSCompartment::wrap (this=<optimized out>, cx=0x7ffff5f16000, strp=..., strp@entry=...) at js/src/jscompartment.cpp:334
    #5  0x0000000000b1109c in js::DebuggerObject::getErrorMessageName (cx=cx@entry=0x7ffff5f16000, object=..., object@entry=..., result=...) at js/src/vm/Debugger.cpp:10223
    #6  0x0000000000b111cb in js::DebuggerObject::errorMessageNameGetter (cx=cx@entry=0x7ffff5f16000, argc=argc@entry=0, vp=vp@entry=0x7fffffffbeb0) at js/src/vm/Debugger.cpp:9162
    #7  0x00000000008ee0d4 in js::jit::CallNativeGetter (cx=0x7ffff5f16000, callee=..., obj=..., result=...) at js/src/jit/VMFunctions.cpp:1554
    #8  0x00002dc34d0b0167 in ?? ()
    [...]
    #38 0x0000000000000000 in ?? ()

    rax 0x0                 0
    rbx 0xf5f16001          4126236673
    rcx 0x0                 0
    rdx 0x7fffffffbd01      140737488338177
    rsi 0x7ffff5f16000      140737319624704
    rdi 0x0                 0
    rbp 0x7fffffffbc00      140737488337920
    rsp 0x7fffffffbc00      140737488337920
    r8  0x7fffffffbd00      140737488338176
    r9  0x8                 8
    r10 0x7fffffffbf48      140737488338760
    r11 0xfff9800000000000  -1829587348619264
    r12 0x7ffff5f2d000      140737319718912
    r13 0x0                 0
    r14 0x7fffffffbd68      140737488338280
    r15 0x7fffffffbdb0      140737488338352
    rip 0x4710c0 <js::gc::TenuredCell::arena() const+80>
    => 0x4710c0 <js::gc::TenuredCell::arena() const+80>: cmpq $0x0,0xffff0(%rcx)
       0x4710c8 <js::gc::TenuredCell::arena() const+88>: je 0x4710e0 <js::gc::TenuredCell::arena() const+112>

Most likely not s-s because the OOM is in Debugger.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160406195351" and the hash "4f662b15f40b63818e4c0bf707c434f82321deb4".
The "bad" changeset has the timestamp "20160406195952" and the hash "4b76e05f7ecf45a4a6877517f27c3d4d067802cd".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f662b15f40b63818e4c0bf707c434f82321deb4&tochange=4b76e05f7ecf45a4a6877517f27c3d4d067802cd
Jim, is bug 1261904 a likely regressor?
Blocks: 1261904
Flags: needinfo?(jimb)
Priority: -- → P1
Yes. I can reproduce.
Flags: needinfo?(jimb)
Assignee: nobody → jimb
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dc70d241f90d).
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160406195351" and the hash "4f662b15f40b63818e4c0bf707c434f82321deb4".
The "bad" changeset has the timestamp "20160406195952" and the hash "4b76e05f7ecf45a4a6877517f27c3d4d067802cd".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4f662b15f40b63818e4c0bf707c434f82321deb4&tochange=4b76e05f7ecf45a4a6877517f27c3d4d067802cd
This is an automated crash issue comment:

Summary: Crash [@ js::gc::Chunk::withinValidRange]
Build version: mozilla-central revision 23885c14f025
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize
Runtime options: --fuzzing-safe --ion-offthread-compile=off

Testcase:

    let g = newGlobal();
    var lfLogBuffer = `
      evaluate("");
      var dbg = new Debugger();
      var gw = dbg.addDebuggee(g);
      gw.executeInGlobal("(42).toString(0)").throw.errorMessageName
      const Args = []
    `;
    loadFile(lfLogBuffer);
    loadFile(lfLogBuffer);
    function loadFile(lfVarx) {
      oomTest(function() {
        eval(lfVarx);
      });
    }

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    #0  js::gc::Chunk::withinValidRange (addr=0) at js/src/gc/Heap.h:731
    #1  js::gc::Cell::address (this=0x0) at js/src/gc/Cell.h:234
    #2  js::gc::TenuredCell::arena (this=this@entry=0x0) at js/src/gc/Cell.h:333
    #3  0x0000000000adc38d in js::gc::TenuredCell::zoneFromAnyThread (this=<optimized out>) at js/src/gc/Cell.h:361
    #4  JSString::zoneFromAnyThread (this=0x0) at js/src/vm/StringType.h:572
    #5  JS::Compartment::wrap (this=0x7ffff487f660, cx=0x7ffff5f17000, strp=...) at js/src/vm/Compartment.cpp:151
    #6  0x0000000000af34af in js::DebuggerObject::getErrorMessageName (cx=<optimized out>, object=..., object@entry=..., result=...) at js/src/vm/Debugger.cpp:10162
    #7  0x0000000000af4ae9 in js::DebuggerObject::errorMessageNameGetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:9103
    #8  0x00000000005ba1f7 in CallJSNative (cx=0x7ffff5f17000, native=0xaf4a50 <js::DebuggerObject::errorMessageNameGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:443
    #9  0x00000000005aead7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:531
    #10 0x00000000005af0fd in InternalCall (cx=cx@entry=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:582
    #11 0x00000000005af280 in js::Call (cx=cx@entry=0x7ffff5f17000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:601
    #12 0x00000000005af448 in js::CallGetter (cx=0x7ffff5f17000, thisv=..., thisv@entry=..., getter=..., getter@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:721
    #13 0x0000000000bf1aa8 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.cpp:2140
    #14 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff5f17000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:2197
    #15 0x0000000000bf5bb5 in NativeGetPropertyInline<(js::AllowGC)1> (cx=<optimized out>, cx@entry=0x7ffff5f17000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2406
    #16 0x0000000000bf6360 in js::NativeGetProperty (cx=cx@entry=0x7ffff5f17000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2442
    #17 0x00000000005b7734 in js::GetProperty (cx=0x7ffff5f17000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1688
    #18 0x000000000059bcfe in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=<optimized out>) at js/src/vm/JSObject.h:787
    #19 js::GetProperty (cx=<optimized out>, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4527
    #20 0x00000000005a25a4 in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=0x7ffff5f17000) at js/src/vm/Interpreter.cpp:217
    #21 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:2912
    #22 0x00000000005ae5f6 in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:423
    #23 0x00000000005b195d in js::ExecuteKernel (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:771
    #24 0x00000000005ea3b0 in EvalKernel (cx=0x7ffff5f17000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:319
    #25 0x00000000005eabbe in js::DirectEval (cx=<optimized out>, v=..., vp=...) at js/src/builtin/Eval.cpp:427
    #26 0x000000000069a683 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffbec8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffbe78, res=...) at js/src/jit/BaselineIC.cpp:2641
    #27 0x00003251409f828c in ?? ()
    [...]
    #59 0x0000000000000000 in ?? ()

    rax 0x0             0
    rbx 0x0             0
    rcx 0x0             0
    rdx 0x0             0
    rsi 0x7ffff5f17000  140737319628800
    rdi 0x0             0
    rbp 0x7fffffffa090  140737488330896
    rsp 0x7fffffffa080  140737488330880
    r8  0x7ffff488b1a0  140737295987104
    r9  0x19            25
    r10 0x4             4
    r11 0x0             0
    r12 0x7ffff5f17000  140737319628800
    r13 0x7ffff487f660  140737295939168
    r14 0x7fffffffa228  140737488331304
    r15 0x7fffffffa270  140737488331376
    rip 0x4d6e8c <js::gc::TenuredCell::arena() const+44>
    => 0x4d6e8c <js::gc::TenuredCell::arena() const+44>: cmpq $0x0,0xffff0(%rax)
       0x4d6e94 <js::gc::TenuredCell::arena() const+52>: je 0x4d6eb8 <js::gc::TenuredCell::arena() const+88>
This is a trivial null-crash. I've got a patch but it's not critical to get this into 62.
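The bug pattern behind both backtraces, as an added example that is not SpiderMonkey code and not the patch attached to this bug: under injected allocation failure, the getter obtains a null string pointer and hands it straight to wrap(), which dereferences it to look up the string's zone (the `this=0x0` frames above). The harness below models what the shell's oomTest() does, fail the 1st, 2nd, 3rd ... allocation in turn until a run completes without hitting the failure point, and runs it over a buggy getter and a corrected one. All names (`newString`, `wrap`, `getErrorMessageNameUnchecked`, `getErrorMessageNameFixed`, `oomTest`) are invented for this model; the real wrap() would crash, so the model records the null it was given instead.

```cpp
// Added example, not SpiderMonkey code. Models the OOM null-deref pattern in
// this bug and the allocation-failure injection that found it. Names invented.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// --- Allocation-failure injector (models the shell's oomTest) ---------------
// When g_failAt > 0, the g_failAt-th allocation since the last reset fails.
static int g_allocCount = 0;
static int g_failAt = 0;

static void resetOom(int failAt) { g_allocCount = 0; g_failAt = failAt; }

// Models cx->newString(): returns nullptr at the injected failure point.
static std::unique_ptr<std::string> newString(const char* s) {
    ++g_allocCount;
    if (g_failAt > 0 && g_allocCount == g_failAt) return nullptr;
    return std::make_unique<std::string>(s);
}

// --- Model of JSCompartment::wrap(cx, MutableHandleString) -------------------
// The real wrap() dereferences the string to find its zone (JSString::
// zoneFromAnyThread on this=0x0 in the backtrace). This model records the
// null instead of crashing so the harness can report it.
static bool g_nullDerefObserved = false;

static bool wrap(const std::string* str) {
    if (!str) { g_nullDerefObserved = true; return false; }
    return true;  // same-compartment string: nothing to rewrap
}

// Buggy shape: the possible OOM from newString is not checked before wrap().
static bool getErrorMessageNameUnchecked(std::string* out) {
    auto name = newString("JSMSG_BAD_RADIX");
    if (!wrap(name.get())) return false;  // null deref here in the real code
    *out = *name;
    return true;
}

// Fixed shape: propagate the OOM; never hand a null pointer to wrap().
static bool getErrorMessageNameFixed(std::string* out) {
    auto name = newString("JSMSG_BAD_RADIX");
    if (!name) return false;
    if (!wrap(name.get())) return false;
    *out = *name;
    return true;
}

// Models oomTest(f): run f with allocation #1 failing, then #2, ... until a run
// finishes without reaching the failure point. Returns true if any run passed
// a null pointer to wrap().
static bool oomTest(const std::function<bool(std::string*)>& fn) {
    g_nullDerefObserved = false;
    for (int failAt = 1; failAt < 1000; ++failAt) {
        resetOom(failAt);
        std::string out;
        fn(&out);
        if (g_allocCount < failAt) break;  // failure point never reached: done
    }
    resetOom(0);
    return g_nullDerefObserved;
}

// With no failure injected, both shapes return the message name.
static std::string nameWithoutOom(bool (*getter)(std::string*)) {
    resetOom(0);
    std::string out;
    return getter(&out) ? out : std::string("<failed>");
}

int main() {
    bool buggy = oomTest(getErrorMessageNameUnchecked);
    bool fixed = oomTest(getErrorMessageNameFixed);
    std::printf("unchecked getter passes null to wrap(): %s\n", buggy ? "yes" : "no");
    std::printf("fixed getter passes null to wrap():     %s\n", fixed ? "yes" : "no");
    return (buggy && !fixed) ? 0 : 1;
}
```

The harness is deterministic, which is what makes this class of bug cheap to find: every allocation site gets exactly one run in which it fails, so a missing null check on any path is reached without relying on the system actually running out of memory. The same check that fixes the getter (return early on a null allocation result) is the general rule for any fallible allocation whose result flows into code that assumes a live GC cell.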
Assignee: jimb → jorendorff
Status: NEW → ASSIGNED
Comment on attachment 9005244 [details] [diff] [review]
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call)

Review of attachment 9005244 [details] [diff] [review]:
-----------------------------------------------------------------

I don't know why the javascript engine should have an opinion about what sort of radixes I put in my salad. These are my culture's traditions!
Attachment #9005244 - Flags: review?(jimb) → review+
Keywords: checkin-needed
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/a5b2607fc188 Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call). r=jimb
Keywords: checkin-needed
And also jit failures at tests/jit-test/jit-test/tests/debug/bug1434391.js

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=198148434&repo=mozilla-inbound&lineNumber=4633

    [task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - TEST-PASS | tests/jit-test/jit-test/tests/debug/bug1432764.js | Success (code 3, args "--no-baseline --no-ion") [0.1 s]
    [task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "--no-baseline --no-ion", "pid": 4993, "source": "jittests", "test": "debug/bug1432764.js", "thread": "main", "time": 1536358017.962396}
    [task 2018-09-07T22:06:58.033Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "--no-baseline --no-ion", "pid": 4993}, "jitflags": "--no-baseline --no-ion", "message": "Success", "pid": 4993, "source": "jittests", "status": "PASS", "test": "debug/bug1432764.js", "thread": "main", "time": 1536358018.031581}
    [task 2018-09-07T22:06:58.057Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
    [task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - Stack:
    [task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
    [task 2018-09-07T22:06:58.058Z] 22:06:58 INFO - Exit code: 3
    [task 2018-09-07T22:06:58.059Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
    [task 2018-09-07T22:06:58.060Z] 22:06:58 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/debug/bug1434391.js | /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined (code 3, args "") [0.1 s]
    [task 2018-09-07T22:06:58.062Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "", "pid": 4997, "source": "jittests", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358017.992245}
    [task 2018-09-07T22:06:58.063Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "", "pid": 4997}, "jitflags": "", "message": "/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined", "pid": 4997, "source": "jittests", "status": "FAIL", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.055976}
    [task 2018-09-07T22:06:58.064Z] 22:06:58 INFO - INFO exit-status : 3
    [task 2018-09-07T22:06:58.065Z] 22:06:58 INFO - INFO timed-out : False
    [task 2018-09-07T22:06:58.065Z] 22:06:58 INFO - INFO stderr 2> /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
    [task 2018-09-07T22:06:58.066Z] 22:06:58 INFO - INFO stderr 2> Stack:
    [task 2018-09-07T22:06:58.067Z] 22:06:58 INFO - INFO stderr 2> @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
    [task 2018-09-07T22:06:58.108Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
    [task 2018-09-07T22:06:58.109Z] 22:06:58 INFO - Stack:
    [task 2018-09-07T22:06:58.110Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
    [task 2018-09-07T22:06:58.112Z] 22:06:58 INFO - Exit code: 3
    [task 2018-09-07T22:06:58.113Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
    [task 2018-09-07T22:06:58.113Z] 22:06:58 WARNING - TEST-UNEXPECTED-FAIL | tests/jit-test/jit-test/tests/debug/bug1434391.js | /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined (code 3, args "--ion-eager --ion-offthread-compile=off") [0.1 s]
    [task 2018-09-07T22:06:58.115Z] 22:06:58 INFO - {"action": "test_start", "jitflags": "--ion-eager --ion-offthread-compile=off", "pid": 5001, "source": "jittests", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.035578}
    [task 2018-09-07T22:06:58.116Z] 22:06:58 INFO - {"action": "test_end", "extra": {"jitflags": "--ion-eager --ion-offthread-compile=off", "pid": 5001}, "jitflags": "--ion-eager --ion-offthread-compile=off", "message": "/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined", "pid": 5001, "source": "jittests", "status": "FAIL", "test": "debug/bug1434391.js", "thread": "main", "time": 1536358018.108395}
    [task 2018-09-07T22:06:58.117Z] 22:06:58 INFO - INFO exit-status : 3
    [task 2018-09-07T22:06:58.118Z] 22:06:58 INFO - INFO timed-out : False
    [task 2018-09-07T22:06:58.119Z] 22:06:58 INFO - INFO stderr 2> /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
    [task 2018-09-07T22:06:58.120Z] 22:06:58 INFO - INFO stderr 2> Stack:
    [task 2018-09-07T22:06:58.121Z] 22:06:58 INFO - INFO stderr 2> @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
    [task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - /builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1 ReferenceError: oomTest is not defined
    [task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - Stack:
    [task 2018-09-07T22:06:58.154Z] 22:06:58 INFO - @/builds/worker/workspace/build/tests/jit-test/jit-test/tests/debug/bug1434391.js:4:1
    [task 2018-09-07T22:06:58.155Z] 22:06:58 INFO - Exit code: 3
    [task 2018-09-07T22:06:58.156Z] 22:06:58 INFO - FAIL - debug/bug1434391.js
Attachment #9005244 - Attachment is obsolete: true
Comment on attachment 9007669 [details] [diff] [review]
Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call)

Trivial fix to previous version of patch.
Flags: needinfo?(jorendorff)
Attachment #9007669 - Flags: review+
Keywords: checkin-needed
Pushed by dvarga@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f33e65ea17cf Fix OOM handling bug in Debugger (and eliminate an unnecessary wrap() call). r=jimb r=jorendorff
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Flags: in-testsuite+