Closed Bug 1331072 Opened 7 years ago Closed 7 years ago

Crash [@ js::wasm::DebugFrame::global] with wasm and Debugger

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1330489
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision 97d6f7364394 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --disable-oom-functions --baseline-eager --ion-extra-checks):

var lfModule = new WebAssembly.Module(wasmTextToBinary(`
    (module
        (func (export "func_0") (result i32)
         call 0 ;; calls the import, which is func #0
        )
    )
`));
g = newGlobal();
g.parent = this;
g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function(frame)
    frame.eval("")
} + ")()");
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module
    (import $imp "a" "b" (result i32))
    (memory 1 1)
    (table 2 2 anyfunc)
    (elem (i32.const 0) $imp $def)
    (func $def (result i32) (i32.load (i32.const 0)))
    (type $v2i (func (result i32)))
    (func $call (param i32) (result i32) (call_indirect $v2i (get_local 0)))
    (export "call" $call)
)
`));
processCode("jsTestDriverEnd();");
function processCode(lfVarx) {
        processModule(lfModule, lfVarx);
}
function processModule(module, jscode) {
    imports = {}
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {}
        switch(descriptor.kind) {
            case "function":
                imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
        }
        instance = new WebAssembly.Instance(module, imports);
    }
    for (let descriptor of WebAssembly.Module.exports(module)) {
        switch(descriptor.kind) {
            case "function":
                print(instance.exports[descriptor.name]())
        }
    }
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::wasm::DebugFrame::global (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:38
#0  js::wasm::DebugFrame::global (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:38
#1  js::wasm::DebugFrame::environmentChain (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:44
#2  0x0000000000a9839e in js::AbstractFramePtr::environmentChain (this=this@entry=0x7fffffff75c0) at js/src/vm/Stack-inl.h:458
#3  0x0000000000a6b998 in js::DebugEnvironments::updateLiveEnvironments (cx=0x7ffff695f000) at js/src/vm/EnvironmentObject.cpp:2773
#4  0x0000000000a75125 in js::GetDebugEnvironmentForFrame (cx=0x7ffff695f000, frame=..., pc=pc@entry=0x7ffff33146b8 "\232") at js/src/vm/EnvironmentObject.cpp:3033
#5  0x0000000000a87ab7 in DebuggerGenericEval (cx=cx@entry=0x7ffff695f000, bindings=bindings@entry=..., options=..., status=@0x7fffffff8554: 32767, value=..., dbg=0x7ffff693e000, envArg=..., iter=0x7fffffff8058, chars=...) at js/src/vm/Debugger.cpp:7760
#6  0x0000000000a88ef5 in js::DebuggerFrame::eval (cx=0x7ffff695f000, frame=..., frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffff8554: 32767, value=value@entry=...) at js/src/vm/Debugger.cpp:7826
#7  0x0000000000a89181 in js::DebuggerFrame::evalMethod (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8473
#8  0x000000000054c6a1 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa88f40 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#9  0x0000000000542261 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#10 0x0000000000542676 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#11 0x00000000005427ba in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:508
#12 0x0000000000ec6f7c in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffff8be8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff8b98, res=...) at js/src/jit/BaselineIC.cpp:4396
#13 0x00007ffff7e42a2a in ?? ()
[...]
#56 0x00007fffffff8fd0 in ?? ()
#57 0x0000000000e9a312 in EnterBaseline (cx=0xfffe7ffff36c2cc0, data=...) at js/src/jit/BaselineJIT.cpp:157
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax	0x547535	5535029
rbx	0x1fff63d482fe8c1	144104456163682497
rcx	0x0	0
rdx	0x4	4
rsi	0x29c	668
rdi	0x7fffffffab50	140737488333648
rbp	0x7fffffff7570	140737488319856
rsp	0x7fffffff7560	140737488319840
r8	0xb	11
r9	0x29c	668
r10	0xe	14
r11	0x7ffff6918870	140737330120816
r12	0x7fffffff75c0	140737488319936
r13	0x7fffffff7620	140737488320032
r14	0x7fffffff75e0	140737488319968
r15	0x7fffffff7600	140737488320000
rip	0xd2f891 <js::wasm::DebugFrame::environmentChain() const+17>
=> 0xd2f891 <js::wasm::DebugFrame::environmentChain() const+17>:	mov    0x8(%rbx),%rdi
   0xd2f895 <js::wasm::DebugFrame::environmentChain() const+21>:	test   %rdi,%rdi


This might be a duplicate to one of the previous bugs I filed, but both :yury and me don't know for sure, so filing for now.
Fixed by bug 1330489 -- marking as a dup.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.