Closed
Bug 1330339
Opened 8 years ago
Closed 8 years ago
Assertion failure: !done() && debugEnabled(), at js/src/wasm/WasmFrameIterator.cpp:223
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | fixed |
People
(Reporter: decoder, Assigned: yury)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 2963cf6be7f8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):
// Module under test: one exported function ("func_0") whose whole body is
// `call 0`, i.e. it calls the imported JS function "global" "func" and
// returns its i32 result. wasmTextToBinary (SpiderMonkey shell builtin)
// turns the text format into the binary the Module constructor expects.
let lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module
(import "global" "func" (result i32))
(func (export "func_0") (result i32)
call 0 ;; calls the import, which is func #0
)
)
`));
// The template string below becomes the body of the JS function that backs
// the wasm import (see processModule). It creates a fresh global, makes it a
// debuggee, installs an onExceptionUnwind hook that steps to `frame.older`
// (presumably the wasm frame that called the import — see the backtrace),
// and evaluates a `throw` in the debuggee so the hook fires.
// `mustBeCaught` is accepted but never read.
processModule(lfModule, `
let g = newGlobal();
let dbg = new Debugger(g);
function test(string, mustBeCaught) {
dbg.onExceptionUnwind = function (frame) {
frame = frame.older;
};
g.eval(string);
}
test("throw new Error();", [false]);
`);
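/**
 * Instantiate `module`, backing every one of its imports with a JS function
 * compiled from `jscode`, then call each exported function and print its
 * result.
 *
 * @param {WebAssembly.Module} module  compiled module whose imports and
 *                                     exports are enumerated
 * @param {string} jscode              source of the function body used for
 *                                     each import; compiled with parameters
 *                                     (x, y, z) via `new Function`
 * @returns {undefined}
 */
function processModule(module, jscode) {
  // Declared locally: the earlier version assigned `imports` and `instance`
  // without a declaration, leaking both into the global scope.
  const imports = {};
  for (const descriptor of WebAssembly.Module.imports(module)) {
    // Reuse the per-module object so two imports from the same module name
    // do not overwrite each other.
    if (!imports[descriptor.module]) {
      imports[descriptor.module] = {};
    }
    // Note: non-function imports also receive a JS function here; the
    // Instance constructor rejects those, which is acceptable for this
    // testcase (it only has one function import).
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
  }
  // Instantiate once, after all imports are collected. Previously this ran
  // inside the import loop (once per import) and never ran for a module with
  // no imports, leaving `instance` undefined for the export loop.
  const instance = new WebAssembly.Instance(module, imports);
  for (const descriptor of WebAssembly.Module.exports(module)) {
    if (descriptor.kind === "function") {
      print(instance.exports[descriptor.name]());
    }
  }
}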
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::wasm::FrameIterator::instance (this=this@entry=0x7fffffff9158) at js/src/wasm/WasmFrameIterator.cpp:223
#0 js::wasm::FrameIterator::instance (this=this@entry=0x7fffffff9158) at js/src/wasm/WasmFrameIterator.cpp:223
#1 0x0000000000a6895c in js::FrameIter::wasmInstance (this=0x7fffffff90c8) at js/src/vm/Stack.h:2064
#2 js::Debugger::observesFrame (this=0x7ffff693e800, iter=...) at js/src/vm/Debugger.cpp:6301
#3 0x0000000000a963eb in js::DebuggerFrame::getOlder (cx=0x7ffff695f000, frame=..., frame@entry=..., result=..., result@entry=...) at js/src/vm/Debugger.cpp:7514
#4 0x0000000000a96576 in js::DebuggerFrame::olderGetter (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8189
#5 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa964c0 <js::DebuggerFrame::olderGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#6 0x0000000000542311 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#7 0x0000000000542726 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:502
#8 0x00000000005432a7 in js::Call (rval=..., args=..., thisv=..., fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.cpp:521
#9 js::CallGetter (cx=0x7ffff695f000, thisv=thisv@entry=..., getter=getter@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:635
#10 0x0000000000b39cc4 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.cpp:1809
#11 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff695f000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1857
#12 0x0000000000b3a9ac in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2084
#13 0x0000000000b3afc0 in js::NativeGetProperty (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2118
#14 0x000000000054b2a4 in js::GetProperty (cx=0x7ffff695f000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1510
#15 0x000000000053126d in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:848
#16 js::GetProperty (cx=0x7ffff695f000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4273
#17 0x0000000000534b8f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:192
#18 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2636
#19 0x0000000000542035 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#20 0x000000000054264a in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#21 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#22 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#23 0x0000000000a959d2 in js::Call (rval=..., arg1=..., arg0=..., thisObj=<optimized out>, fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.h:135
#24 js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff693e800, cx=0x7ffff695f000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1780
#25 0x0000000000a96106 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff693e800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1026
#26 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff695f000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1893
#27 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff695f000, frame=...) at js/src/vm/Debugger.cpp:1027
#28 0x0000000000533e77 in js::Debugger::onExceptionUnwind (frame=..., frame@entry=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#29 HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1242
#30 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:4160
#31 0x0000000000542035 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#32 0x0000000000544810 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffb8e8) at js/src/vm/Interpreter.cpp:684
#33 0x000000000057ce22 in EvalKernel (cx=0x7ffff695f000, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., env=..., pc=pc@entry=0x0, vp=...) at js/src/builtin/Eval.cpp:328
#34 0x000000000057d4fa in js::IndirectEval (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:421
#35 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0x57d420 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#36 0x0000000000542311 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#37 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#38 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:521
#39 0x0000000000a21228 in js::Wrapper::call (this=this@entry=0x2059fc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#40 0x0000000000a0ea55 in js::CrossCompartmentWrapper::call (this=0x2059fc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:333
#41 0x0000000000a17803 in js::Proxy::call (cx=0x7ffff695f000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:421
#42 0x0000000000a1b345 in js::proxy_Call (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:662
#43 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa1b2d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#44 0x0000000000542607 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:445
#45 0x00000000005344ee in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#46 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#47 0x0000000000542035 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#48 0x000000000054264a in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#49 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#50 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#51 0x0000000000d51c67 in js::wasm::Instance::callImport (this=0x7ffff03e2700, cx=cx@entry=0x7ffff695f000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc610, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:177
#52 0x0000000000d5258e in js::wasm::Instance::callImport_i32 (instance=<optimized out>, funcImportIndex=0, argc=0, argv=0x7fffffffc610) at js/src/wasm/WasmInstance.cpp:268
#53 0x00007ffff7ff421f in ?? ()
#54 0x00007fffffffc680 in ?? ()
#55 0x0000000000be9e71 in JS::Rooted<js::SavedFrame*>::rootLists (this=0x7fffffffc748, cx=0x7fffffffc700) at dist/include/js/RootingAPI.h:774
#56 JS::Rooted<js::SavedFrame*>::Rooted<JSContext*, JS::PersistentRooted<js::SavedFrame*>&> (initial=..., cx=<synthetic pointer>, this=0x7fffffffc748) at dist/include/js/RootingAPI.h:791
#57 js::Activation::Activation (this=0x7fffffffc700, cx=0x7fffffffc700, kind=(unknown: 4030605136)) at js/src/vm/Stack-inl.h:923
#58 0x0000000000d3caad in WasmCall (cx=0x7fffffffcb50, cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1060
#59 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xd3ca00 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#72 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7947
rax 0x2062520 33957152
rbx 0x7fffffff9158 140737488327000
rcx 0x127e050 19390544
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff9070 140737488326768
rsp 0x7fffffff9060 140737488326752
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff693e800 140737330276352
r13 0x7ffff693e800 140737330276352
r14 0x1 1
r15 0x7ffff695f000 140737330409472
rip 0xd33cff <js::wasm::FrameIterator::instance() const+111>
=> 0xd33cff <js::wasm::FrameIterator::instance() const+111>: movl $0x0,0x0
0xd33d0a <js::wasm::FrameIterator::instance() const+122>: ud2
Comment 1•8 years ago
First wasm fuzz bug calling into JS \o/
Probably a regression from the debugger landing, cc'ing yury.
Component: JavaScript Engine → JavaScript Engine: JIT
Comment 4•8 years ago
Added a check to make sure we can access the wasm instance at wasm::FrameIterator. The wasm instance property is only available for baseline-compiled code atm. In the future we are planning to move TlsData to all frames, so the property above will always be available.
Assignee: nobody → ydelendik
Comment 5•8 years ago
Comment on attachment 8826189 [details]
Bug 1330339 - Ensure wasm debug is enabled when observesFrame is queried.
https://reviewboard.mozilla.org/r/104194/#review105078
Makes sense, thanks!
::: js/src/vm/Stack.h:1814
(Diff revision 1)
> bool hasScript() const { return !isWasm(); }
>
> // -----------------------------------------------------------
> // The following functions can only be called when isWasm()
> // -----------------------------------------------------------
> + inline bool wasmDebugEnabled() const;
uber-nit: can haz \n between comment and declaration?
Attachment #8826189 -
Flags: review?(luke) → review+
Updated•8 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6d67b80ede88
Ensure wasm debug is enabled when observesFrame is queried. r=luke
Keywords: checkin-needed
Comment 8•8 years ago
bugherder |
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Updated•8 years ago
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected