Closed
Bug 1330491
Opened 8 years ago
Closed 8 years ago
Assertion failure: maybeBytecode, at js/src/wasm/WasmCode.cpp:581 with Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | fixed |
People
(Reporter: decoder, Unassigned)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision 2963cf6be7f8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):
// Module 1: imports one function (func index 0) and exports func_0, which
// only calls that import.  The wasm text is handed to the SpiderMonkey shell
// helper wasmTextToBinary(); the template string itself is left untouched.
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module
(import "global" "func" (result i32))
(func (export "func_0") (result i32)
call 0 ;; calls the import, which is func #0
)
)
`));
// Instantiate module 1 and call func_0.  The import body creates a second
// global and attaches a Debugger whose debuggee is this global
// (debuggeeGlobal = this); the fix title below says bytecode must always be
// kept for a debuggable instance, so this is the step that makes the later
// instances debuggable.
processModule(lfModule, `
var g = newGlobal();
g.debuggeeGlobal = this;
g.eval("(" + function () {
dbg = new Debugger(debuggeeGlobal);
} + ")();");
`);
// Module 2: an (i32) -> i32 import $imp wrapped by the exported function $g.
lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module (import $imp "a" "b" (param i32) (result i32)) (func $g (result i32) (call $imp (i32.const 13))) (export "g" $g))
`));
// Instantiate module 2 twice; each import call forces a large GC slice while
// the export is running.  The backtrace below shows the maybeBytecode
// assertion firing in js::wasm::Code::Code, reached from
// js::wasm::Module::instantiate, so presumably one of these two
// instantiations is the one that trips it.
processModule(lfModule, "gcslice(1000000);");
processModule(lfModule, "gcslice(1000000);");
/**
 * Fuzzing harness helper: instantiate `module` and call every exported function.
 *
 * For each import descriptor the import object gets a fresh bucket for that
 * module name holding ONE function built from `jscode` (so a later descriptor
 * with the same module name replaces the earlier bucket), and the module is
 * instantiated again right away.  Afterwards every export of kind "function"
 * is called and its result passed to the shell's print().
 *
 * NOTE: `imports` and `instance` are assigned without a declaration and are
 * therefore globals, exactly as in the reporter's harness.  A module with no
 * imports never assigns `instance` here, so the export loop would then read
 * whatever the global held before the call.
 *
 * @param {WebAssembly.Module} module  compiled module to instantiate
 * @param {string} jscode              body of the JS function used for every import
 */
function processModule(module, jscode) {
  imports = {}
  for (const imp of WebAssembly.Module.imports(module)) {
    const bucket = {}
    bucket[imp.name] = new Function("x", "y", "z", jscode)
    imports[imp.module] = bucket
    // Re-instantiate after every descriptor, as the original harness does.
    instance = new WebAssembly.Instance(module, imports)
  }
  for (const exp of WebAssembly.Module.exports(module)) {
    if (exp.kind !== "function") continue
    print(instance.exports[exp.name]())
  }
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::wasm::Code::Code (this=<optimized out>, segment=..., metadata=..., maybeBytecode=<optimized out>) at js/src/wasm/WasmCode.cpp:581
#0 js::wasm::Code::Code (this=<optimized out>, segment=..., metadata=..., maybeBytecode=<optimized out>) at js/src/wasm/WasmCode.cpp:581
#1 0x0000000000ddc9b7 in js::MallocProvider<js::ExclusiveContext>::new_<js::wasm::Code, mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >, js::wasm::Metadata const&, js::wasm::ShareableBytes const*&>(mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >&&, js::wasm::Metadata const&, js::wasm::ShareableBytes const*&) (this=0x7ffff695f000) at js/src/vm/MallocProvider.h:190
#2 js::MallocProvider<js::ExclusiveContext>::make_unique<js::wasm::Code, mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >, js::wasm::Metadata const&, js::wasm::ShareableBytes const*&>(mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >&&, js::wasm::Metadata const&, js::wasm::ShareableBytes const*&) (this=0x7ffff695f000) at js/src/vm/MallocProvider.h:191
#3 js::wasm::Module::instantiate (this=this@entry=0x7ffff69b3000, cx=0x7ffff695f000, funcImports=..., funcImports@entry=..., tableImport=..., tableImport@entry=..., memoryImport=..., memoryImport@entry=..., globalImports=..., instanceProto=..., instance=...) at js/src/wasm/WasmModule.cpp:907
#4 0x0000000000d621bd in Instantiate (cx=0x7ffff695f000, module=..., importObj=..., importObj@entry=..., instanceObj=..., instanceObj@entry=...) at js/src/wasm/WasmJS.cpp:1001
#5 0x0000000000d62ad6 in js::WasmInstanceObject::construct (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1026
#6 0x000000000054c751 in js::CallJSNative (cx=0x7ffff695f000, native=native@entry=0xd628f0 <js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#7 0x000000000054dc7c in js::CallJSNativeConstructor (cx=cx@entry=0x7ffff695f000, native=0xd628f0 <js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:272
#8 0x00000000005436b3 in InternalConstruct (cx=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:548
#9 0x000000000054385d in js::ConstructFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:586
#10 0x0000000000ec8653 in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffffc758, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc6c8, res=...) at js/src/jit/BaselineIC.cpp:4375
#11 0x00007ffff7e42a2a in ?? ()
[...]
#62 0x00007fffffffcb40 in ?? ()
#63 0x0000000000e9b462 in EnterBaseline (cx=0x7fffffffc720, data=...) at js/src/jit/BaselineJIT.cpp:157
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
rax 0x2062520 33957152
rbx 0x7ffff695f000 140737330409472
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x127bd48 19381576
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffbce0 140737488338144
rsp 0x7fffffffbce0 140737488338144
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x0 0
r11 0x0 0
r12 0x7ffff69b3000 140737330753536
r13 0x1 1
r14 0x7fffffffc098 140737488339096
r15 0x7fffffffbde0 140737488338400
rip 0xcfe0e9 <js::wasm::Code::Code(mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >, js::wasm::Metadata const&, js::wasm::ShareableBytes const*)+473>
=> 0xcfe0e9 <js::wasm::Code::Code(mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >, js::wasm::Metadata const&, js::wasm::ShareableBytes const*)+473>: movl $0x0,0x0
0xcfe0f4 <js::wasm::Code::Code(mozilla::UniquePtr<js::wasm::CodeSegment, JS::DeletePolicy<js::wasm::CodeSegment> >, js::wasm::Metadata const&, js::wasm::ShareableBytes const*)+484>: ud2
Comment 1•8 years ago
Reduced test case:
// Reduced test case: attach a Debugger to this global from a second global,
// then instantiate the same trivial Module twice with a GC slice in between.
(function createTempDebugger() {
// A fresh shell global that will host the Debugger.
var g = newGlobal();
// The debuggee is the global running this script.
g.debuggeeGlobal = this;
g.eval("(" + function () {
dbg = new Debugger(debuggeeGlobal);
} + ")();");
})();
// One empty function, no imports, no exports.
let module = new WebAssembly.Module(wasmTextToBinary('(module (func))'));
// First instantiation.
new WebAssembly.Instance(module);
// Force a large GC slice between the two instantiations.
gcslice(1000000);
// Second instantiation of the same Module; presumably this is where the
// maybeBytecode assertion from comment 0 fires.
new WebAssembly.Instance(module);
Comment 3•8 years ago
Comment on attachment 8826209 [details]
Bug 1330491 - Always provide wasm bytecode for debuggable instance.
https://reviewboard.mozilla.org/r/104202/#review105072
Hah, wow. Great fuzzing!
Attachment #8826209 -
Flags: review?(luke) → review+
Updated•8 years ago
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
Updated•8 years ago
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6e2a6c6c3881
Always provide wasm bytecode for debuggable instance. r=luke
Keywords: checkin-needed
Comment 6•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53