Closed Bug 1330493 Opened 3 years ago Closed 3 years ago

Crash [@ js::wasm::Instance::object] with Debugger

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1330489
Tracking Status
firefox53 --- fixed

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision 2963cf6be7f8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// Lines of JS source that processModule later compiles into the body of every
// wasm import. Note that `test` is not defined anywhere in this testcase; the
// WasmHandleDebugThrow frame in the backtrace suggests the resulting exception,
// unwinding through a wasm frame while a Debugger is attached, is what reaches
// the garbage Instance pointer — TODO confirm against the fix in the dup bug.
var lfLogBuffer = `
var g = newGlobal();
var dbg = new g.Debugger(this);
test();
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
// First module: one exported function and no imports. This is the module
// processCode sees on its first invocation in the loop below.
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
    (module
        (func (export "func_0") (result i32)
         call 0
        )
    )
`));
// There is no break: once lfLogBuffer is drained, shift() keeps returning
// undefined (== null), so processCode runs on every further iteration and the
// loop only ends when the process crashes or is killed.
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
        processCode(lfCodeBuffer);
        // Second module: its only import "a"."b" occupies table slot 0, so
        // `call` invoked with no argument (an omitted i32 coerces to 0)
        // dispatches via call_indirect straight into the JS import that was
        // compiled from lfCodeBuffer.
        lfModule = new WebAssembly.Module(wasmTextToBinary(`
	  (module
	    (import $imp "a" "b" (result i32))
	    (memory 1 1)
	    (table 2 2 anyfunc)
	    (elem (i32.const 0) $imp $def)
	    (func $def (result i32) (i32.load (i32.const 0)))
	    (type $v2i (func (result i32)))
	    (func $call (param i32) (result i32) (call_indirect $v2i (get_local 0)))
	    (export "call" $call)
	  )
	`));
    } else {
        lfCodeBuffer += line + "\n";
    }
}
// Run processModule on the current (global) lfModule with the accumulated
// source text and swallow anything it throws: the caller loops forever, so no
// exception — presumably including the ReferenceError from the undefined
// `test` in that source — is allowed to escape here.
function processCode(lfVarx) {
    try {
        processModule(lfModule, lfVarx);
    } catch (lfVare) {}
}
// Instantiate `module` with every import bound to a fresh Function whose body
// is `jscode`, then call each exported function and print its result.
// `imports` and `instance` are assigned without var/let, so they are implicit
// globals. `instance` is only (re)assigned inside the import loop, so for a
// module with zero imports it is never set by this call and the
// `instance.exports` access below throws (which processCode catches).
function processModule(module, jscode) {
    imports = {}
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {}
        // Each import becomes a JS function whose body is the testcase text;
        // here that text itself creates a Debugger, so the wasm -> JS call
        // runs with a Debugger observing the frames it unwinds through.
        imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
            instance = new WebAssembly.Instance(module, imports);
    }
    for (let descriptor of WebAssembly.Module.exports(module)) {
        switch (descriptor.kind) {
            // Only function exports are exercised; other export kinds are skipped.
            case "function":
                print(instance.exports[descriptor.name]())
        }
    }
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
js::wasm::Instance::object (this=0x1fff63d482fe8c1) at js/src/wasm/WasmInstance.cpp:530
#0  js::wasm::Instance::object (this=0x1fff63d482fe8c1) at js/src/wasm/WasmInstance.cpp:530
#1  0x0000000000a5632d in js::AbstractFramePtr::global (this=0x7fffffffc400) at js/src/vm/Stack-inl.h:731
#2  js::Debugger::forEachDebuggerFrame<js::Debugger::inFrameMaps(js::AbstractFramePtr)::<lambda(js::NativeObject*)> >(js::AbstractFramePtr, js::Debugger::<lambda(js::NativeObject*)>) (frame=..., fn=..., fn@entry=...) at js/src/vm/Debugger.cpp:2632
#3  0x0000000000a56404 in js::Debugger::inFrameMaps (frame=...) at js/src/vm/Debugger.cpp:6412
#4  0x000000000054a405 in js::Debugger::onLeaveFrame (cx=0x7ffff695f000, frame=..., pc=0x0, ok=false) at js/src/vm/Debugger-inl.h:25
#5  0x0000000000de85ff in WasmHandleDebugThrow () at js/src/wasm/WasmTypes.cpp:160
#6  0x00007ffff7ff2c30 in ?? ()
#7  0x00007fffffffc5c0 in ?? ()
#8  0xfd516687d7487100 in ?? ()
#9  0x0000000000000000 in ?? ()
rax	0x1fff63d482fe8c1	144104456163682497
rbx	0x7fffffffc490	140737488340112
rcx	0x0	0
rdx	0x4	4
rsi	0x0	0
rdi	0x1fff63d482fe8c1	144104456163682497
rbp	0x7fffffffc460	140737488340064
rsp	0x7fffffffc3e8	140737488339944
r8	0xb	11
r9	0x29c	668
r10	0xe	14
r11	0x7ffff6918be0	140737330121696
r12	0x7fffffffc400	140737488339968
r13	0x0	0
r14	0x7ffff695f000	140737330409472
r15	0x0	0
rip	0xd32310 <js::wasm::Instance::object() const>
=> 0xd32310 <js::wasm::Instance::object() const>:	mov    0x8(%rdi),%rax
   0xd32314 <js::wasm::Instance::object() const+4>:	test   %rax,%rax
Blocks: 1286948
The same problem as in bug 1330489 comment 1. Closing as a duplicate for now, since the crash goes away with the proposed patch.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1330489