Closed Bug 1331072 Opened 8 years ago Closed 8 years ago

Crash [@ js::wasm::DebugFrame::global] with wasm and Debugger

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1330489
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: decoder, Unassigned)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

The following testcase crashes on mozilla-central revision 97d6f7364394 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --disable-oom-functions --baseline-eager --ion-extra-checks): var lfModule = new WebAssembly.Module(wasmTextToBinary(` (module (func (export "func_0") (result i32) call 0 ;; calls the import, which is func #0 ) ) `)); g = newGlobal(); g.parent = this; g.eval("(" + function() { Debugger(parent).onExceptionUnwind = function(frame) frame.eval("") } + ")()"); var lfModule = new WebAssembly.Module(wasmTextToBinary(` (module (import $imp "a" "b" (result i32)) (memory 1 1) (table 2 2 anyfunc) (elem (i32.const 0) $imp $def) (func $def (result i32) (i32.load (i32.const 0))) (type $v2i (func (result i32))) (func $call (param i32) (result i32) (call_indirect $v2i (get_local 0))) (export "call" $call) ) `)); processCode("jsTestDriverEnd();"); function processCode(lfVarx) { processModule(lfModule, lfVarx); } function processModule(module, jscode) { imports = {} for (let descriptor of WebAssembly.Module.imports(module)) { imports[descriptor.module] = {} switch(descriptor.kind) { case "function": imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode); } instance = new WebAssembly.Instance(module, imports); } for (let descriptor of WebAssembly.Module.exports(module)) { switch(descriptor.kind) { case "function": print(instance.exports[descriptor.name]()) } } } Backtrace: received signal SIGSEGV, Segmentation fault. js::wasm::DebugFrame::global (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:38 #0 js::wasm::DebugFrame::global (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:38 #1 js::wasm::DebugFrame::environmentChain (this=0x7fffffffab50) at js/src/wasm/WasmDebugFrame.cpp:44 #2 0x0000000000a9839e in js::AbstractFramePtr::environmentChain (this=this@entry=0x7fffffff75c0) at js/src/vm/Stack-inl.h:458 #3 0x0000000000a6b998 in js::DebugEnvironments::updateLiveEnvironments (cx=0x7ffff695f000) at js/src/vm/EnvironmentObject.cpp:2773 #4 0x0000000000a75125 in js::GetDebugEnvironmentForFrame (cx=0x7ffff695f000, frame=..., pc=pc@entry=0x7ffff33146b8 "\232") at js/src/vm/EnvironmentObject.cpp:3033 #5 0x0000000000a87ab7 in DebuggerGenericEval (cx=cx@entry=0x7ffff695f000, bindings=bindings@entry=..., options=..., status=@0x7fffffff8554: 32767, value=..., dbg=0x7ffff693e000, envArg=..., iter=0x7fffffff8058, chars=...) at js/src/vm/Debugger.cpp:7760 #6 0x0000000000a88ef5 in js::DebuggerFrame::eval (cx=0x7ffff695f000, frame=..., frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffff8554: 32767, value=value@entry=...) at js/src/vm/Debugger.cpp:7826 #7 0x0000000000a89181 in js::DebuggerFrame::evalMethod (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8473 #8 0x000000000054c6a1 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa88f40 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239 #9 0x0000000000542261 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457 #10 0x0000000000542676 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502 #11 0x00000000005427ba in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:508 #12 0x0000000000ec6f7c in js::jit::DoCallFallback (cx=0x7ffff695f000, frame=0x7fffffff8be8, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff8b98, res=...) at js/src/jit/BaselineIC.cpp:4396 #13 0x00007ffff7e42a2a in ?? () [...] #56 0x00007fffffff8fd0 in ?? () #57 0x0000000000e9a312 in EnterBaseline (cx=0xfffe7ffff36c2cc0, data=...) at js/src/jit/BaselineJIT.cpp:157 Backtrace stopped: previous frame inner to this frame (corrupt stack?) rax 0x547535 5535029 rbx 0x1fff63d482fe8c1 144104456163682497 rcx 0x0 0 rdx 0x4 4 rsi 0x29c 668 rdi 0x7fffffffab50 140737488333648 rbp 0x7fffffff7570 140737488319856 rsp 0x7fffffff7560 140737488319840 r8 0xb 11 r9 0x29c 668 r10 0xe 14 r11 0x7ffff6918870 140737330120816 r12 0x7fffffff75c0 140737488319936 r13 0x7fffffff7620 140737488320032 r14 0x7fffffff75e0 140737488319968 r15 0x7fffffff7600 140737488320000 rip 0xd2f891 <js::wasm::DebugFrame::environmentChain() const+17> => 0xd2f891 <js::wasm::DebugFrame::environmentChain() const+17>: mov 0x8(%rbx),%rdi 0xd2f895 <js::wasm::DebugFrame::environmentChain() const+21>: test %rdi,%rdi This might be a duplicate to one of the previous bugs I filed, but both :yury and me don't know for sure, so filing for now.
Fixed by bug 1330489 -- marking as a dup.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.