Bug 1331592
Opened 4 years ago
Closed 4 years ago
Assertion failure: data_.state_ == INTERP, at js/src/vm/Stack.cpp:495 with Debugger and wasm
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | fixed |
(Reporter: decoder, Assigned: yury)
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision 8eaf154b385b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2):

```js
var lfLogBuffer = `
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    frame = frame.older;
    var completion = frame.eval(code);
  };
})(this);
evalInFrame(8>>2, "x")
`;
var lfCodeBuffer = lfLogBuffer;
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
processModule(lfModule, lfCodeBuffer);
function processModule(module, jscode) {
  imports = {}
  for (let descriptor of WebAssembly.Module.imports(module)) {
    imports[descriptor.module] = {}
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
    try {
      instance = new WebAssembly.Instance(module, imports);
    } catch(exc) { }
  }
  for (let descriptor of WebAssembly.Module.exports(module)) {
    switch(descriptor.kind) {
      case "function":
        print(instance.exports[descriptor.name]())
    }
  }
}
```

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::FrameIter::popInterpreterFrame (this=<optimized out>) at js/src/vm/Stack.cpp:495
#0 js::FrameIter::popInterpreterFrame (this=<optimized out>) at js/src/vm/Stack.cpp:495
#1 0x0000000000bce05e in js::FrameIter::operator++ (this=0x7fffffff9a10) at js/src/vm/Stack.cpp:706
#2 0x0000000000bce195 in js::FrameIter::operator++ (this=this@entry=0x7fffffff9a10) at js/src/vm/Stack.cpp:698
#3 0x0000000000ba06e8 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff692c0c0, cx=cx@entry=0x7ffff695f000, iter=..., frame=..., frame@entry=..., capture=capture@entry=<unknown type>) at js/src/vm/SavedStacks.cpp:1350
#4 0x0000000000ba0fe0 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff692c0c0, cx=cx@entry=0x7ffff695f000, frame=frame@entry=..., capture=capture@entry=<unknown type>) at js/src/vm/SavedStacks.cpp:1152
#5 0x000000000089e118 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0x7ffff695f000, stackp=..., capture=capture@entry=<unknown type>) at js/src/jsapi.cpp:6815
#6 0x000000000090ab3b in CaptureStack (cx=<optimized out>, stack=..., stack@entry=...) at js/src/jsexn.cpp:305
#7 0x0000000000918fb5 in js::ErrorToException (cx=0x7ffff695f000, reportp=0x7fffffffa0e0, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:618
#8 0x000000000091b51c in js::ReportErrorNumberVA (cx=cx@entry=0x7ffff695f000, flags=flags@entry=0, callback=callback@entry=0x90a720 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1, argumentsType=argumentsType@entry=js::ArgumentsAreLatin1, ap=0x7fffffffa1c0) at js/src/jscntxt.cpp:700
#9 0x000000000089966b in JS_ReportErrorNumberLatin1VA (cx=0x7ffff695f000, errorCallback=0x90a720 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=1, ap=ap@entry=0x7fffffffa1c0) at js/src/jsapi.cpp:5683
#10 0x0000000000899718 in JS_ReportErrorNumberLatin1 (cx=cx@entry=0x7ffff695f000, errorCallback=errorCallback@entry=0x90a720 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1) at js/src/jsapi.cpp:5672
#11 0x0000000000910235 in js::ReportIsNotDefined (cx=cx@entry=0x7ffff695f000, id=id@entry=...) at js/src/jscntxt.cpp:761
#12 0x0000000000915ad5 in js::ReportIsNotDefined (cx=0x7ffff695f000, name=..., name@entry=...) at js/src/jscntxt.cpp:770
#13 0x000000000054d1e8 in js::FetchName<false> (cx=0x7ffff695f000, obj=..., obj2=..., name=..., shape=..., vp=...) at js/src/vm/Interpreter-inl.h:185
#14 0x0000000000535675 in GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=0x7ffff695f000) at js/src/vm/Interpreter.cpp:233
#15 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:3094
#16 0x0000000000542285 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#17 0x0000000000544a90 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=result@entry=0x7fffffffaca0) at js/src/vm/Interpreter.cpp:684
#18 0x0000000000a88f11 in EvaluateInEnv (rval=..., lineno=<optimized out>, filename=0x1199f98 "debugger eval code", pc=<optimized out>, frame=..., env=..., cx=0x7ffff695f000, chars=...) at js/src/vm/Debugger.cpp:7720
#19 DebuggerGenericEval (cx=cx@entry=0x7ffff695f000, bindings=..., bindings@entry=..., options=..., status=@0x7fffffffb534: 32767, value=..., dbg=0x7ffff693e800, envArg=..., iter=0x7fffffffb038, chars=...) at js/src/vm/Debugger.cpp:7806
#20 0x0000000000a89b85 in js::DebuggerFrame::eval (cx=0x7ffff695f000, frame=..., frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., status=@0x7fffffffb534: 32767, value=value@entry=...) at js/src/vm/Debugger.cpp:7830
#21 0x0000000000a89e11 in js::DebuggerFrame::evalMethod (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8477
#22 0x000000000054c641 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa89bd0 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#23 0x0000000000542561 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#24 0x0000000000542976 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#25 0x0000000000542aee in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:521
#26 0x0000000000a21198 in js::Wrapper::call (this=this@entry=0x205bfc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#27 0x0000000000a0e9c5 in js::CrossCompartmentWrapper::call (this=0x205bfc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:333
#28 0x0000000000a17773 in js::Proxy::call (cx=0x7ffff695f000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:421
#29 0x0000000000a1b2b5 in js::proxy_Call (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:662
#30 0x000000000054c641 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa1b240 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#31 0x0000000000542857 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:445
#32 0x00000000005344fe in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#33 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2952
#34 0x0000000000542285 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#35 0x000000000054289a in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#36 0x0000000000542976 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#37 0x0000000000542aee in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#38 0x0000000000d52a77 in js::wasm::Instance::callImport (this=0x7ffff33da700, cx=cx@entry=0x7ffff695f000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc5e0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:177
#39 0x0000000000d5339e in js::wasm::Instance::callImport_i32 (instance=<optimized out>, funcImportIndex=0, argc=0, argv=0x7fffffffc5e0) at js/src/wasm/WasmInstance.cpp:268
#40 0x00007ffff7ff421f in ?? ()
#41 0x00007fffffffc650 in ?? ()
#42 0x0000000000beada1 in JS::Rooted<js::SavedFrame*>::rootLists (this=0x7fffffffc718, cx=0x7fffffffc6d0) at dist/include/js/RootingAPI.h:774
#43 JS::Rooted<js::SavedFrame*>::Rooted<JSContext*, JS::PersistentRooted<js::SavedFrame*>&> (initial=..., cx=<synthetic pointer>, this=0x7fffffffc718) at dist/include/js/RootingAPI.h:791
#44 js::Activation::Activation (this=0x7fffffffc6d0, cx=0x7fffffffc6d0, kind=(unknown: 4080904016)) at js/src/vm/Stack-inl.h:923
#45 0x0000000000d3d8bd in WasmCall (cx=0x7fffffffcb20, cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1060
#46 0x000000000054c641 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xd3d810 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#59 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7963

rax 0x2064520 33965344
rbx 0x7fffffff9a10 140737488329232
rcx 0x123d690 19125904
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff93a0 140737488327584
rsp 0x7fffffff9390 140737488327568
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff322b0c1 140737272524993
r13 0x0 0
r14 0x7fffffff9a10 140737488329232
r15 0x7ffff695f000 140737330409472
rip 0xbc5481 <js::FrameIter::popInterpreterFrame()+97>
=> 0xbc5481 <js::FrameIter::popInterpreterFrame()+97>: movl $0x0,0x0
0xbc548c <js::FrameIter::popInterpreterFrame()+108>: ud2
Comment 1•4 years ago
// Smaller test case (comment 1) for bug 1331592.
//
// Shape of the repro: a wasm module whose only function calls an imported JS
// function; the import asks a Debugger (living in a separate global) for the
// frame older than the newest one and evaluates code in it. The evaluated
// name is unbound, so the eval raises a ReferenceError, and building that
// error's stack (JS::CaptureCurrentStack -> SavedStacks::insertFrames ->
// FrameIter::operator++) reaches FrameIter::popInterpreterFrame while a wasm
// import call (Instance::callImport / callImport_i32) is still on the stack --
// that is where the reported backtrace shows the assertion
// `data_.state_ == INTERP` firing. The fix landed as "Skipping wasm frames
// during debugger eval".
//
// Notes for anyone re-running this:
//  * wasmTextToBinary() and newGlobal() are JS-shell builtins, not web APIs.
//  * The reported SIGSEGV is the debug-build assertion itself: rip sits on
//    `movl $0x0,0x0` followed by `ud2`, i.e. the deliberate null store of the
//    MOZ_ASSERT crash path, not a wild read/write. The page does not establish
//    what a release build without the assertion does with the mis-stated
//    iterator; treat the release impact as unknown rather than assume it.
//  * Which frame `.older` lands on (the wasm frame or the script that called
//    func_0) is not spelled out in the report -- TODO confirm against the
//    FrameIter behaviour of that revision.
//  * Frames #40-#44 of the reported backtrace (`?? ()`, Activation::Activation
//    with cx == this) look like unwinder noise through the wasm JIT code;
//    presumably not real frames -- unverified.
var module = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
var dbg;
// Create the Debugger in a fresh global and make this global its debuggee.
(function (global) {
  var dbgGlobal = newGlobal();
  dbg = new dbgGlobal.Debugger();
  dbg.addDebuggee(global);
})(this);
// The import is called from wasm (func_0 -> call 0) and evals an unbound name
// in the frame older than its own, which is what triggers the stack capture.
var instance = new WebAssembly.Instance(module, { global: { func: () => {
  var frame = dbg.getNewestFrame().older;
  frame.eval("some_error");
}}});
instance.exports.func_0();
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
Comment 3•4 years ago
Comment on attachment 8828058 [details] Bug 1331592 - Skipping wasm frames during debugger eval. https://reviewboard.mozilla.org/r/105570/#review106388 Oops, nice job adding a test.
Attachment #8828058 -
Flags: review?(luke) → review+
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/29e806c862fa Skipping wasm frames during debugger eval. r=luke
Keywords: checkin-needed
Comment 5•4 years ago
https://hg.mozilla.org/mozilla-central/rev/29e806c862fa
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53