1332303 - Crash [@ js::DebuggerFrame::setOnStepHandler] with wasm and Debugger

Status: RESOLVED DUPLICATE of bug 1330370

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 96cb95af5304 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var g = newGlobal(null);
g.parent = this;
g.eval("(" + function() {
    var dbg = new Debugger(parent);
    dbg.onExceptionUnwind = function(frame) {
        frame.older.onStep = function() {}
    };
} + ")()");
lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module 
  (import $imp "a" "b" (param i32) (result i32))
  (func $g (result i32) (call $imp (i32.const 13)))
  (export "g" $g))
`));
processModule(lfModule, "jsTestDriverEnd()");
function processModule(module, jscode) {
    imports = {}
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {}
        imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
        instance = new WebAssembly.Instance(module, imports);
    }
    for (let descriptor of WebAssembly.Module.exports(module))
        print(instance.exports[descriptor.name]())
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000a03635 in js::DebuggerFrame::setOnStepHandler (cx=cx@entry=0x7ffff695f000, frame=frame@entry=..., handler=handler@entry=0x7ffff6920260) at js/src/vm/Debugger.cpp:7604
#0  0x0000000000a03635 in js::DebuggerFrame::setOnStepHandler (cx=cx@entry=0x7ffff695f000, frame=frame@entry=..., handler=handler@entry=0x7ffff6920260) at js/src/vm/Debugger.cpp:7604
#1  0x0000000000a03780 in js::DebuggerFrame::onStepSetter (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8414
#2  0x0000000000534abd in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa03650 <js::DebuggerFrame::onStepSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#3  0x000000000052fbb5 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:460
#4  0x000000000052ffa6 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#5  0x0000000000530958 in js::Call (rval=..., args=..., thisv=..., fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.cpp:524
#6  js::CallSetter (cx=cx@entry=0x7ffff695f000, thisv=..., thisv@entry=..., setter=setter@entry=..., v=v@entry=...) at js/src/vm/Interpreter.cpp:651
#7  0x0000000000ac6e85 in SetExistingProperty (result=..., shape=..., pobj=..., receiver=..., v=..., id=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.cpp:2437
#8  js::NativeSetProperty (cx=0x7ffff695f000, obj=..., id=..., value=..., receiver=..., qualified=qualified@entry=js::Qualified, result=...) at js/src/vm/NativeObject.cpp:2472
#9  0x00000000005334f0 in js::SetProperty (cx=<optimized out>, obj=..., id=..., v=..., receiver=..., result=...) at js/src/vm/NativeObject.h:1527
#10 0x000000000052322d in SetPropertyOperation (rval=..., id=..., lval=..., op=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:259
#11 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2748
#12 0x000000000052f8d5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:406
#13 0x000000000052fcd9 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#14 0x000000000052ffa6 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#15 0x00000000005300fe in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:524
#16 0x0000000000a29687 in js::Call (rval=..., arg1=..., arg0=..., thisObj=<optimized out>, fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.h:135
#17 js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff693c800, cx=cx@entry=0x7ffff695f000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1780
#18 0x0000000000a29c33 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff693c800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1026
#19 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff695f000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1893
#20 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff695f000, frame=...) at js/src/vm/Debugger.cpp:1027
#21 0x0000000000529bb8 in js::Debugger::onExceptionUnwind (frame=..., frame@entry=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#22 HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1272
#23 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:4196
#24 0x000000000052f8d5 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:406
#25 0x000000000052fcd9 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#26 0x000000000052ffa6 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:505
#27 0x00000000005300fe in js::Call (cx=cx@entry=0x7ffff695f000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:524
#28 0x0000000000caaf8f in js::wasm::Instance::callImport (this=0x7ffff03dcb80, cx=cx@entry=0x7ffff695f000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=1, argv=argv@entry=0x7fffffffc650, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:177
#29 0x0000000000cab7a0 in js::wasm::Instance::callImport_i32 (instance=<optimized out>, funcImportIndex=0, argc=1, argv=0x7fffffffc650) at js/src/wasm/WasmInstance.cpp:268
[...]
#33 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff6920260	140737330152032
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffa9d0	140737488333264
rsp	0x7fffffffa970	140737488333168
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x7fffffffaa10	140737488333328
r13	0x7ffff695f000	140737330409472
r14	0x7ffff6920260	140737330152032
r15	0x0	0
rip	0xa03635 <js::DebuggerFrame::setOnStepHandler(JSContext*, JS::Handle<js::DebuggerFrame*>, js::OnStepHandler*)+693>
=> 0xa03635 <js::DebuggerFrame::setOnStepHandler(JSContext*, JS::Handle<js::DebuggerFrame*>, js::OnStepHandler*)+693>:	movl   $0x0,0x0
   0xa03640 <js::DebuggerFrame::setOnStepHandler(JSContext*, JS::Handle<js::DebuggerFrame*>, js::OnStepHandler*)+704>:	ud2

Comment 1

[Yury Delendik (:yury)]

This crash is intentional (not implemented onStep handler set for wasm frame). The bug 1330370 will implement this part.

Comment 2

[Yury Delendik (:yury)]

After bug 1330370 fix, the test case asserts/crashes from the ExecutionObservableScript::shouldMarkAsDebuggee -- iter needs isWasm() check before accessing abstractFramePtr().script().

Comment 3

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0e0b0668aa16
user:        Yury Delendik
date:        Sat Jan 07 10:40:38 2017 -0600
summary:     Bug 1286948 - onEnterFrame/onLeaveFrame wasm events and callstack. r=shu

This iteration took 0.628 seconds to run.

Comment 4

[Randell Jesup [:jesup] (needinfo me)]

yury - can you handle this bug as part of landing bug 1330370?

Comment 5

[Yury Delendik (:yury)]

correct, it's addressed by bug 1330370.