Closed
Bug 1350143
Opened 7 years ago
Closed 7 years ago
[wasm] Crash [@ js::wasm::CodeRange::funcIndex]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | disabled |
firefox54 | --- | fixed |
firefox55 | --- | fixed |
People
(Reporter: gkw, Assigned: bbouvier)
References
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files, 1 obsolete file)
8.74 KB,
text/plain
|
Details | |
2.51 KB,
patch
|
bbouvier
:
review+
gchang
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 200182ef1156 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): newGlobal().Debugger().addDebuggee(this); t = new WebAssembly.Table({ initial: 1, element: "anyfunc" }); new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(` (module (func $iloop loop $top br $top end) (import "imports" "t" (table1 anyfunc)) (elem (i32.const0) $iloop)) `)), { imports: { t } }); outer = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(` (module (import "imports" "t" (table1 anyfunc)) (type $v2v (func)) (func (export "run") i32.const0 call_indirect $v2v) )`)), { imports: { t } }); timeout(0.01); outer.exports.run(); Backtrace: #0 js::wasm::CodeRange::funcIndex (this=0x0) at js/src/wasm/WasmCode.h:315 #1 js::wasm::FrameIterator::debugEnabled (this=this@entry=0x7ffc03bf0460) at js/src/wasm/WasmFrameIterator.cpp:231 #2 0x0000000000bd316f in js::FrameIter::hasUsableAbstractFramePtr (this=this@entry=0x7ffc03bf03d0) at js/src/vm/Stack.cpp:964 #3 0x0000000000b99858 in js::LiveSavedFrameCache::getFramePtr (iter=...) at js/src/vm/SavedStacks.cpp:60 #4 0x0000000000ba3985 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7fc11f3498b8, cx=cx@entry=0x7fc11f371000, iter=..., frame=..., frame@entry=..., capture=capture@entry=<unknown type in /home/gkwubu/shell-cache/js-dbg-64-dm-linux-200182ef1156/js-dbg-64-dm-linux-200182ef1156, CU 0x4ca52c7, DIE 0x4e8fda9>) at js/src/vm/SavedStacks.cpp:1358 /snip For detailed crash information, see attachment.
Reporter | ||
Comment 1•7 years ago
|
||
Reporter | ||
Comment 2•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/766ead465209 user: Yury Delendik date: Sat Jan 07 10:36:11 2017 -0600 summary: Bug 1286948 - Extends AbstractFramePtr to reference wasm::DebugFrame. r=luke,shu Yury/Benjamin, is bug 1286948 a likely regressor?
Flags: needinfo?(ydelendik)
Flags: needinfo?(bbouvier)
Summary: Crash [@ js::wasm::CodeRange::funcIndex] → [wasm] Crash [@ js::wasm::CodeRange::funcIndex]
Assignee | ||
Comment 3•7 years ago
|
||
Probably yes. I think there shouldn't be a DebugFrame when we're displaying the missing frames message, which is what's happening here.
Flags: needinfo?(ydelendik)
Flags: needinfo?(bbouvier)
Comment hidden (mozreview-request) |
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8850913 [details] Bug 1350143: Don't allow debug mode when there's no more frames in wasm non-profiling iteration; https://reviewboard.mozilla.org/r/123428/#review125880 Looks good. I wonder if we shall add `MOZ_ASSERT_IF(missingFrameMessage, !codeRange);` above to be clear about invariant. Thanks.
Attachment #8850913 -
Flags: review?(ydelendik) → review+
Comment 6•7 years ago
|
||
Hah, that test case looks familiar (https://hg.mozilla.org/mozilla-central/rev/60f7f03a4a6c#l4.3)
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Yury Delendik (:yury) from comment #5) > Comment on attachment 8850913 [details] > Bug 1350143: Don't allow debug mode when there's no more frames in wasm > non-profiling iteration; > > https://reviewboard.mozilla.org/r/123428/#review125880 > > Looks good. I wonder if we shall add `MOZ_ASSERT_IF(missingFrameMessage, > !codeRange);` above to be clear about invariant. Thanks. Sounds like a good idea to have this invariant. I think missingFrameMessage == !codeRange, even. Thanks. (In reply to Luke Wagner [:luke] from comment #6) > Hah, that test case looks familiar > (https://hg.mozilla.org/mozilla-central/rev/60f7f03a4a6c#l4.3) Yep, that's the work of randorderfuzz :) See also https://bugzilla.mozilla.org/show_bug.cgi?id=1100132#c0 .
Comment hidden (mozreview-request) |
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/05f7a8eb6f45 Don't allow debug mode when there's no more frames in wasm non-profiling iteration; r=yury
Comment 10•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/05f7a8eb6f45
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Comment 11•7 years ago
|
||
Please request Aurora/Beta approval on this when you get a chance.
Assignee: nobody → bbouvier
Blocks: 1286948
status-firefox52:
--- → unaffected
status-firefox53:
--- → affected
status-firefox54:
--- → affected
status-firefox-esr52:
--- → unaffected
Flags: needinfo?(bbouvier)
Comment 12•7 years ago
|
||
We disabled bug mode on ff53-aurora (see bug 1332960), I don't think crash affects Beta.
Updated•7 years ago
|
Assignee | ||
Comment 13•7 years ago
|
||
Approval Request Comment [Feature/Bug causing the regression]: wasm debugger [User impact if declined]: crashes when debugging wasm code [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: very small risk [Why is the change risky/not risky?]: conservative change, has a test [String changes made/needed]: n/a Carrying forward r+; that's the patch which landed after IRC discussions.
Attachment #8850913 -
Attachment is obsolete: true
Flags: needinfo?(bbouvier)
Attachment #8851940 -
Flags: review+
Attachment #8851940 -
Flags: approval-mozilla-aurora?
Comment 14•7 years ago
|
||
Comment on attachment 8851940 [details] [diff] [review] aurora.patch Fix a crashes when debugging wasm code. Aurora54+.
Attachment #8851940 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 15•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/832e77512126
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•