Closed Bug 1350143 Opened 7 years ago Closed 7 years ago

[wasm] Crash [@ js::wasm::CodeRange::funcIndex]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- disabled
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files, 1 obsolete file)

Detailed Crash Information
8.74 KB, text/plain
Details
aurora.patch
2.51 KB, patch
bbouvier
: review+
gchang
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 200182ef1156 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

newGlobal().Debugger().addDebuggee(this);
t = new WebAssembly.Table({
    initial: 1,
    element: "anyfunc"
});
new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
    (module
        (func $iloop loop $top br $top end)
        (import "imports" "t" (table1 anyfunc))
        (elem (i32.const0) $iloop))
    `)), {
    imports: {
        t
    }
});
outer = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
    (module
        (import "imports" "t" (table1 anyfunc))
        (type $v2v (func))
        (func (export "run")
            i32.const0
            call_indirect $v2v)
        )`)), {
    imports: {
        t
    }
});
timeout(0.01);
outer.exports.run();

Backtrace:

#0  js::wasm::CodeRange::funcIndex (this=0x0) at js/src/wasm/WasmCode.h:315
#1  js::wasm::FrameIterator::debugEnabled (this=this@entry=0x7ffc03bf0460) at js/src/wasm/WasmFrameIterator.cpp:231
#2  0x0000000000bd316f in js::FrameIter::hasUsableAbstractFramePtr (this=this@entry=0x7ffc03bf03d0) at js/src/vm/Stack.cpp:964
#3  0x0000000000b99858 in js::LiveSavedFrameCache::getFramePtr (iter=...) at js/src/vm/SavedStacks.cpp:60
#4  0x0000000000ba3985 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7fc11f3498b8, cx=cx@entry=0x7fc11f371000, iter=..., frame=..., frame@entry=..., capture=capture@entry=<unknown type in /home/gkwubu/shell-cache/js-dbg-64-dm-linux-200182ef1156/js-dbg-64-dm-linux-200182ef1156, CU 0x4ca52c7, DIE 0x4e8fda9>) at js/src/vm/SavedStacks.cpp:1358
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/766ead465209
user:        Yury Delendik
date:        Sat Jan 07 10:36:11 2017 -0600
summary:     Bug 1286948 - Extends AbstractFramePtr to reference wasm::DebugFrame. r=luke,shu

Yury/Benjamin, is bug 1286948 a likely regressor?
Flags: needinfo?(ydelendik)
Flags: needinfo?(bbouvier)
Summary: Crash [@ js::wasm::CodeRange::funcIndex] → [wasm] Crash [@ js::wasm::CodeRange::funcIndex]
Probably yes. I think there shouldn't be a DebugFrame when we're displaying the missing frames message, which is what's happening here.
Flags: needinfo?(ydelendik)
Flags: needinfo?(bbouvier)
Comment on attachment 8850913 [details]
Bug 1350143: Don't allow debug mode when there's no more frames in wasm non-profiling iteration;

https://reviewboard.mozilla.org/r/123428/#review125880

Looks good. I wonder if we shall add `MOZ_ASSERT_IF(missingFrameMessage, !codeRange);` above to be clear about invariant. Thanks.
Attachment #8850913 - Flags: review?(ydelendik) → review+
(In reply to Yury Delendik (:yury) from comment #5)
> Comment on attachment 8850913 [details]
> Bug 1350143: Don't allow debug mode when there's no more frames in wasm
> non-profiling iteration;
> 
> https://reviewboard.mozilla.org/r/123428/#review125880
> 
> Looks good. I wonder if we shall add `MOZ_ASSERT_IF(missingFrameMessage,
> !codeRange);` above to be clear about invariant. Thanks.

Sounds like a good idea to have this invariant. I think missingFrameMessage == !codeRange, even. Thanks.

(In reply to Luke Wagner [:luke] from comment #6)
> Hah, that test case looks familiar
> (https://hg.mozilla.org/mozilla-central/rev/60f7f03a4a6c#l4.3)

Yep, that's the work of randorderfuzz :) See also https://bugzilla.mozilla.org/show_bug.cgi?id=1100132#c0 .
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/05f7a8eb6f45
Don't allow debug mode when there's no more frames in wasm non-profiling iteration; r=yury
https://hg.mozilla.org/mozilla-central/rev/05f7a8eb6f45
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Please request Aurora/Beta approval on this when you get a chance.
Assignee: nobody → bbouvier
Blocks: 1286948
status-firefox52: --- → unaffected
status-firefox53: --- → affected
status-firefox54: --- → affected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(bbouvier)
We disabled bug mode on ff53-aurora (see bug 1332960), I don't think crash affects Beta.
Attached patch aurora.patchSplinter Review 
Approval Request Comment
[Feature/Bug causing the regression]: wasm debugger
[User impact if declined]: crashes when debugging wasm code
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: very small risk
[Why is the change risky/not risky?]: conservative change, has a test
[String changes made/needed]: n/a

Carrying forward r+; that's the patch which landed after IRC discussions.
Attachment #8850913 - Attachment is obsolete: true
Flags: needinfo?(bbouvier)
Attachment #8851940 - Flags: review+
Attachment #8851940 - Flags: approval-mozilla-aurora?
Comment on attachment 8851940 [details] [diff] [review]
aurora.patch

Fix a crashes when debugging wasm code. Aurora54+.
Attachment #8851940 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: