Bug 1350744 - [wasm] Crash [@ ??] involving Debugger
Status: Closed, RESOLVED FIXED, target milestone mozilla55
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect

Tracking:

| Branch | Status |
|---|---|
| firefox-esr45 | unaffected |
| firefox52 | unaffected |
| firefox-esr52 | unaffected |
| firefox53 | unaffected |
| firefox54 | unaffected |
| firefox55 | fixed |

People: Reporter: gkw, Assigned: luke
Keywords: bugmon, crash, testcase; Whiteboard: [jsbugmon:update]

Attachments (2 files):
- 1.81 KB, text/plain
- 3.15 KB, patch (bbouvier: review+)
The following testcase crashes on mozilla-central revision 4c987b7ed54a (build with --32 --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// jsfunfuzz-generated
(function () {
  // Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1133196.js
  var g = newGlobal();
  g.parent = this;
  g.eval("(" + function () {
    var dbg = new Debugger(parent);
    dbg.onExceptionUnwind = function (frame) {
      frame.older.onStep = function () {}
    };
  } + ")()");
  // awsm-generated
  try {
    exports = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
      (module
        (func (result f64)
          i64.const 0
          i64.const 0
          i64.const 0
          drop
          drop
          f64.reinterpret/i64
        )
        (func (export "f2")
          i64.const 0
          i64.const 0
          i64.const 0
          i32.const 0
          select
          drop
          drop
        )
      )
    `))).exports;
    // `exports` is the exports object, not a function: this throws and fires onExceptionUnwind
    exports();
  } catch (e) {};
  exports.f2();
})();
Backtrace:
#0 0x3e1e0634 in ?? ()
#1 0xfff00d34 in ?? ()
/snip
For detailed crash information, see attachment.
Setting s-s as a start, there are weird memory addresses on the stack, but also looks like a null-deref.
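The wasm half of the testcase, as an added example that is not part of the bug report or the SpiderMonkey tree: wasmTextToBinary() is a SpiderMonkey shell helper that browsers and Node.js do not have, so this hand-encodes the same two-function module as a binary, checks that it validates, and shows that f2() completes normally when no Debugger is attached. The helper names (uleb, section, vec, body, buildModule, runWithoutDebugger) are mine; it assumes any engine exposing the standard WebAssembly JS API.

```javascript
// Added example (not from the bug report): hand-encode the testcase's
// two-function wasm module so it can be instantiated without the
// SpiderMonkey shell's wasmTextToBinary(), and check that, with no
// Debugger attached, f2() runs to completion.

// Opcodes and value types used by the testcase (MVP encoding).
const OP = {
  end: 0x0b, drop: 0x1a, select: 0x1b,
  i32_const: 0x41, i64_const: 0x42, f64_reinterpret_i64: 0xbf,
};
const TYPE = { f64: 0x7c, func: 0x60 };

// Unsigned LEB128, used for every size, count and index in the binary.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// A section is: one-byte id, uleb payload size, payload.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// A vector is: uleb item count, then the items back to back.
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

// A function body is: uleb size, locals vector, instructions, end.
function body(instructions) {
  const content = [...vec([]), ...instructions, OP.end];
  return [...uleb(content.length), ...content];
}

// Same module as the (module ...) text in the testcase above.
function buildModule() {
  const typeSec = vec([
    [TYPE.func, ...vec([]), ...vec([[TYPE.f64]])], // type 0: () -> f64
    [TYPE.func, ...vec([]), ...vec([])],           // type 1: () -> ()
  ]);
  const funcSec = vec([[0], [1]]);                 // func 0: type 0, func 1: type 1
  const exportSec = vec([
    [...uleb(2), 0x66, 0x32, 0x00, ...uleb(1)],    // "f2" -> func 1
  ]);
  const codeSec = vec([
    body([OP.i64_const, 0, OP.i64_const, 0, OP.i64_const, 0,
          OP.drop, OP.drop, OP.f64_reinterpret_i64]),
    body([OP.i64_const, 0, OP.i64_const, 0, OP.i64_const, 0,
          OP.i32_const, 0, OP.select, OP.drop, OP.drop]),
  ]);
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,  // magic, version 1
    ...section(1, typeSec), ...section(3, funcSec),
    ...section(7, exportSec), ...section(10, codeSec),
  ]);
}

// Instantiate and call f2 with no Debugger hooks installed.
function runWithoutDebugger() {
  const bytes = buildModule();
  const valid = WebAssembly.validate(bytes);
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  // f2 has no result type, so a normal return yields undefined.
  return { valid, byteLength: bytes.length, f2Result: instance.exports.f2() };
}

console.log(runWithoutDebugger());
```

Running this shows the module itself is well-formed and f2 returns normally; the dropped i64 constants and the untyped select are the only things the code section does. The crash in this bug needs the Debugger hooks from the first half of the testcase, which is why it cannot be reproduced outside an engine that exposes the Debugger API.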
Comment 1 • Reporter • 8 years ago

Comment 2 • Reporter • 8 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/36a11b6821fa
user: Luke Wagner
date: Wed Mar 22 17:13:02 2017 -0500
summary: Bug 1334504 - Baldr: save TLS reg in Frame (r=bbouvier)
Luke/Benjamin, is bug 1334504 a likely regressor?
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Updated • Reporter • 8 years ago
Summary: Crash [@ ??] → [wasm] Crash [@ ??] involving Debugger
Comment 3 • Assignee • 8 years ago
With bug 1334504, prologues/epilogues now depend on TLS having been loaded and that was not happening on the debug-trap path. This patch should look familiar to the last one of bug 1334504 since it's doing the same logical thing.
Assignee: nobody → luke
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Attachment #8851741 - Flags: review?(bbouvier)
Comment 4 • 8 years ago
Comment on attachment 8851741 [details] [diff] [review]
fix-debug-trap
Review of attachment 8851741 [details] [diff] [review]:
-----------------------------------------------------------------
Makes sense, thanks.
Attachment #8851741 - Flags: review?(bbouvier) → review+
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated • 8 years ago
Blocks: 1334504
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite+
Updated • 8 years ago
Group: javascript-core-security → core-security-release

Updated • 8 years ago
Group: core-security-release