Closed
Bug 1406776
Opened 7 years ago
Closed 7 years ago
Assertion failure: code_ == activation_->compartment()->wasm.lookupCode(returnAddress), at js/src/wasm/WasmFrameIter.cpp:130
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
RESOLVED
DUPLICATE
of bug 1406041
| Version | Tracking | Status |
|---|---|---|
| firefox57 | --- | unaffected |
| firefox58 | --- | fixed |
People
(Reporter: bc, Unassigned)
References
Details
(Keywords: assertion, regression, regressionwindow-wanted)
Attachments (1 file): 126.83 KB, text/plain
Steps to reproduce:
1. Load http://diep.io/
2. Assertion failure: code_ == activation_->compartment()->wasm.lookupCode(returnAddress), at z:/build/build/src/js/src/wasm/WasmFrameIter.cpp:130
Windows 32 bit Nightly/58 only
Operating system: Windows NT
6.1.7601 Service Pack 1
CPU: x86
GenuineIntel family 6 model 45 stepping 2
2 CPUs
GPU: UNKNOWN
Crash reason: EXCEPTION_BREAKPOINT
Crash address: 0x60311c91
Assertion: Unknown assertion type 0x00000000
Process uptime: 13 seconds
Thread 0 (crashed)
0 xul.dll!js::wasm::WasmFrameIter::popFrame() [WasmFrameIter.cpp:2d7b8b5dd174 : 130 + 0x17]
eip = 0x60311c91 esp = 0x0025c708 ebp = 0x0025c720 ebx = 0x0af37e70
esi = 0x0025c770 edi = 0x26bdc177 eax = 0x00000000 ecx = 0x6de106ef
edx = 0x00000060 efl = 0x00000212
Found by: given as instruction pointer in context
1 xul.dll!js::wasm::WasmFrameIter::WasmFrameIter(js::jit::JitActivation *,js::wasm::Frame *) [WasmFrameIter.cpp:2d7b8b5dd174 : 51 + 0x7]
eip = 0x602df6bc esp = 0x0025c718 ebp = 0x0025c720
Found by: call frame info
2 xul.dll!mozilla::MaybeOneOf<js::jit::JSJitFrameIter,js::wasm::WasmFrameIter>::construct<js::wasm::WasmFrameIter,js::jit::JitActivation * &>(js::jit::JitActivation * &) [MaybeOneOf.h:2d7b8b5dd174 : 109 + 0x13]
eip = 0x6002659c esp = 0x0025c728 ebp = 0x0025c730
Found by: call frame info
3 xul.dll!js::JitFrameIter::JitFrameIter(js::jit::JitActivation *) [Stack.cpp:2d7b8b5dd174 : 528 + 0xc]
eip = 0x6002b7a8 esp = 0x0025c738 ebp = 0x0025c740
Found by: call frame info
4 xul.dll!js::FrameIter::settleOnActivation() [Stack.cpp:2d7b8b5dd174 : 662 + 0x9]
eip = 0x6004561b esp = 0x0025c748 ebp = 0x0025c794
Found by: call frame info
5 xul.dll!js::FrameIter::operator++() [Stack.cpp:2d7b8b5dd174 : 848 + 0x7]
eip = 0x6002d5b7 esp = 0x0025c79c ebp = 0x0025c7a8
Found by: call frame info
Comment 1•7 years ago
Calling this s-s under the assumption that compartment asserts tend to be bad news. I haven't been able to reproduce, though :(
Group: javascript-core-security
Flags: needinfo?(luke)
Comment 2•7 years ago
Probably the same as bug 1406041.
Flags: needinfo?(luke) → needinfo?(bbouvier)
Comment 3•7 years ago
Pretty sure this is what happens here (which is also what makes it so hard to reproduce):
- wasm tiering has completed and moved to ion code (but the code segment hasn't been registered)
- an interrupt occurs and wants to get an Error().stack *after* tiering has completed.
These two events are racy, and probably in most cases the interrupt happens before tiering has completed. The assertion is just a sanity check, which doesn't work because of bug 1406041, but won't prevent the code from working correctly. To be clear, a release non-debug build should work fine. Closing as dup.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → DUPLICATE
Updated•7 years ago
Priority: -- → P2
Updated•7 years ago
Updated•6 years ago
Group: javascript-core-security