Closed Bug 1406776 Opened 7 years ago Closed 7 years ago

Assertion failure: code_ == activation_->compartment()->wasm.lookupCode(returnAddress), at js/src/wasm/WasmFrameIter.cpp:130

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

58 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1406041
Tracking Status
firefox57 --- unaffected
firefox58 --- fixed

People

(Reporter: bc, Unassigned)

Details

(Keywords: assertion, regression, regressionwindow-wanted)

Attachments

(1 file)

Attached file Windows Debug Log
1. http://diep.io/
2. Assertion failure: code_ == activation_->compartment()->wasm.lookupCode(returnAddress), at z:/build/build/src/js/src/wasm/WasmFrameIter.cpp:130

Windows 32 bit Nightly/58 only

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 45 stepping 2
     2 CPUs
GPU: UNKNOWN

Crash reason: EXCEPTION_BREAKPOINT
Crash address: 0x60311c91
Assertion: Unknown assertion type 0x00000000
Process uptime: 13 seconds

Thread 0 (crashed)
 0  xul.dll!js::wasm::WasmFrameIter::popFrame() [WasmFrameIter.cpp:2d7b8b5dd174 : 130 + 0x17]
    eip = 0x60311c91 esp = 0x0025c708 ebp = 0x0025c720 ebx = 0x0af37e70
    esi = 0x0025c770 edi = 0x26bdc177 eax = 0x00000000 ecx = 0x6de106ef
    edx = 0x00000060 efl = 0x00000212
    Found by: given as instruction pointer in context
 1  xul.dll!js::wasm::WasmFrameIter::WasmFrameIter(js::jit::JitActivation *,js::wasm::Frame *) [WasmFrameIter.cpp:2d7b8b5dd174 : 51 + 0x7]
    eip = 0x602df6bc esp = 0x0025c718 ebp = 0x0025c720
    Found by: call frame info
 2  xul.dll!mozilla::MaybeOneOf<js::jit::JSJitFrameIter,js::wasm::WasmFrameIter>::construct<js::wasm::WasmFrameIter,js::jit::JitActivation * &>(js::jit::JitActivation * &) [MaybeOneOf.h:2d7b8b5dd174 : 109 + 0x13]
    eip = 0x6002659c esp = 0x0025c728 ebp = 0x0025c730
    Found by: call frame info
 3  xul.dll!js::JitFrameIter::JitFrameIter(js::jit::JitActivation *) [Stack.cpp:2d7b8b5dd174 : 528 + 0xc]
    eip = 0x6002b7a8 esp = 0x0025c738 ebp = 0x0025c740
    Found by: call frame info
 4  xul.dll!js::FrameIter::settleOnActivation() [Stack.cpp:2d7b8b5dd174 : 662 + 0x9]
    eip = 0x6004561b esp = 0x0025c748 ebp = 0x0025c794
    Found by: call frame info
 5  xul.dll!js::FrameIter::operator++() [Stack.cpp:2d7b8b5dd174 : 848 + 0x7]
    eip = 0x6002d5b7 esp = 0x0025c79c ebp = 0x0025c7a8
    Found by: call frame info
Calling this s-s under the assumption that compartment asserts tend to be bad news. I haven't been able to reproduce, though :(
Group: javascript-core-security
Flags: needinfo?(luke)
Probably the same as bug 1406041.
Flags: needinfo?(luke) → needinfo?(bbouvier)
Pretty sure this is what happens here (and which is what makes it so hard to reproduce):
- wasm tiering has completed and moved to ion code (but the code segment hasn't been registered)
- an interrupt occurs and wants to get an Error().stack *after* tiering has completed.

These two events are racy, and probably in most cases the interrupt happens before tiering has completed. The assertion is just a sanity check, which doesn't work because of bug 1406041, but won't prevent the code from working correctly. To be clear, a release non-debug build should work fine. Closing as dup.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → DUPLICATE
Priority: -- → P2
Group: javascript-core-security