Bug 1406889
Assertion failure: hasReturn(), at js/src/wasm/WasmTypes.h:1089
(Core :: JavaScript Engine, defect, P2)
RESOLVED
FIXED
mozilla58
firefox-esr52 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | fixed |
(Reporter: decoder, Assigned: luke)
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
The following testcase crashes on mozilla-central revision 8dba4037f395 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe): function wasmRunWithDebugger(wast, lib, init, done) { let g = newGlobal(''); let dbg = new Debugger(g); g.eval(` var wasm = wasmTextToBinary('${wast}'); var lib = ${lib || 'undefined'}; var m = new WebAssembly.Instance(new WebAssembly.Module(wasm), lib); `); var wasmScript = dbg.findScripts().filter(s => s.format == 'wasm')[0]; init({dbg, wasmScript, g,}); result = g.eval("m.exports.test()"); } enableGeckoProfiling(); enableSingleStepProfiling(); wasmRunWithDebugger('(module (memory 1 1)\ (global (mut f64) (f64.const 0.5))\ (func (param i32) (local f64) (f64.const 1.0) (tee_local 1) (set_global 0) (nop))\ (export "test" 0)\ (data (i32.const 0) "Abc\\x2A"))', undefined, function({ dbg }) { dbg.onEnterFrame = function(frame) {}; } ); Backtrace: received signal SIGSEGV, Segmentation fault. 0x089936fb in js::wasm::CodeRange::ret (this=0xf7944988) at js/src/wasm/WasmTypes.h:1089 #0 0x089936fb in js::wasm::CodeRange::ret (this=0xf7944988) at js/src/wasm/WasmTypes.h:1089 #1 0x0897d06e in js::wasm::StartUnwinding (activation=..., registers=..., unwindState=0xffffadcc, unwoundCaller=0xffffadcb) at js/src/wasm/WasmFrameIter.cpp:769 #2 0x0897d333 in js::wasm::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffaeec, activation=..., state=...) at js/src/wasm/WasmFrameIter.cpp:858 #3 0x088429b9 in JS::ProfilingFrameIterator::iteratorConstruct (this=0xffffaedc, state=...) 
at js/src/vm/Stack.cpp:1941 #4 0x088430f5 in JS::ProfilingFrameIterator::ProfilingFrameIterator (this=0xffffaedc, cx=0xf791d000, state=..., sampleBufferGen=4294967295) at js/src/vm/Stack.cpp:1874 #5 0x080a7c39 in SingleStepCallback (arg=0xf791d000, sim=<optimized out>, pc=<optimized out>) at js/src/shell/js.cpp:5309 #6 0x085296ea in js::jit::Simulator::execute<false> (this=0xf7942000) at js/src/jit/arm/Simulator-arm.cpp:4846 #7 js::jit::Simulator::callInternal (this=0xf7942000, entry=0x2be090e0 "\004\340-\345\360\037-\351\020\212", <incomplete sequence \355>) at js/src/jit/arm/Simulator-arm.cpp:4935 #8 0x08529a21 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:5018 #9 0x089abe80 in js::wasm::Instance::callExport (this=0xf51bc580, cx=0xf791d000, funcIndex=0, args=...) at js/src/wasm/WasmInstance.cpp:681 #10 0x089acafd in WasmCall (cx=0xf791d000, argc=0, vp=0xf50a4170) at js/src/wasm/WasmJS.cpp:1164 #11 0x0818f879 in js::CallJSNative (cx=0xf791d000, native=0x89aca40 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293 #12 0x08184add in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495 #13 0x08184f3f in InternalCall (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:540 #14 0x08178b4b in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:546 #15 Interpret (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:3085 #16 0x081846ec in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:435 #17 0x08186d2c in js::ExecuteKernel (cx=0xf791d000, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0xffffc000) at js/src/vm/Interpreter.cpp:724 #18 0x081b9677 in EvalKernel (cx=0xf791d000, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., env=..., pc=0x0, vp=...) 
at js/src/builtin/Eval.cpp:328 #19 0x081b99d0 in js::IndirectEval (cx=0xf791d000, argc=1, vp=0xffffc000) at js/src/builtin/Eval.cpp:421 #20 0x0818f879 in js::CallJSNative (cx=0xf791d000, native=0x81b9910 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293 #21 0x08184add in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495 #22 0x08184f3f in InternalCall (cx=cx@entry=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:540 #23 0x081850ea in js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:559 #24 0x086a8f02 in js::ForwardingProxyHandler::call (this=0x8d6c39c <js::CrossCompartmentWrapper::singleton>, cx=0xf791d000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:175 #25 0x08697132 in js::CrossCompartmentWrapper::call (this=0x8d6c39c <js::CrossCompartmentWrapper::singleton>, cx=0xf791d000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:359 #26 0x08691202 in js::Proxy::call (cx=0xf791d000, proxy=..., args=...) at js/src/proxy/Proxy.cpp:512 #27 0x086912d3 in js::proxy_Call (cx=0xf791d000, argc=1, vp=0xf50a4110) at js/src/proxy/Proxy.cpp:787 #28 0x0818f879 in js::CallJSNative (cx=0xf791d000, native=0x8691250 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293 [...] #42 main (argc=3, argv=0xffffce04, envp=0xffffce14) at js/src/shell/js.cpp:8736 eax 0x0 0 ebx 0x8d6cff4 148295668 ecx 0xf7da4864 -136689564 edx 0x0 0 esi 0x6e0 1760 edi 0x2be096e0 736138976 ebp 0xffffad38 4294946104 esp 0xffffad30 4294946096 eip 0x89936fb <js::wasm::CodeRange::ret() const+59> => 0x89936fb <js::wasm::CodeRange::ret() const+59>: movl $0x0,0x0 0x8993705 <js::wasm::CodeRange::ret() const+69>: ud2
Assignee: nobody → luke
Attachment #8917036 -
Flags: review?(bbouvier)
Comment on attachment 8917036 [details] [diff] [review] fix-debug-profiling Review of attachment 8917036 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8917036 -
Flags: review?(bbouvier) → review+
Priority: -- → P2
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3d8a1f95670d Baldr: fix profiling debug-enabled debug (r=bbouvier)
https://hg.mozilla.org/mozilla-central/rev/3d8a1f95670d
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
While Firefox 57 is affected, the hasReturn() function did not exist at that point; on 57 only the DEBUG-only assertion in CodeRange::ret() fails on this test case, and non-debug (release) builds run it correctly, so this is probably not worth uplifting. Note that the SIGSEGV in the backtrace above is the assertion's deliberate crash sequence (the `movl $0x0,0x0` null write followed by `ud2` at CodeRange::ret()+59), not a memory-safety fault in the profiler or frame iterator.
Blocks: 1329019
status-firefox57:
--- → wontfix
status-firefox56:
--- → unaffected
status-firefox-esr52:
--- → unaffected