Closed Bug 1410192 Opened 7 years ago Closed 7 years ago

Assertion failure: pc, at js/src/vm/SavedStacks.cpp:163 with wasm and Debugger

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(4 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 87e3813e7939 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --baseline-eager):

g = newGlobal();
g.parent = this;
// From a fresh global, attach a Debugger to the parent global and, on every
// exception unwind, evaluate in the unwinding frame (SpiderMonkey
// expression-closure syntax of that era: `function(frame) expr`).
g.eval("(" + function() {
    Debugger(parent).onExceptionUnwind = function(frame)
    frame.eval("")
} + ")()");
// Module whose start function calls the JS import "inc".
lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module (import $imp "" "inc") (func) (func $start (call $imp)) (start $start) (export "" $start))
`));
// The import body "foo()" throws a ReferenceError (foo is not defined) while
// the wasm start frame is on the stack; capturing the error's stack hits the
// SavedFrame::Lookup assertion shown in the backtrace below.
processModule(lfModule, "foo()");
function processModule(module, jscode) {
    imports = {};
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {};
        imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
        // Instantiation runs the start function, which calls the throwing import.
        instance = new WebAssembly.Instance(module, imports);
        for (let descriptor of WebAssembly.Module.exports(module)) {
            print(instance.exports[descriptor.name]());
        }
    }
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000c1a1cb in js::SavedFrame::Lookup::Lookup (activation=<optimized out>, pc=<optimized out>, framePtr=..., principals=<optimized out>, parent=0x0, asyncCause=0x0, functionDisplayName=<optimized out>, column=<optimized out>, line=<optimized out>, source=0x7ffff46acbc0, this=<optimized out>) at js/src/vm/SavedStacks.cpp:163
#1  mozilla::detail::VectorImpl<js::SavedFrame::Lookup, 60ul, js::TempAllocPolicy, false>::new_<JSAtom*, unsigned long, unsigned int, JSAtom*&, decltype(nullptr), decltype(nullptr), JSPrincipals*&, mozilla::Maybe<mozilla::Variant<js::AbstractFramePtr, js::jit::CommonFrameLayout*> >, unsigned char*, js::Activation*>(js::SavedFrame::Lookup*, JSAtom*&&, unsigned long&&, unsigned int&&, JSAtom*&, decltype(nullptr)&&, decltype(nullptr)&&, JSPrincipals*&, mozilla::Maybe<mozilla::Variant<js::AbstractFramePtr, js::jit::CommonFrameLayout*> >&&, unsigned char*&&, js::Activation*&&) (aDst=<optimized out>) at dist/include/mozilla/Vector.h:66
#2  mozilla::Vector<js::SavedFrame::Lookup, 60ul, js::TempAllocPolicy>::emplaceBack<JSAtom*, unsigned long, unsigned int, JSAtom*&, decltype(nullptr), decltype(nullptr), JSPrincipals*&, mozilla::Maybe<mozilla::Variant<js::AbstractFramePtr, js::jit::CommonFrameLayout*> >, unsigned char*, js::Activation*>(JSAtom*&&, unsigned long&&, unsigned int&&, JSAtom*&, decltype(nullptr)&&, decltype(nullptr)&&, JSPrincipals*&, mozilla::Maybe<mozilla::Variant<js::AbstractFramePtr, js::jit::CommonFrameLayout*> >&&, unsigned char*&&, js::Activation*&&) (this=0x7fffffff9f68) at dist/include/mozilla/Vector.h:709
#3  js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7ffff692b900, cx=cx@entry=0x7ffff6948000, iter=..., frame=..., frame@entry=..., capture=capture@entry=...) at js/src/vm/SavedStacks.cpp:1353
#4  0x0000000000c1ac84 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7ffff692b900, cx=cx@entry=0x7ffff6948000, frame=frame@entry=..., capture=capture@entry=...) at js/src/vm/SavedStacks.cpp:1177
#5  0x0000000000988db7 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0x7ffff6948000, stackp=..., capture=capture@entry=...) at js/src/jsapi.cpp:7733
#6  0x00000000009c2e9b in CaptureStack (cx=<optimized out>, stack=...) at js/src/jsexn.cpp:376
#7  0x0000000000a07fb2 in js::ErrorToException (cx=0x7ffff6948000, reportp=0x7fffffffaa70, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:694
#8  0x000000000098caf4 in js::ReportErrorNumberVA (cx=0x7ffff6948000, flags=flags@entry=0, callback=0x972860 <js::GetErrorMessage(void*, unsigned int)>, userRef=0x0, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffab00, argumentsType=js::ArgumentsAreLatin1) at js/src/jscntxt.cpp:905
#9  0x000000000098cedd in JS_ReportErrorNumberLatin1VA (cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>, ap=ap@entry=0x7fffffffab00) at js/src/jsapi.cpp:6445
#10 0x000000000098cf78 in JS_ReportErrorNumberLatin1 (cx=cx@entry=0x7ffff6948000, errorCallback=errorCallback@entry=0x972860 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=1) at js/src/jsapi.cpp:6434
#11 0x000000000098d645 in js::ReportIsNotDefined (cx=0x7ffff6948000, id=id@entry=...) at js/src/jscntxt.cpp:956
#12 0x000000000098d6cb in js::ReportIsNotDefined (cx=0x7ffff6948000, name=..., name@entry=...) at js/src/jscntxt.cpp:965
#13 0x00000000005603e0 in js::FetchName<(js::GetNameMode)0> (cx=0x7ffff6948000, receiver=..., holder=..., name=..., prop=..., vp=...) at js/src/vm/Interpreter-inl.h:184
#14 0x0000000000624fbb in js::GetEnvironmentName<(js::GetNameMode)0> (vp=..., name=..., envChain=..., cx=<optimized out>) at js/src/vm/Interpreter-inl.h:254
#15 js::jit::DoGetNameFallback (cx=0x7ffff6948000, frame=0x7fffffffb0c8, stub_=<optimized out>, envChain=..., res=...) at js/src/jit/BaselineIC.cpp:1445
#16 0x00001b9703b74837 in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rip	0xc1a1cb <js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&)+1739>
=> 0xc1a1cb <js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&)+1739>:	movl   $0x0,0x0
   0xc1a1d6 <js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&)+1750>:	ud2
Flags: needinfo?(bbouvier)
Attached patch hoist.patch
This is not pretty, but this constructor is only used twice, and there's only one use that provides a framePtr and so actually tests the assertion. So we can simply hoist it. I considered adding another optional parameter isWasm=false to the ctor, but felt there were enough already (and it would be only for debug purposes). Happy to change it one way or the other.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Flags: needinfo?(bbouvier)
Attachment #8920585 - Flags: review?(jdemooij)
Priority: -- → P1
Comment on attachment 8920585 [details] [diff] [review]
hoist.patch

Review of attachment 8920585 [details] [diff] [review]:
-----------------------------------------------------------------

Makes sense. Please add a testcase if possible.

::: js/src/vm/SavedStacks.cpp
@@ -158,5 @@
>          pc(pc),
>          activation(activation)
>      {
>          MOZ_ASSERT(source);
> -        MOZ_ASSERT_IF(framePtr.isSome(), activation);
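Review bot: The only change visible in this hunk is the removal of `MOZ_ASSERT_IF(framePtr.isSome(), activation);`, but the assertion that actually fires in this bug is the `pc` one at SavedStacks.cpp:163 (per the summary), just past the quoted context; confirm that the caller-side check this patch hoists covers `pc` as well as `activation` for the wasm-frame case. Since `framePtr` being none makes the condition vacuously true at the other call site, the assertion could also stay in the ctor to document the invariant, with only the wasm-aware part moved to the one caller that supplies a framePtr.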

Might be nice to keep this just to document the invariant?
Attachment #8920585 - Flags: review?(jdemooij) → review+
Benjamin, should we land this in FF57, or is it shell-only or otherwise limited in scope?
Flags: needinfo?(bbouvier)
No need, it happened after bug 1360211, which landed in 58.
Blocks: 1360211
Flags: needinfo?(bbouvier)
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/01fbcaf5fb27
Hoist assertion testing if we're in wasm when constructing a SavedFrame::Lookup; r=jandem
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/5c52d398d8c6
user:        Benjamin Bouvier
date:        Thu Oct 05 11:40:00 2017 +0200
summary:     Bug 1347740: Use a rectifier frame when calling from wasm to jit; r=jandem, r=luke

This iteration took 270.847 seconds to run.
https://hg.mozilla.org/mozilla-central/rev/01fbcaf5fb27
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58