Closed Bug 1437499 Opened 4 years ago Closed 4 years ago

Crash [@ ??] or Assertion failure: frame.exitFrame()->isWrapperExit(), at jit/JitFrames.cpp:1158 with wasm and Debugger

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(2 files, 1 obsolete file)

The following testcase crashes on mozilla-central revision 2b7d42d527af (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00001f2e1cb42026 in ?? ()
#0  0x00001f2e1cb42026 in ?? ()
#1  0x00007fffffffc518 in ?? ()
#2  0x00007ffff4869400 in ?? ()
#3  0x00001f2e1cb420d0 in ?? ()
#4  0x00007fffffffc530 in ?? ()
#5  0x0000000000000000 in ?? ()
rax	0x1f2e1cb42320	34282910524192
rbx	0x7ffff4852fe0	140737295757280
rcx	0x7ffff49f5740	140737297471296
rdx	0x1f2e1cb42000	34282910523392
rsi	0xffffffffffff8000	-32768
rdi	0xffef	65519
rbp	0x7fffffffc4f8	140737488340216
rsp	0x7fffffffc4f8	140737488340216
r8	0x2	2
r9	0x3	3
r10	0x7fffffffc648	140737488340552
r11	0x7ffff4852f20	140737295757088
r12	0x7fffffffc540	140737488340288
r13	0x7ffff49f5740	140737297471296
r14	0x7ffff4869400	140737295848448
r15	0x7ffe747f0000	140730852900864
rip	0x1f2e1cb42026	34282910523430
=> 0x1f2e1cb42026:	mov    %si,0x10(%r15,%rdi,1)
   0x1f2e1cb4202c:	pop    %rbp

These crashes are hard to distinguish from others, so marking as fuzzblocker.
Attached file Testcase
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attached patch 1.double-escape.patch (obsolete) — Splinter Review
Some trivial issue in binary->text that prevents us from doing a text->binary thereafter.
Attachment #8950294 - Flags: review?(luke)
Attachment #8950294 - Flags: review?(luke) → review+
I really meant to implement this, then did it, then decided it wasn't useful because good reasons, then we changed the design of the jit entry, then I forgot about this again.

Comes with a nice refactoring to avoid more code duplication between exit frames called from a JitFrameLayout.
Attachment #8950295 - Flags: review?(jdemooij)
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/cb6130865cac
user:        Benjamin Bouvier
date:        Thu Feb 08 14:37:03 2018 +0100
summary:     Bug 1319203: Implement the jit-to-wasm entry stub and use it; r=luke, r=jandem

This iteration took 277.031 seconds to run.
Comment on attachment 8950295 [details] [diff] [review]
2.implement-wasm-frame-exit.patch

Review of attachment 8950295 [details] [diff] [review]:
-----------------------------------------------------------------

Nice refactoring!
Attachment #8950295 - Flags: review?(jdemooij) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cdb66b98f4bc
Commonize CalledFromJitExitFrameLayout and use it for wasm too; r=jandem
Comment on attachment 8950294 [details] [diff] [review]
1.double-escape.patch

Dropped this patch because it caused issues with wasm-full-cycle and it isn't worth worrying too much about it.
Attachment #8950294 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/cdb66b98f4bc
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60