Closed
Bug 1437499
Opened 7 years ago
Closed 7 years ago
Crash [@ ??] or Assertion failure: frame.exitFrame()->isWrapperExit(), at jit/JitFrames.cpp:1158 with wasm and Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED FIXED (mozilla60)

| Branch | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])
Attachments (2 files, 1 obsolete file)
2.09 KB, text/plain
8.08 KB, patch; jandem: review+
The following testcase crashes on mozilla-central revision 2b7d42d527af (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):
See attachment.
Backtrace:

```text
received signal SIGSEGV, Segmentation fault.
0x00001f2e1cb42026 in ?? ()
#0 0x00001f2e1cb42026 in ?? ()
#1 0x00007fffffffc518 in ?? ()
#2 0x00007ffff4869400 in ?? ()
#3 0x00001f2e1cb420d0 in ?? ()
#4 0x00007fffffffc530 in ?? ()
#5 0x0000000000000000 in ?? ()
rax 0x1f2e1cb42320 34282910524192
rbx 0x7ffff4852fe0 140737295757280
rcx 0x7ffff49f5740 140737297471296
rdx 0x1f2e1cb42000 34282910523392
rsi 0xffffffffffff8000 -32768
rdi 0xffef 65519
rbp 0x7fffffffc4f8 140737488340216
rsp 0x7fffffffc4f8 140737488340216
r8 0x2 2
r9 0x3 3
r10 0x7fffffffc648 140737488340552
r11 0x7ffff4852f20 140737295757088
r12 0x7fffffffc540 140737488340288
r13 0x7ffff49f5740 140737297471296
r14 0x7ffff4869400 140737295848448
r15 0x7ffe747f0000 140730852900864
rip 0x1f2e1cb42026 34282910523430
=> 0x1f2e1cb42026: mov %si,0x10(%r15,%rdi,1)
   0x1f2e1cb4202c: pop %rbp
```
These crashes are hard to distinguish from others, so marking as fuzzblocker.
Comment 1 • 7 years ago (Reporter)
Updated • 7 years ago (Assignee)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Comment 2 • 7 years ago (Assignee)
Some trivial issue in binary->text that prevents us from doing a text->binary thereafter.
Attachment #8950294 - Flags: review?(luke)
Updated • 7 years ago
Attachment #8950294 - Flags: review?(luke) → review+
Comment 3 • 7 years ago (Assignee)
I really meant to implement this, then did it, then decided it wasn't useful because good reasons, then we changed the design of the jit entry, then I forgot about this again.
Comes with a nice refactoring to avoid more code duplication between exit frames called from a JitFrameLayout.
Attachment #8950295 - Flags: review?(jdemooij)
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 4 • 7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/cb6130865cac
user: Benjamin Bouvier
date: Thu Feb 08 14:37:03 2018 +0100
summary: Bug 1319203: Implement the jit-to-wasm entry stub and use it; r=luke, r=jandem
This iteration took 277.031 seconds to run.
Comment 5 • 7 years ago
Comment on attachment 8950295 [details] [diff] [review]
2.implement-wasm-frame-exit.patch
Review of attachment 8950295 [details] [diff] [review]:
-----------------------------------------------------------------
Nice refactoring!
Attachment #8950295 - Flags: review?(jdemooij) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cdb66b98f4bc
Commonize CalledFromJitExitFrameLayout and use it for wasm too; r=jandem
Comment 7 • 7 years ago (Assignee)
Comment on attachment 8950294 [details] [diff] [review]
1.double-escape.patch
Dropped this patch because it caused issues with wasm-full-cycle and it isn't worth worrying too much about it.
Attachment #8950294 - Attachment is obsolete: true
Comment 8 • 7 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated • 7 years ago
Blocks: 1319203
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite+