Bug 1439234 (Closed)
Crash [@ js::wasm::CallSiteDesc::kind] or Crash [@ ??] or various assertions

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla60
Opened 6 years ago, closed 6 years ago

Tracking | Status |
---|---|
firefox-esr52 | unaffected |
firefox58 | unaffected |
firefox59 | unaffected |
firefox60 | fixed |

People: Reporter: decoder, Assigned: bbouvier
Keywords: 5 keywords; Whiteboard: [jsbugmon:update,bisect][fuzzblocker]

Attachments (1 file): patch, 2.16 KB, luke: review+

Description
The following testcase crashes on mozilla-central revision e7438140bb20 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off):

```js
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (func (export "func_0") (result i32)
      call 0
    )
  )
`));
// Attach a Debugger from a separate global so wasm code is compiled in debug mode.
var g = newGlobal();
g.parent = this;
g.eval("(" + function() {
  var dbg = Debugger(parent);
  dbg.onEnterFrame = function(frame) {}
} + ")()");
processModule(lfModule, "");
processModule(lfModule, "");
processModule(lfModule, "");
processModule(lfModule, "");
lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (export "assert_0" $func1)
    (func $func1 (result i32)
      i64.const 13510798882111488
      i64.const 2
      i64.eq
    )
  )
`));
processModule(lfModule, "");
processModule(lfModule, "");
processModule(lfModule, "");
processModule(lfModule, "");
// Instantiate the module and call every exported function, ignoring exceptions.
function processModule(module, jscode) {
  instance = new WebAssembly.Instance(module);
  for (let descriptor of WebAssembly.Module.exports(module)) {
    switch (descriptor.kind) {
      case "function":
        try {
          print(instance.exports[descriptor.name]())
        } catch (exc1) {}
    }
  }
}
```

Backtrace:

```
Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::wasm::CallSiteDesc::kind (this=0x0) at js/src/wasm/WasmTypes.h:1274
#1  WasmHandleDebugTrap () at js/src/wasm/WasmBuiltins.cpp:115
#2  0x2bc9a373 in ?? ()
#3  0xf514df70 in ?? ()
#4  0xf514df70 in ?? ()
#5  0x00001842 in ?? ()
#6  0xf5380490 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
```

Registers:

```
eax            0xffb28398   -5078120
ebx            0x8b0aff4    145797108
ecx            0x8          8
edx            0xffb28398   -5078120
esi            0xf6617800   -161384448
edi            0x0          0
ebp            0xf66a2040   4134150208
esp            0xffb28280   4289888896
eip            0x8631872    <WasmHandleDebugTrap()+98>
=> 0x8631872 <WasmHandleDebugTrap()+98>:  movzbl 0x3(%edi),%eax
   0x8631876 <WasmHandleDebugTrap()+102>: add    $0x10,%esp
```

I'm seeing various crashes with wasm and Debugger, most of them with no stack. In debug builds, I get various assertions. Marking as fuzzblocker and disabling the Debugger for all wasm fuzzing.
Comment 1 • 6 years ago

Debug cloning my old friend, I've come to talk with you again.
Comment 2 • 6 years ago

Comment on attachment 8952097 [details] [diff] [review]
debugcloning.patch

Review of attachment 8952097 [details] [diff] [review]:
-----------------------------------------------------------------

Hah, subtle

Attachment #8952097 - Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a6805a4f6471
Use the correct segment when initializing a debug-mode cloned Code; r=luke
Comment 4 • 6 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/a6805a4f6471

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated • 6 years ago

status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: in-testsuite+