Closed Bug 1445966 Opened 6 years ago Closed 6 years ago

Assertion failure: wasmExitFP()->instance()->code().containsCodePC(rt->wasmTrapData->unwoundPC), at js/src/vm/Stack.cpp:1798 or Crash [@ js::wasm::WasmFrameIter::functionDisplayAtom]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: decoder, Assigned: luke)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

fix-trapping
10.57 KB, patch
bbouvier
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision fcb11e93adf5+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

const USE_ASM = '"use asm";';
function asmCompile() {
    var f = Function.apply(null, arguments);
    return f;
}
function asmLink(f) {
    var ret = f.apply(null, Array.slice(arguments, 1));
    return ret;
}
evaluate(`
  var ffi = function(enable) {
    enableSingleStepProfiling();
  }
  var f = asmLink(asmCompile('global', 'ffis',
  USE_ASM + \`
    var ffi=ffis.ffi;
    function f(i) {
      i=i|0;
      ffi(i|0);
    } return f
  \`), null, {
    ffi
  });
  var Error = eval(Object(f));
  function runWasmWithDebugger(wast, lib, init, done) {
    let g = newGlobal('');
    let dbg = new Debugger(g);
    g.eval(\`
      var wasm = wasmTextToBinary('\${wast}');
      var lib = \${lib || 'undefined'};
      var m = new WebAssembly.Instance(new WebAssembly.Module(wasm), lib);
    \`);
    init(dbg, g);
    result = g.eval("m.exports.test()");
  }
  runWasmWithDebugger(
    '(module (func (unreachable)) (export "test" 0))', undefined,
    function (dbg) {
        dbg.onEnterFrame = function (frame) {
            frame.onPop = function () {
                throw new Error();
            }
        };
    }
  );
`);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000c14fb4 in js::jit::JitActivation::isWasmTrapping (this=this@entry=0x7fff99bfaba0) at js/src/vm/Stack.cpp:1798
#1  0x0000000000d797d1 in js::wasm::WasmFrameIter::WasmFrameIter (this=0x7fff99bf8da8, activation=0x7fff99bfaba0, fp=<optimized out>) at js/src/wasm/WasmFrameIter.cpp:51
#2  0x0000000000c1f548 in mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::construct<js::wasm::WasmFrameIter, js::jit::JitActivation*&> (this=0x7fff99bf8da8) at dist/include/mozilla/MaybeOneOf.h:109
#3  js::JitFrameIter::JitFrameIter (this=0x7fff99bf8da0, act=<optimized out>, mustUnwindActivation=<optimized out>) at js/src/vm/Stack.cpp:507
#4  0x0000000000c2154d in js::FrameIter::settleOnActivation (this=0x7fff99bf9500) at js/src/vm/Stack.cpp:689
#5  0x0000000000c28b18 in js::FrameIter::operator++ (this=0x7fff99bf9500) at js/src/vm/Stack.cpp:875
#6  0x0000000000c28bcd in js::FrameIter::operator++ (this=this@entry=0x7fff99bf9500) at js/src/vm/Stack.cpp:856
#7  0x0000000000bfc278 in js::SavedStacks::insertFrames(JSContext*, js::FrameIter&, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=this@entry=0x7fbbd623e0f8, cx=cx@entry=0x7fbbd6216000, iter=..., frame=..., capture=capture@entry=...) at js/src/vm/SavedStacks.cpp:1417
#8  0x0000000000bfcc66 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0x7fbbd623e0f8, cx=cx@entry=0x7fbbd6216000, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1225
#9  0x00000000009c630a in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0x7fbbd6216000, stackp=..., capture=...) at js/src/jsapi.cpp:7749
#10 0x00000000009c63eb in CaptureStack (cx=<optimized out>, stack=...) at js/src/jsexn.cpp:369
#11 0x00000000009d9fb2 in js::ErrorToException (cx=0x7fbbd6216000, reportp=0x7fff99bf9c00, callback=<optimized out>, userRef=<optimized out>) at js/src/jsexn.cpp:685
#12 0x0000000000b3e431 in js::ReportErrorVA (cx=cx@entry=0x7fbbd6216000, flags=flags@entry=0, format=format@entry=0x1238dc0 "single-step profiling not enabled on this platform", argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0x7fff99bf9c90) at js/src/vm/JSContext.cpp:484
#13 0x00000000009c3258 in JS_ReportErrorASCII (cx=0x7fbbd6216000, format=0x1238dc0 "single-step profiling not enabled on this platform") at js/src/jsapi.cpp:6389
#14 0x000000000044e022 in EnableSingleStepProfiling(JSContext*, unsigned int, JS::Value*) () at dist/include/mozilla/Vector.h:520
#15 0x000000000057a81d in js::CallJSNative (cx=0x7fbbd6216000, native=0x44e010 <EnableSingleStepProfiling(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
[...]
#22 0x000000000056f1fd in InternalCall (cx=0x7fbbd6216000, args=...) at js/src/vm/Interpreter.cpp:516
#23 0x000000000056f380 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#24 0x0000000000dbad6b in js::wasm::Instance::callImport (this=this@entry=0x7fbbd4cfb660, cx=0x7fbbd6216000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=1, argv=argv@entry=0x7fff99bfa9c0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:168
#25 0x0000000000dbb4cb in js::wasm::Instance::callImport_void (instance=0x7fbbd4cfb660, funcImportIndex=0, argc=1, argv=0x7fff99bfa9c0) at js/src/wasm/WasmInstance.cpp:251
#26 0x000036912de150e2 in ?? ()
[...]
#32 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fff99bfaba0	140735772863392
rcx	0x7fbbd6f522ad	140444742001325
rdx	0x0	0
rsi	0x7fbbd7221770	140444744947568
rdi	0x7fbbd7220540	140444744942912
rbp	0x7fff99bf8d30	140735772855600
rsp	0x7fff99bf8d10	140735772855568
r8	0x7fbbd7221770	140444744947568
r9	0x7fbbd8312780	140444762711936
r10	0x58	88
r11	0x7fbbd6ec87a0	140444741437344
r12	0x7fbbd621a000	140444728139776
r13	0x7fff99bfaba0	140735772863392
r14	0x7fff99bfa420	140735772861472
r15	0x7fff99bfaba0	140735772863392
rip	0xc14fb4 <js::jit::JitActivation::isWasmTrapping() const+292>
=> 0xc14fb4 <js::jit::JitActivation::isWasmTrapping() const+292>:	movl   $0x0,0x0
   0xc14fbf <js::jit::JitActivation::isWasmTrapping() const+303>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/947a058e42b9
user:        Luke Wagner
date:        Wed Jan 10 12:35:38 2018 -0600
summary:     Bug 1428453 - Baldr: use hardware traps for Trap::Unreachable (r=bbouvier)

This iteration took 277.639 seconds to run.
The fundamental problem here is that wasm::HandleThrow() calls the Debugger::onLeaveFrame hook with isWasmTrapping()=true still true which allows nested trapping which breaks the fundamental singleton assumption of Runtime::wasmTrapData.  Fortunately, I don't think this could arise in realistic FF devtools usage.

So the obvious fix is to clear the trapping state early (before the onLeaveFrame call) but this has the inverse problem that the trapping state is useful to synthesize a trapping frame which means that we lose the innermost wasm frame in debugger stacks.

Fundamentally, I think this proves we need to support nested trapping states by moving wasmTrapData_ from the Runtime to the JitActivation.  Fortunately, this is quite easy and even simplifies the code.
Attached patch fix-trappingSplinter Review 
Assignee: nobody → luke

        Attachment #8959391 -
        Flags: review?(bbouvier)

    
    

    
  
Comment on attachment 8959391 [details] [diff] [review]
fix-trapping

Review of attachment 8959391 [details] [diff] [review]:
-----------------------------------------------------------------

It's a bit unfortunate to have to implement this for something that wouldn't realistically happen, but it's a nice simplification. LGTM, thanks.

::: js/src/vm/Stack.h
@@ +28,5 @@
>  #include "vm/JSScript.h"
>  #include "vm/SavedFrame.h"
>  #include "wasm/WasmFrameIter.h"
>  #include "wasm/WasmTypes.h"
> +#include "wasm/WasmSignalHandlers.h"

nit: include should stay in alphabetical order

        Attachment #8959391 -
        Flags: review?(bbouvier) → review+
Priority: -- → P1

    
    

    
  
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e2812f291edf
Baldr: move wasm trap state from JSRuntime to JitActivation (r=bbouvier)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/e2812f291edf
Status: NEW → RESOLVED
Closed: 6 years ago

          status-firefox61:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61

    
    

    
  
AFAICT this affects 60 as well. Does it need uplift consideration or can it ride the trains?

          status-firefox59:
          --- → unaffected

          status-firefox60:
          --- → affected

          status-firefox-esr52:
          --- → unaffected
Flags: needinfo?(luke)

    
    

    
  
Since it's debug-only and I think only for pathological scenarios, I was thinking of letting it ride the trains.
Flags: needinfo?(luke)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: