Closed
Bug 1455612
Opened 6 years ago
Closed 6 years ago
Assertion failure: state == Type2State<T>::result, at mozilla/MaybeOneOf.h:61 with wasm and Debugger
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | - | wontfix |
firefox59 | --- | unaffected |
firefox60 | - | wontfix |
firefox61 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
2.34 KB,
patch
jandem
review+
The following testcase crashes on mozilla-central revision cc0d7de218cb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe): var evalInFrame = (function (global) { var dbgGlobal = newGlobal(); var dbg = new dbgGlobal.Debugger(); return function evalInFrame(upCount, code) { dbg.addDebuggee(global); var frame = dbg.getNewestFrame().older; for (var i = 0; i < upCount; i++) { if (!frame.older) break; frame = frame.older; } var completion = frame.eval(code); }; })(this); Object.defineProperty(this, "fuzzutils", { }); var lfCodeBuffer = ""; var lfGlobalFunc = undefined; var lfModule = new WebAssembly.Module(wasmTextToBinary(` (module (import "global" "func" (result i32)) (func (export "func_0") (result i32) call 0 ;; calls the import, which is func #0 ) ) `)); for (i = 0; i < 20; ++i) processCode(` evalInFrame(1, "a = 43"); `); function processCode(lfVarx) { try { processModule(lfModule, lfVarx); } catch (lfVare) {} } function processModule(module, jscode) { imports = {} for (let descriptor of WebAssembly.Module.imports(module)) { imports[descriptor.module] = {} if (lfGlobalFunc) {} else { imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode); try { instance = new WebAssembly.Instance(module, imports); } catch (exc) {} } } for (let descriptor of WebAssembly.Module.exports(module)) { switch (descriptor.kind) { case "function": print(instance.exports[descriptor.name]()) } } } Backtrace: received signal SIGSEGV, Segmentation fault. 
#0 0x0000000000aad39c in mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::as<js::jit::JSJitFrameIter> (this=<optimized out>) at dist/include/mozilla/MaybeOneOf.h:61 #1 0x0000000000c6f810 in mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::ref<js::jit::JSJitFrameIter> (this=0x7fffffff8848) at dist/include/mozilla/MaybeOneOf.h:115 #2 js::JitFrameIter::asJSJit (this=0x7fffffff8840) at js/src/vm/Stack.h:1939 #3 js::FrameIter::jsJitFrame (this=0x7fffffff87f0) at js/src/vm/Stack.h:2172 #4 js::FrameIter::updatePcQuadratic (this=0x7fffffff87f0) at js/src/vm/Stack.cpp:1149 #5 0x0000000000b14d9f in js::DebuggerFrame::eval (cx=0x7ffff5f15000, frame=frame@entry=..., chars=..., bindings=..., bindings@entry=..., options=..., resumeMode=@0x7fffffff8cd4: 32767, value=value@entry=...) at js/src/vm/Debugger.cpp:7980 #6 0x0000000000b15296 in js::DebuggerFrame::evalMethod (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8571 #7 0x00000000005b2e4e in js::CallJSNative (cx=0x7ffff5f15000, native=0xb14e20 <js::DebuggerFrame::evalMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280 #8 0x00000000005a77af in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467 #9 0x00000000005a7b8d in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516 #10 0x00000000005a7d10 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535 #11 0x0000000000a6bb61 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=<optimized out>, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:176 #12 0x0000000000a5e813 in js::CrossCompartmentWrapper::call (this=0x20bd890 <js::CrossCompartmentWrapper::singleton>, cx=<optimized out>, wrapper=..., args=...) 
at js/src/proxy/CrossCompartmentWrapper.cpp:358 #13 0x0000000000a561a5 in js::Proxy::call (cx=0x7ffff5f15000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:510 #14 0x0000000000a5626d in js::proxy_Call (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:769 #15 0x00000000005b2e4e in js::CallJSNative (cx=0x7ffff5f15000, native=0xa561f0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280 #16 0x00000000005a7acd in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:449 #17 0x00000000005a7b8d in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516 #18 0x00000000005a7cda in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:522 #19 0x000000000068cde3 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffff9a48, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff99e0, res=...) at js/src/jit/BaselineIC.cpp:2380 #20 0x000010b30e11371c in ?? () [...] #43 0xfffe7ffff4cd75c0 in ?? () rax 0x0 0 rbx 0x7fffffff87f0 140737488324592 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffff8710 140737488324368 rsp 0x7fffffff8710 140737488324368 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4780 140737354024832 r10 0x0 0 r11 0x0 0 r12 0x7fffffff8848 140737488324680 r13 0x7fffffffacb8 140737488334008 r14 0x7fffffff8840 140737488324672 r15 0x7fffffff8730 140737488324400 rip 0xaad39c <mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::as<js::jit::JSJitFrameIter>()+44> => 0xaad39c <mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::as<js::jit::JSJitFrameIter>()+44>: movl $0x0,0x0 0xaad3a7 <mozilla::MaybeOneOf<js::jit::JSJitFrameIter, js::wasm::WasmFrameIter>::as<js::jit::JSJitFrameIter>()+55>: ud2
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•6 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6130865cac user: Benjamin Bouvier date: Thu Feb 08 14:37:03 2018 +0100 summary: Bug 1319203: Implement the jit-to-wasm entry stub and use it; r=luke, r=jandem This iteration took 1.797 seconds to run.
Benjamin, is bug 1319203 a likely regressor?
Blocks: 1319203
Flags: needinfo?(bbouvier)
Comment 3•6 years ago
Good catch; indeed, updatePcQuadratic should skip wasm frames. As the backtrace shows, FrameIter::updatePcQuadratic calls jsJitFrame() while the underlying JitFrameIter holds a WasmFrameIter, which is what trips the MaybeOneOf assertion. Trivial fix.
Flags: needinfo?(bbouvier)
Comment 4•6 years ago
Comment 5•6 years ago
Tracking requested: this may cause crashes or incorrect behavior when debugging wasm code.
status-firefox60:
--- → affected
status-firefox-esr60:
--- → affected
tracking-firefox60:
--- → ?
tracking-firefox-esr60:
--- → ?
Updated•6 years ago
Attachment #8970174 -
Flags: review?(jdemooij) → review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/84ac907189ef Skip wasm frames in updatePcQuadratic; r=jandem
Comment 7•6 years ago
bugherder |
https://hg.mozilla.org/mozilla-central/rev/84ac907189ef
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Comment 8•6 years ago
Doesn't seem worth it for 60 at this point.
Comment 9•6 years ago
Doesn't seem worth taking on ESR60 either, but feel free to set the status back to affected and nominate for approval if you strongly disagree.