Closed Bug 1530641 Opened 8 months ago Closed 8 months ago

Assertion failure: hasScript(), at js/src/vm/Stack.h:2276 or Crash [@ JSScript::scriptSource]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision d97cc5b9eeae (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

function wasmRunWithDebugger(wast, lib, init, done) {
    let g = newGlobal({newCompartment: true});
    let dbg = new Debugger(g);
    g.eval(`
      var wasm = wasmTextToBinary('${wast}');
      var lib = ${lib || 'undefined'};
      var m = new WebAssembly.Instance(new WebAssembly.Module(wasm), lib);
    `);
    init({ dbg });
    result = g.eval("m.exports.test()");
}
function MjsUnitAssertionError() {};
function failWithMessage() {
    throw new MjsUnitAssertionError();
}
Array.prototype.push = failWithMessage;
function monitorGlobalValues(wast, lib, expected) {
    function setupFrame(frame) {
        var globals = {};
        framesGlobals.push(globals);
    }
    var framesGlobals = [];
    wasmRunWithDebugger(wast, lib, function({ dbg }) {
        dbg.onEnterFrame = function(frame) {
            if (frame.type == "wasmcall")
                setupFrame(frame);
        }
    });
}
monitorGlobalValues('(module (func (export "test") (nop)))');

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::FrameIter::script (this=<optimized out>) at js/src/vm/Stack.h:2276
#1  0x0000555555e40074 in js::ErrorReport::populateUncaughtExceptionReportUTF8VA (this=0x7fffffffa1d0, cx=0x7ffff5f17000, ap=ap@entry=0x7fffffff9e30) at js/src/jsexn.cpp:962
#2  0x0000555555e40176 in js::ErrorReport::populateUncaughtExceptionReportUTF8 (this=this@entry=0x7fffffffa1d0, cx=<optimized out>) at js/src/jsexn.cpp:944
#3  0x0000555555e4ec64 in js::ErrorReport::init (this=0x7fffffffa1d0, cx=<optimized out>, exn=..., sniffingBehavior=<optimized out>) at js/src/jsexn.cpp:927
#4  0x000055555584dba2 in js::shell::AutoReportException::~AutoReportException (this=0x7fffffffa330, __in_chrg=<optimized out>) at js/src/shell/js.cpp:9130
#5  0x000055555584e5b5 in EnvironmentPreparer::invoke (this=<optimized out>, global=..., closure=...) at js/src/shell/js.cpp:804
#6  0x0000555555aa1f44 in js::ReportErrorToGlobal (cx=cx@entry=0x7ffff5f17000, global=..., error=error@entry=...) at js/src/vm/ErrorReporting.cpp:143
#7  0x0000555555a1656b in js::Debugger::reportUncaughtException (this=this@entry=0x7ffff5f92800, ar=...) at js/src/vm/Debugger.cpp:1655
#8  0x0000555555a393e4 in js::Debugger::handleUncaughtExceptionHelper (this=this@entry=0x7ffff5f92800, ar=..., vp=vp@entry=0x7fffffffa528, thisVForCheck=..., frame=..., frame@entry=...) at js/src/vm/Debugger.cpp:1704
#9  0x0000555555a3aabf in js::Debugger::handleUncaughtException (frame=..., thisVForCheck=..., vp=..., ar=..., this=0x7ffff5f92800) at js/src/vm/Debugger.cpp:1714
#10 js::Debugger::processHandlerResult (this=this@entry=0x7ffff5f92800, ar=..., success=success@entry=false, rv=..., frame=..., pc=pc@entry=0x0, vp=...) at js/src/vm/Debugger.cpp:1783
#11 0x0000555555a3bb0a in js::Debugger::fireEnterFrame (this=this@entry=0x7ffff5f92800, cx=<optimized out>, cx@entry=0x7ffff5f17000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1989
#12 0x0000555555a3c4c7 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff5f92800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:894
#13 js::Debugger::dispatchHook<js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnEnterFrame(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., hookIsEnabled=..., cx=0x7ffff5f17000) at js/src/vm/Debugger.cpp:2079
#14 js::Debugger::slowPathOnEnterFrame (cx=cx@entry=0x7ffff5f17000, frame=...) at js/src/vm/Debugger.cpp:895
#15 0x00005555563f43c7 in js::Debugger::onEnterFrame (frame=..., cx=0x7ffff5f17000) at js/src/vm/Debugger-inl.h:62
#16 WasmHandleDebugTrap () at js/src/wasm/WasmBuiltins.cpp:90
#17 0x0000048f4a7383f6 in ?? ()
[...]
#30 0x0000000000000000 in ?? ()
rax	0x555557c32280	93825032987264
rbx	0x7fffffffa1d0	140737488331216
rcx	0x555556b0f208	93825015017992
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffff9980	140737488329088
rsp	0x7fffffff9980	140737488329088
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x7fffffff99a0	140737488329120
r13	0x7ffff5f17000	140737319628800
r14	0x7fffffffa1d8	140737488331224
r15	0x7fffffff9e30	140737488330288
rip	0x555555866984 <js::FrameIter::script() const+116>
=> 0x555555866984 <js::FrameIter::script() const+116>:	movl   $0x0,0x0
   0x55555586698f <js::FrameIter::script() const+127>:	ud2
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fb90471fe737
Use hasScript() to check if a script exists; r=bhackett
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Assignee: nobody → bbouvier

Can we land the testcase from this bug?

Blocks: 1447244
Flags: needinfo?(bbouvier)

It's a good idea, i'll try to make a reduced test case.

Flags: needinfo?(bbouvier)
Attachment #9047318 - Attachment description: Bug 1530641: Add test case; r?bhackett → Bug 1530641: Add test case; r=bhackett

In the case of arm64 / no-jit, the test exits early because it includes tests/lib/wasm.js which exits early if wasm isn't supported, and the status code is 0. We can't avoid a status code of 3 when wasm is supported, so the fix is to put the test into a directory with no directives, so that it doesn't include tests/lib/wasm.js.

Flags: needinfo?(bbouvier)
You need to log in before you can comment on or make changes to this bug.