Bug 1644759 (Closed; opened 5 years ago, closed 5 years ago)
Hit MOZ_CRASH(unhandled type in ToJSValue) at wasm/WasmInstance.cpp:283 with Debugger
Categories: Core :: JavaScript: WebAssembly, defect, P3
Status: VERIFIED FIXED, target milestone mozilla79
Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | disabled
firefox77 | --- | unaffected
firefox78 | --- | disabled
firefox79 | --- | verified
People: Reporter: decoder, Assigned: lth
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [bugmon:update,bisected,confirmed]
Attachments: 2 files
Description (Reporter), 5 years ago:
The following testcase crashes on mozilla-central revision 20200608-63dc5e9b1b02 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
var g7 = newGlobal({newCompartment: true});
g7.parent = this;
// A Debugger with an onEnterFrame hook forces wasm frames through the debug-trap path.
g7.eval(`
  Debugger(parent).onEnterFrame = function(frame) { };
`);
function wasmEvalText(str, imports) {
  let binary = wasmTextToBinary(str);
  let m = new WebAssembly.Module(binary);
  return new WebAssembly.Instance(m, imports);
}
var ins = wasmEvalText(`
  (memory (export "mem") 1 1)
  (func (export "run")
    (param $k i32)
    (v128.store (i32.const 0) (call $f (local.get $k)))
  )
  (func $f
    (param $k i32)
    (result v128)
    (v128.const i32x4 5 6 7 8)
  )
`);
// Returning from $f hands a v128 result to the debugger, which must convert it to a JS value.
ins.exports.run(0);
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x00005555569105fb in bool ToJSValue<DebugCodegenVal>(JSContext*, void const*, js::wasm::ValType, JS::MutableHandle<JS::Value>) ()
#0 0x00005555569105fb in bool ToJSValue<DebugCodegenVal>(JSContext*, void const*, js::wasm::ValType, JS::MutableHandle<JS::Value>) ()
#1 0x000055555690fc30 in js::wasm::ResultsToJSValue(JSContext*, js::wasm::ResultType, void*, mozilla::Maybe<char*>, JS::MutableHandle<JS::Value>) ()
#2 0x00005555569ad839 in js::wasm::DebugFrame::updateReturnJSValue(JSContext*) ()
#3 0x000055555687a86a in WasmHandleDebugTrap() ()
#4 0x000005febad425c6 in ?? ()
[...]
#20 0x0000000000000000 in ?? ()
rax 0x55555712ea27 93825021438503
rbx 0x7fffffffb1e0 140737488335328
rcx 0x555558369980 93825040554368
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffaeb0 140737488334512
rsp 0x7fffffffae70 140737488334448
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffffb1e0 140737488335328
r13 0x7ffff6027000 140737320742912
r14 0x7fffffffb1f0 140737488335344
r15 0x7ffff6027000 140737320742912
rip 0x5555569105fb <bool ToJSValue<DebugCodegenVal>(JSContext*, void const*, js::wasm::ValType, JS::MutableHandle<JS::Value>)+859>
=> 0x5555569105fb <_ZL9ToJSValueI15DebugCodegenValEbP9JSContextPKvN2js4wasm7ValTypeEN2JS13MutableHandleINS8_5ValueEEE+859>: movl $0x11b,0x0
0x555556910606 <_ZL9ToJSValueI15DebugCodegenValEbP9JSContextPKvN2js4wasm7ValTypeEN2JS13MutableHandleINS8_5ValueEEE+870>: callq 0x55555583f74e <abort>
Comment 2 (Assignee), 5 years ago:
Just having all kinds of fun, aren't we?
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Comment 4 (Assignee), 5 years ago:
While JS can't observe v128 values, the debugger API can, so implement a case in ToJSValue for this. Other guards will ensure that these values (which are somewhat wrong) are not seen by JS.
Comment 5 (Assignee), 5 years ago:
Alternative representations to the synthetic one I've chosen here include array-of-byte, array-of-int32, Int8Array, and Int32Array, among others. I decided these are not worth pursuing now but may be worth pursuing as a part of a larger debugging support agenda (bug 1640593, I will annotate there). Discuss.
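As an added illustration of the failure mode behind comments 4 and 5, the following is a small C++ model written for this page; it is not SpiderMonkey's code and not the patch attached to this bug. It models a ToJSValue-style routine that switches over wasm value types and reaches a crash path for any type without an arm, and shows what giving v128 a synthetic, debugger-only representation looks like. The enum, the `Conversion` struct, the `haveV128Case` switch and the `i32x4[...]` text form are all constructed here; the representation the engine actually chose is not shown on this page.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Constructed stand-in for js::wasm::ValType (not the engine's enum).
enum class ValType { I32, I64, F32, F64, V128 };

// Result of a conversion in this model. `ok == false` plays the role of the
// MOZ_CRASH("unhandled type in ToJSValue") from the report: the real engine
// aborts there instead of returning.
struct Conversion {
  bool ok;
  std::string repr;  // textual form of the JS value the debugger would see
};

// Render the 16 bytes of a v128 as four i32 lanes (host byte order): the kind
// of synthetic representation comment 4 describes, visible only via Debugger.
static std::string V128AsI32x4(const uint8_t* bytes) {
  std::string s = "i32x4[";
  for (int lane = 0; lane < 4; ++lane) {
    int32_t v;
    std::memcpy(&v, bytes + 4 * lane, sizeof v);
    s += std::to_string(v);
    if (lane != 3) s += ", ";
  }
  return s + "]";
}

// Model of ToJSValue. `haveV128Case` selects the "before" (no arm for V128, so
// the crash path is reached) or the "after" (a V128 arm exists).
Conversion ToJSValueModel(const void* src, ValType type, bool haveV128Case) {
  const uint8_t* p = static_cast<const uint8_t*>(src);
  switch (type) {
    case ValType::I32: {
      int32_t v; std::memcpy(&v, p, sizeof v);
      return {true, std::to_string(v)};
    }
    case ValType::I64: {
      int64_t v; std::memcpy(&v, p, sizeof v);
      return {true, std::to_string(v) + "n"};  // i64 surfaces as a BigInt
    }
    case ValType::F32: {
      float v; std::memcpy(&v, p, sizeof v);
      return {true, std::to_string(v)};
    }
    case ValType::F64: {
      double v; std::memcpy(&v, p, sizeof v);
      return {true, std::to_string(v)};
    }
    case ValType::V128:
      if (!haveV128Case) break;  // "before": no arm, drop to the crash path
      return {true, V128AsI32x4(p)};
  }
  // Any type not handled above lands here; in the engine this is MOZ_CRASH.
  return {false, "unhandled type in ToJSValue"};
}

// The value from the report's testcase, (v128.const i32x4 5 6 7 8), as the
// 16 bytes $f leaves for the debug-trap handler to convert (constructed input).
Conversion DebuggerSeesReturnValue(bool haveV128Case) {
  int32_t lanes[4] = {5, 6, 7, 8};
  uint8_t bytes[16];
  std::memcpy(bytes, lanes, sizeof bytes);
  return ToJSValueModel(bytes, ValType::V128, haveV128Case);
}

int main() {
  Conversion before = DebuggerSeesReturnValue(false);
  Conversion after = DebuggerSeesReturnValue(true);
  std::printf("without V128 arm: ok=%d (%s)\n", before.ok, before.repr.c_str());
  std::printf("with V128 arm:    ok=%d (%s)\n", after.ok, after.repr.c_str());
  return 0;
}
```

The point the model makes is that the set of types a debugger can observe is larger than the set JS can hold, so an exhaustive switch written for the JS-visible types aborts as soon as Debugger asks for a v128 frame result; the fix is an arm for that type, with the guards comment 4 mentions keeping the synthetic value out of ordinary JS.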
Updated, 5 years ago: Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 6, 5 years ago:
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200611093454-10ad7868f3ca.
The bug appears to have been introduced in the following build range:
> Start: 5c834683487fb3a438004cc64b2a6a7a48cc265e (20200520070325)
> End: 38d4e11b069b609199ed6017ce80e199d2c5773b (20200520071237)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5c834683487fb3a438004cc64b2a6a7a48cc265e&tochange=38d4e11b069b609199ed6017ce80e199d2c5773b
Updated, 5 years ago: Attachment #9155886 description: Bug 1644759 - Add ToJSValue_v128. r?rhunt → Bug 1644759 - Add ToJSValue_v128. r=rhunt
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0290a1549a6e
Add ToJSValue_v128. r=rhunt
Comment 8 (bugherder), 5 years ago:
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Comment 9, 5 years ago:
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200615163035-4fdcaa5d6ec3.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Updated, 5 years ago:
status-firefox77: --- → unaffected
status-firefox78: --- → disabled
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → disabled
Flags: in-testsuite+
Regressed by: 1631228
Updated, 5 years ago:
Has Regression Range: --- → yes