1866839 - Assertion failure: jitCaller->footer()->type() == jit::ExitFrameType::DirectWasmJitCall, at js/src/wasm/WasmFrameIter.cpp:139 or Crash [@ js::wasm::DebugFrame::hasGlobal]

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20231127-edf9292c0bc9 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):

b = {}
c = d = new Proxy(b, {
  "deleteProperty"() {
    e = newGlobal()
    e.parent = c
    e.eval("var dbg = new Debugger(parent); dbg.onEnterFrame = function() {}")}
})
delete d.footrue;
function h(i) {
    binary = wasmTextToBinary(i)
    try {
        j = new WebAssembly.Module(binary)
    } catch {}
    return new WebAssembly.Instance(j)
}
ins = h(`
    (func $f (param i64 i64)
        )
    (func $g (param i64)
        i64.const 6
        i64.const 3
        return_call $f
    )
    (func (export "run") (param i64)
        local.get 0
        call $g
)`)
ins.exports.run(100n)

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x592d458e in js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*) ()
#0  0x592d458e in js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*) ()
#1  0x592c37bf in js::wasm::DebugFrame::hasGlobal(js::GlobalObject const*) const ()
#2  0x58649ba9 in js::Debugger::removeDebuggeeGlobal(JS::GCContext*, js::GlobalObject*, mozilla::detail::HashTable<js::WeakHeapPtr<js::GlobalObject*> const, mozilla::HashSet<js::WeakHeapPtr<js::GlobalObject*>, js::StableCellHasher<js::WeakHeapPtr<js::GlobalObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::SetHashPolicy, js::TrackedAllocPolicy<(js::TrackingKind)1> >::Enum*, js::Debugger::FromSweep) ()
#3  0x58648d47 in js::DebugAPI::sweepAll(JS::GCContext*) ()
#4  0x589b6dc6 in js::gc::GCRuntime::sweepDebuggerOnMainThread(JS::GCContext*) ()
#5  0x589b83f3 in js::gc::GCRuntime::beginSweepingSweepGroup(JS::GCContext*, js::SliceBudget&) ()
#6  0x589dec16 in sweepaction::SweepActionCall::run(js::gc::SweepAction::Args&) ()
#7  0x589e6868 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#8  0x589de773 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#9  0x589bd737 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#10 0x58900940 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#11 0x58903e1b in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#12 0x589054da in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#13 0x588ce530 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#14 0x5832385c in JSRuntime::destroyRuntime() ()
#15 0x5819fe8b in js::DestroyContext(JSContext*) ()
#16 0x57db9365 in main ()
eax	0x56702301	1450189569
ebx	0x598cd2b8	1502401208
ecx	0x598ceedc	1502408412
edx	0x0	0
esi	0xffffbf68	-16536
edi	0x593118a7	1496389799
ebp	0xffffc948	4294953288
esp	0xffffc920	4294953248
eip	0x592d458e <js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*)+350>
=> 0x592d458e <_ZN2js4wasm27GetNearestEffectiveInstanceEPKNS0_5FrameE+350>:	movl   $0x8b,0x0
   0x592d4598 <_ZN2js4wasm27GetNearestEffectiveInstanceEPKNS0_5FrameE+360>:	call   0x57e51260 <abort>

Likely not more than sec-moderate at most due to Debugger involved. This test only reproduces on 32-bit but I have seen similar signatures on 64-bit.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1866839 using build mozilla-central 20231127092818-edf9292c0bc9. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 4

[Ryan Hunt [:rhunt]]

Yury, looks related to the debug and tail calls issue you fixed recently. Can you take a look?

Comment 5

[Yury Delendik (:yury)]

Attachment: Bug 1866839 - Track LeaveFrame for tail calls. r?rhunt

Comment 6

[Donal Meehan [:dmeehan]]

:yury I set Bug 1846534 as the regressor but could you confirm that is correct?

Comment 7

[Yury Delendik (:yury)]

(In reply to Donal Meehan [:dmeehan] from comment #6)

:yury I set Bug 1846534 as the regressor but could you confirm that is correct?

It is similar to bug 1865044. Its patch does not fully addresses the problem.

Comment 8

[Yury Delendik (:yury)]

Comment on attachment 9365934 [details]
Bug 1866839 - Track LeaveFrame for tail calls. r?rhunt

Beta/Release Uplift Approval Request

• User impact if declined: May cause as crash while debugging wasm program with tail calls.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): affects only wasm tail calls feature and debugger
• String changes made/needed:
• Is Android affected?: Unknown

Comment 9

[Pulsebot]

Pushed by ydelendik@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa0194bedfe4
Track LeaveFrame for tail calls. r=rhunt

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/aa0194bedfe4

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9365934 [details]
Bug 1866839 - Track LeaveFrame for tail calls. r?rhunt

Approved for 121.0b7.

Comment 12

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-beta/rev/838d79d0dcef

Comment 13

[Daniel Veditz [:dveditz]]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter