Assertion failure: jitCaller->footer()->type() == jit::ExitFrameType::DirectWasmJitCall, at js/src/wasm/WasmFrameIter.cpp:139 or Crash [@ js::wasm::DebugFrame::hasGlobal]
Categories: Core :: JavaScript: WebAssembly, defect, P1
People: Reporter: decoder, Assigned: yury
Details: 5 keywords, Whiteboard: [bugmon:update,bisect]
Attachments (3 files): text/plain, 2.21 KB; text/plain, 590 bytes; text/x-phabricator-request, 48 bytes (RyanVM: approval-mozilla-beta+)
The following testcase crashes on mozilla-central revision 20231127-edf9292c0bc9 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):
b = {}
c = d = new Proxy(b, {
  // The deleteProperty trap creates a second global whose Debugger observes
  // this global with an onEnterFrame hook, so the wasm code below runs under
  // the debugger.
  "deleteProperty"() {
    e = newGlobal()
    e.parent = c
    e.eval("var dbg = new Debugger(parent); dbg.onEnterFrame = function() {}")
  }
})
delete d.footrue;
function h(i) {
  binary = wasmTextToBinary(i)
  try {
    j = new WebAssembly.Module(binary)
  } catch {}
  return new WebAssembly.Instance(j)
}
ins = h(`
  (func $f (param i64 i64)
  )
  ;; $g tail-calls $f, so $g's frame is replaced rather than left normally
  (func $g (param i64)
    i64.const 6
    i64.const 3
    return_call $f
  )
  (func (export "run") (param i64)
    local.get 0
    call $g
  )`)
ins.exports.run(100n)
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x592d458e in js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*) ()
#0 0x592d458e in js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*) ()
#1 0x592c37bf in js::wasm::DebugFrame::hasGlobal(js::GlobalObject const*) const ()
#2 0x58649ba9 in js::Debugger::removeDebuggeeGlobal(JS::GCContext*, js::GlobalObject*, mozilla::detail::HashTable<js::WeakHeapPtr<js::GlobalObject*> const, mozilla::HashSet<js::WeakHeapPtr<js::GlobalObject*>, js::StableCellHasher<js::WeakHeapPtr<js::GlobalObject*> >, js::TrackedAllocPolicy<(js::TrackingKind)1> >::SetHashPolicy, js::TrackedAllocPolicy<(js::TrackingKind)1> >::Enum*, js::Debugger::FromSweep) ()
#3 0x58648d47 in js::DebugAPI::sweepAll(JS::GCContext*) ()
#4 0x589b6dc6 in js::gc::GCRuntime::sweepDebuggerOnMainThread(JS::GCContext*) ()
#5 0x589b83f3 in js::gc::GCRuntime::beginSweepingSweepGroup(JS::GCContext*, js::SliceBudget&) ()
#6 0x589dec16 in sweepaction::SweepActionCall::run(js::gc::SweepAction::Args&) ()
#7 0x589e6868 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) ()
#8 0x589de773 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) ()
#9 0x589bd737 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) ()
#10 0x58900940 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) ()
#11 0x58903e1b in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) ()
#12 0x589054da in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) ()
#13 0x588ce530 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) ()
#14 0x5832385c in JSRuntime::destroyRuntime() ()
#15 0x5819fe8b in js::DestroyContext(JSContext*) ()
#16 0x57db9365 in main ()
eax 0x56702301 1450189569
ebx 0x598cd2b8 1502401208
ecx 0x598ceedc 1502408412
edx 0x0 0
esi 0xffffbf68 -16536
edi 0x593118a7 1496389799
ebp 0xffffc948 4294953288
esp 0xffffc920 4294953248
eip 0x592d458e <js::wasm::GetNearestEffectiveInstance(js::wasm::Frame const*)+350>
=> 0x592d458e <_ZN2js4wasm27GetNearestEffectiveInstanceEPKNS0_5FrameE+350>: movl $0x8b,0x0
0x592d4598 <_ZN2js4wasm27GetNearestEffectiveInstanceEPKNS0_5FrameE+360>: call 0x57e51260 <abort>
Likely not more than sec-moderate at most due to Debugger involved. This test only reproduces on 32-bit but I have seen similar signatures on 64-bit.
Comment 1 (Reporter) • 10 months ago
Comment 2 (Reporter) • 10 months ago
Comment 3 • 10 months ago
Unable to reproduce bug 1866839 using build mozilla-central 20231127092818-edf9292c0bc9. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 4 • 10 months ago
Yury, looks related to the debug and tail calls issue you fixed recently. Can you take a look?
Comment 5 (Assignee) • 10 months ago
Comment 6 • 10 months ago
:yury I set Bug 1846534 as the regressor but could you confirm that is correct?
Comment 7 (Assignee) • 10 months ago
(In reply to Donal Meehan [:dmeehan] from comment #6)
> :yury I set Bug 1846534 as the regressor but could you confirm that is correct?
It is similar to bug 1865044. Its patch does not fully address the problem.
Comment 8 (Assignee) • 10 months ago
Comment on attachment 9365934 [details]
Bug 1866839 - Track LeaveFrame for tail calls. r?rhunt
Beta/Release Uplift Approval Request
- User impact if declined: May cause a crash while debugging a wasm program with tail calls.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): affects only wasm tail calls feature and debugger
- String changes made/needed:
- Is Android affected?: Unknown
Comment 10 • 10 months ago
Comment 11 • 10 months ago
Comment on attachment 9365934 [details]
Bug 1866839 - Track LeaveFrame for tail calls. r?rhunt
Approved for 121.0b7.
Comment 12 • 10 months ago
uplift
Comment 13 • 5 months ago
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter