Closed Bug 1330339 Opened 8 years ago Closed 8 years ago

Assertion failure: !done() && debugEnabled(), at js/src/wasm/WasmFrameIterator.cpp:223

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla53
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: decoder, Assigned: yury)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 2963cf6be7f8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

let lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
processModule(lfModule, `
  let g = newGlobal();
  let dbg = new Debugger(g);
  function test(string, mustBeCaught) {
    dbg.onExceptionUnwind = function (frame) {
      frame = frame.older;
    };
    g.eval(string);
  }
  test("throw new Error();", [false]);
`);
function processModule(module, jscode) {
  imports = {}
  for (let descriptor of WebAssembly.Module.imports(module)) {
    imports[descriptor.module] = {}
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
    instance = new WebAssembly.Instance(module, imports);
  }
  for (let descriptor of WebAssembly.Module.exports(module)) {
    switch (descriptor.kind) {
      case "function":
        print(instance.exports[descriptor.name]())
    }
  }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::wasm::FrameIterator::instance (this=this@entry=0x7fffffff9158) at js/src/wasm/WasmFrameIterator.cpp:223
#0 js::wasm::FrameIterator::instance (this=this@entry=0x7fffffff9158) at js/src/wasm/WasmFrameIterator.cpp:223
#1 0x0000000000a6895c in js::FrameIter::wasmInstance (this=0x7fffffff90c8) at js/src/vm/Stack.h:2064
#2 js::Debugger::observesFrame (this=0x7ffff693e800, iter=...) at js/src/vm/Debugger.cpp:6301
#3 0x0000000000a963eb in js::DebuggerFrame::getOlder (cx=0x7ffff695f000, frame=..., frame@entry=..., result=..., result@entry=...) at js/src/vm/Debugger.cpp:7514
#4 0x0000000000a96576 in js::DebuggerFrame::olderGetter (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:8189
#5 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa964c0 <js::DebuggerFrame::olderGetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#6 0x0000000000542311 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#7 0x0000000000542726 in InternalCall (cx=cx@entry=0x7ffff695f000, args=...) at js/src/vm/Interpreter.cpp:502
#8 0x00000000005432a7 in js::Call (rval=..., args=..., thisv=..., fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.cpp:521
#9 js::CallGetter (cx=0x7ffff695f000, thisv=thisv@entry=..., getter=getter@entry=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:635
#10 0x0000000000b39cc4 in CallGetter (vp=..., shape=..., receiver=..., obj=..., cx=0x7ffff695f000) at js/src/vm/NativeObject.cpp:1809
#11 GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff695f000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1857
#12 0x0000000000b3a9ac in NativeGetPropertyInline<(js::AllowGC)1> (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2084
#13 0x0000000000b3afc0 in js::NativeGetProperty (cx=cx@entry=0x7ffff695f000, obj=..., receiver=..., receiver@entry=..., id=..., id@entry=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2118
#14 0x000000000054b2a4 in js::GetProperty (cx=0x7ffff695f000, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1510
#15 0x000000000053126d in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:848
#16 js::GetProperty (cx=0x7ffff695f000, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4273
#17 0x0000000000534b8f in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:192
#18 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2636
#19 0x0000000000542035 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#20 0x000000000054264a in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#21 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#22 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#23 0x0000000000a959d2 in js::Call (rval=..., arg1=..., arg0=..., thisObj=<optimized out>, fval=..., cx=0x7ffff695f000) at js/src/vm/Interpreter.h:135
#24 js::Debugger::fireExceptionUnwind (this=this@entry=0x7ffff693e800, cx=0x7ffff695f000, vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1780
#25 0x0000000000a96106 in js::Debugger::<lambda(js::Debugger*)>::operator() (dbg=0x7ffff693e800, __closure=<synthetic pointer>) at js/src/vm/Debugger.cpp:1026
#26 js::Debugger::dispatchHook<js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)>, js::Debugger::slowPathOnExceptionUnwind(JSContext*, js::AbstractFramePtr)::<lambda(js::Debugger*)> > (fireHook=..., cx=0x7ffff695f000, hookIsEnabled=...) at js/src/vm/Debugger.cpp:1893
#27 js::Debugger::slowPathOnExceptionUnwind (cx=0x7ffff695f000, frame=...) at js/src/vm/Debugger.cpp:1027
#28 0x0000000000533e77 in js::Debugger::onExceptionUnwind (frame=..., frame@entry=..., cx=<optimized out>) at js/src/vm/Debugger-inl.h:66
#29 HandleError (regs=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:1242
#30 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:4160
#31 0x0000000000542035 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#32 0x0000000000544810 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffb8e8) at js/src/vm/Interpreter.cpp:684
#33 0x000000000057ce22 in EvalKernel (cx=0x7ffff695f000, v=..., evalType=evalType@entry=INDIRECT_EVAL, caller=..., env=..., pc=pc@entry=0x0, vp=...) at js/src/builtin/Eval.cpp:328
#34 0x000000000057d4fa in js::IndirectEval (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Eval.cpp:421
#35 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0x57d420 <js::IndirectEval(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#36 0x0000000000542311 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#37 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#38 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:521
#39 0x0000000000a21228 in js::Wrapper::call (this=this@entry=0x2059fc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, proxy=..., proxy@entry=..., args=...) at js/src/proxy/Wrapper.cpp:165
#40 0x0000000000a0ea55 in js::CrossCompartmentWrapper::call (this=0x2059fc0 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff695f000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:333
#41 0x0000000000a17803 in js::Proxy::call (cx=0x7ffff695f000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:421
#42 0x0000000000a1b345 in js::proxy_Call (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:662
#43 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xa1b2d0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#44 0x0000000000542607 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:445
#45 0x00000000005344ee in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#46 Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2919
#47 0x0000000000542035 in js::RunScript (cx=cx@entry=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#48 0x000000000054264a in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475
#49 0x0000000000542726 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:502
#50 0x000000000054289e in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:521
#51 0x0000000000d51c67 in js::wasm::Instance::callImport (this=0x7ffff03e2700, cx=cx@entry=0x7ffff695f000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc610, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:177
#52 0x0000000000d5258e in js::wasm::Instance::callImport_i32 (instance=<optimized out>, funcImportIndex=0, argc=0, argv=0x7fffffffc610) at js/src/wasm/WasmInstance.cpp:268
#53 0x00007ffff7ff421f in ?? ()
#54 0x00007fffffffc680 in ?? ()
#55 0x0000000000be9e71 in JS::Rooted<js::SavedFrame*>::rootLists (this=0x7fffffffc748, cx=0x7fffffffc700) at dist/include/js/RootingAPI.h:774
#56 JS::Rooted<js::SavedFrame*>::Rooted<JSContext*, JS::PersistentRooted<js::SavedFrame*>&> (initial=..., cx=<synthetic pointer>, this=0x7fffffffc748) at dist/include/js/RootingAPI.h:791
#57 js::Activation::Activation (this=0x7fffffffc700, cx=0x7fffffffc700, kind=(unknown: 4030605136)) at js/src/vm/Stack-inl.h:923
#58 0x0000000000d3caad in WasmCall (cx=0x7fffffffcb50, cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1060
#59 0x000000000054c751 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xd3ca00 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#72 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7947

rax 0x2062520 33957152
rbx 0x7fffffff9158 140737488327000
rcx 0x127e050 19390544
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffff9070 140737488326768
rsp 0x7fffffff9060 140737488326752
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4740 140737354024768
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff693e800 140737330276352
r13 0x7ffff693e800 140737330276352
r14 0x1 1
r15 0x7ffff695f000 140737330409472
rip 0xd33cff <js::wasm::FrameIterator::instance() const+111>
=> 0xd33cff <js::wasm::FrameIterator::instance() const+111>: movl $0x0,0x0
0xd33d0a <js::wasm::FrameIterator::instance() const+122>: ud2
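The crash above sits on the wasm-to-JS boundary: the wasm export calls an imported JS function (frames #51-#52, Instance::callImport), the JS side throws, and the Debugger's onExceptionUnwind hook walks frame.older across the wasm frame. The following is an added example, not code from the bug report or from SpiderMonkey, that builds the same module shape (one i32-returning import, one export that calls it) as hand-assembled bytes so it runs under Node without the shell-only helpers (wasmTextToBinary, newGlobal, Debugger) the testcase depends on. It shows the normal round trip, the i32 coercion at the boundary, and the exception unwinding back through the wasm frame into JS. The byte layout is constructed here from the wasm binary format; the check for a wasm frame in the stack trace assumes V8's convention of printing wasm frames as wasm-function[N].

```javascript
// Added example (not part of bug 1330339): a JS -> wasm -> JS call chain,
// mirroring the fuzz testcase's module without SpiderMonkey shell helpers.

// Constructed binary for:
//   (module
//     (import "global" "func" (result i32))          ;; func index 0
//     (func (export "func_0") (result i32) call 0))  ;; func index 1
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,      // magic "\0asm" + version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,            // type section: type 0 = () -> i32
  0x02, 0x0f, 0x01,                                    // import section, 1 entry
  0x06, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c,            //   module name "global"
  0x04, 0x66, 0x75, 0x6e, 0x63,                        //   field name "func"
  0x00, 0x00,                                          //   kind = func, type index 0
  0x03, 0x02, 0x01, 0x00,                              // function section: 1 func of type 0
  0x07, 0x0a, 0x01,                                    // export section, 1 entry
  0x06, 0x66, 0x75, 0x6e, 0x63, 0x5f, 0x30,            //   name "func_0"
  0x00, 0x01,                                          //   kind = func, func index 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,      // code section: body { call 0; end }
]);

// Compile and instantiate, binding importFn to the "global"."func" import.
function makeInstance(importFn) {
  const compiled = new WebAssembly.Module(MODULE_BYTES);
  return new WebAssembly.Instance(compiled, { global: { func: importFn } });
}

// JS -> wasm -> JS round trip. Whatever the import returns is coerced to i32
// (ToInt32) when it crosses back into wasm, since the import is typed (result i32).
function callThroughWasm(importFn) {
  return makeInstance(importFn).exports.func_0();
}

// Exception path: the import throws and the exception unwinds through the wasm
// frame back into the calling JS frame, the same unwind the testcase's Debugger
// hook was observing when frame.older stepped onto the wasm frame. Returns the
// message and whether the engine reports a wasm frame between the two JS frames.
function unwindThroughWasm() {
  try {
    callThroughWasm(() => { throw new Error("thrown from import"); });
  } catch (e) {
    return { message: e.message, sawWasmFrame: /wasm/.test(String(e.stack)) };
  }
  return null;  // not reached: the throw always propagates
}

console.log(callThroughWasm(() => 42));           // 42
console.log(callThroughWasm(() => 2 ** 32 + 7));  // 7: ToInt32 wraps modulo 2^32
console.log(unwindThroughWasm());
```

Run it with node; the third line shows the exception carrying a wasm frame in its trace, which is the position an exception-unwind hook sees when it walks from the throwing JS frame to its wasm caller.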
First wasm fuzz bug calling into JS \o/ Probably a regression from the debugger landing, cc'ing yury.
Component: JavaScript Engine → JavaScript Engine: JIT
Blocks: 1286948
Added a check to make sure we can access the wasm instance at wasm::FrameIterator. The wasm instance property is only available for baseline-compiled code atm. In the future we are planning to move TlsData to all frames, so the property above will always be available.
Assignee: nobody → ydelendik
Comment on attachment 8826189 [details]
Bug 1330339 - Ensure wasm debug is enabled when observesFrame is queried.

https://reviewboard.mozilla.org/r/104194/#review105078

Makes sense, thanks!

::: js/src/vm/Stack.h:1814
(Diff revision 1)
>     bool hasScript() const { return !isWasm(); }
>
>     // -----------------------------------------------------------
>     // The following functions can only be called when isWasm()
>     // -----------------------------------------------------------
> +  inline bool wasmDebugEnabled() const;

uber-nit: can haz \n between comment and declaration?
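Review bot: the new `inline bool wasmDebugEnabled() const;` lands under the banner "The following functions can only be called when isWasm()", so its definition (not in this hunk) should assert isWasm() on entry like the precondition that banner states; a caller that reaches it from a non-wasm frame then fails at the accessor rather than deeper in FrameIterator, which is where the assertion in comment 0 fired.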
Attachment #8826189 - Flags: review?(luke) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/6d67b80ede88 Ensure wasm debug is enabled when observesFrame is queried. r=luke
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53