Bug 1894586 Comment 0 Edit History


```
function f() {
  wasmDumpIon(
    wasmTextToBinary(
      "(type $x (struct))(global $g (ref null $x) ref.null $x)(func $h)"
    )
  );
  oomTest(f);
}
f();
```

```
[178560] Assertion failure: js::gc::IsCellPointerValid(str), at /home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/objdir-js/dist/include/js/Value.h:615
#01: JS::Value::setString(JSString*)[/home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/js-dbg-64-linux-x86_64-0c09216614e4 +0x1c2e787]
#02: ???[/home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/js-dbg-64-linux-x86_64-0c09216614e4 +0x2320d25]
#03: ??? (???:???)
Segmentation fault
```

Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 0c09216614e4.

Bisection seems to point to some time in March 2024, but it's still running.

Setting s-s as a start, although if this is like bug 1891658, it may be benign, but I'll let Yury confirm.

```
function f() {
  wasmDumpIon(
    wasmTextToBinary(
      "(type $x (struct))(global $g (ref null $x) ref.null $x)(func $h)"
    )
  );
  oomTest(f);
}
f();
```

```
(gdb) bt
#0  JS::Value::setString (this=0x7fffffffc318, str=0x0) at /home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/objdir-js/dist/include/js/Value.h:615
#1  0x0000555557874d25 in JS::StringValue (str=0x55555576b596) at /home/ubumain/shell-cache/js-dbg-64-linux-x86_64-0c09216614e4/objdir-js/dist/include/js/Value.h:1187
#2  WasmDumpIon (cx=0x7ffff7639100, argc=<optimized out>, vp=<optimized out>) at /home/ubumain/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:2124
#3  0x0000166a9739d533 in ?? ()
#4  0x0000000000000000 in ?? ()
(gdb)
```

Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 0c09216614e4.

Bisection seems to point to some time in March 2024, but it's still running.

Setting s-s as a start, although if this is like bug 1891658, it may be benign, but I'll let Yury confirm.
