Closed
Bug 1301191
Opened 8 years ago
Closed 8 years ago
Assertion failure: !mutatingInstances_, at js/src/asmjs/WasmCompartment.cpp:129
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(2 files)
|
10.82 KB,
text/plain
|
Details | |
|
1.79 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 33e7ae9b3104 (build with --enable-debug --enable-more-deterministic --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
// jsfunfuzz-generated
timeout(1);
// Adapted from randomly chosen test: js/src/jit-test/tests/asm.js/testBug975182.js
(function() {
g = (function(t, foreign) {
"use asm";
var ff = foreign.ff;
function f() {
ff()
}
return f
})(this, {
ff: arguments.callee
})
})()
function m(f) {
for (var j = 0; j < 9999; ++j) {
f();
}
}
m(g);
Backtrace:
#0 0x0000000000637013 in js::wasm::Compartment::lookupInstanceDeprecated (this=0x7fa0e0e6e3f0, pc=0x65fad1 <mozilla::Move<js::wasm::Instance*&>(js::wasm::Instance*&)+4>) at js/src/asmjs/WasmCompartment.cpp:129
#1 0x0000000000921b05 in RedirectJitCodeToInterruptCheck (rt=0x7fa0e0e44208, context=0x7ffd9aa6cec0) at js/src/asmjs/WasmSignalHandlers.cpp:1244
#2 0x0000000000921bb7 in JitInterruptHandler (signum=26, info=0x7ffd9aa6cff0, context=0x7ffd9aa6cec0) at js/src/asmjs/WasmSignalHandlers.cpp:1268
#3 <signal handler called>
#4 0x000000000065fad1 in mozilla::Move<js::wasm::Instance*&> (aX=@0x7fa0e0e6e3f0: 0x7fa0dfb4c000) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/objdir-js/dist/include/mozilla/Move.h:201
#5 0x0000000000656a8d in mozilla::Vector<js::wasm::Instance*, 0ul, js::SystemAllocPolicy>::insert<js::wasm::Instance*>(js::wasm::Instance**, js::wasm::Instance*&&) (this=0x7fa0e0e6e3f0, aP=0x7fa0dfb4c000, aVal=<unknown type in /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104, CU 0xaa213f, DIE 0xc0917a>) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/objdir-js/dist/include/mozilla/Vector.h:1239
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/bc217e3f030d user: Luke Wagner date: Mon Aug 01 08:28:20 2016 -0500 summary: Bug 1288483 - Baldr: allow multiple Instances per WasmActivation (r=bbouvier) Luke, is bug 1288483 a likely regressor? This is happening fairly often thus setting [fuzzblocker], but also fairly intermittently probably due to the presence of the timeout function.
|
|
Assignee | |
Comment 3•8 years ago
|
||
Wow, excellent find for the fuzzers. Benjamin, it turns out you were right in bug 1288483 comment 12; in my response, I forgot that profiling isn't the only signal handler.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8789232 -
Flags: review?(bbouvier)
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8789232 [details] [diff] [review] fix-lookup-instance Review of attachment 8789232 [details] [diff] [review]: ----------------------------------------------------------------- Thank you for the patch!
Attachment #8789232 -
Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c6ccab4363f4 Baldr: handle interrupt signal while mutating instance vector (r=bbouvier)
|
||
Comment 6•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c6ccab4363f4
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•