Assertion failure: !mutatingInstances_, at js/src/asmjs/WasmCompartment.cpp:129

RESOLVED FIXED in Firefox 51

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Version: Trunk
Target Milestone: mozilla51
Platform: x86_64 Linux
Keywords: assertion, jsbugmon, testcase

Firefox Tracking Flags

(firefox51 fixed)

Details

(Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 33e7ae9b3104 (build with --enable-debug --enable-more-deterministic --disable-optimize, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// jsfunfuzz-generated
timeout(1);   // shell watchdog: requests an interrupt after 1s, delivered via the JIT interrupt signal handler
// Adapted from randomly chosen test: js/src/jit-test/tests/asm.js/testBug975182.js
(function() {
    g = (function(t, foreign) {
        "use asm";
        var ff = foreign.ff;
        function f() {
            ff()
        }
        return f
    })(this, {
        ff: arguments.callee   // the FFI call re-enters this outer function, which links a fresh asm.js instance
    })
})()
function m(f) {
    for (var j = 0; j < 9999; ++j) {
        f();   // each call inserts a new Instance into the compartment's instance vector
    }
}
m(g);


Backtrace:

#0  0x0000000000637013 in js::wasm::Compartment::lookupInstanceDeprecated (this=0x7fa0e0e6e3f0, pc=0x65fad1 <mozilla::Move<js::wasm::Instance*&>(js::wasm::Instance*&)+4>) at js/src/asmjs/WasmCompartment.cpp:129
#1  0x0000000000921b05 in RedirectJitCodeToInterruptCheck (rt=0x7fa0e0e44208, context=0x7ffd9aa6cec0) at js/src/asmjs/WasmSignalHandlers.cpp:1244
#2  0x0000000000921bb7 in JitInterruptHandler (signum=26, info=0x7ffd9aa6cff0, context=0x7ffd9aa6cec0) at js/src/asmjs/WasmSignalHandlers.cpp:1268
#3  <signal handler called>
#4  0x000000000065fad1 in mozilla::Move<js::wasm::Instance*&> (aX=@0x7fa0e0e6e3f0: 0x7fa0dfb4c000) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/objdir-js/dist/include/mozilla/Move.h:201
#5  0x0000000000656a8d in mozilla::Vector<js::wasm::Instance*, 0ul, js::SystemAllocPolicy>::insert<js::wasm::Instance*>(js::wasm::Instance**, js::wasm::Instance*&&) (this=0x7fa0e0e6e3f0, aP=0x7fa0dfb4c000, aVal=<unknown type in /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104, CU 0xaa213f, DIE 0xc0917a>) at /home/ubuntu/shell-cache/js-dbg-optDisabled-64-dm-linux-33e7ae9b3104/objdir-js/dist/include/mozilla/Vector.h:1239
/snip

For detailed crash information, see attachment.
(Reporter)

Comment 1

2 years ago
Created attachment 8789050 [details]
Detailed Crash Information
(Reporter)

Comment 2

2 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/bc217e3f030d
user:        Luke Wagner
date:        Mon Aug 01 08:28:20 2016 -0500
summary:     Bug 1288483 - Baldr: allow multiple Instances per WasmActivation (r=bbouvier)

Luke, is bug 1288483 a likely regressor? This is happening fairly often thus setting [fuzzblocker], but also fairly intermittently probably due to the presence of the timeout function.
Blocks: 1288483
Flags: needinfo?(luke)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
(Assignee)

Comment 3

2 years ago
Created attachment 8789232 [details] [diff] [review]
fix-lookup-instance

Wow, excellent find for the fuzzers.

Benjamin, it turns out you were right in bug 1288483 comment 12; in my response, I forgot that profiling isn't the only signal handler.
Assignee: nobody → luke
Status: NEW → ASSIGNED
Flags: needinfo?(luke)
Attachment #8789232 - Flags: review?(bbouvier)
Comment 4

Comment on attachment 8789232 [details] [diff] [review]
fix-lookup-instance

Review of attachment 8789232 [details] [diff] [review]:
-----------------------------------------------------------------

Thank you for the patch!
Attachment #8789232 - Flags: review?(bbouvier) → review+

Comment 5

2 years ago
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6ccab4363f4
Baldr: handle interrupt signal while mutating instance vector (r=bbouvier)
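The backtrace in the description shows the shape of the bug: the interrupt signal handler (frames #1 and #2) runs on the main thread while that thread is in the middle of a Vector::insert into the compartment's instance vector (frame #5), and the lookup it performs trips the !mutatingInstances_ assertion. The C program below is an added illustration, not SpiderMonkey code and not the patch that landed here; it models that hazard with a simplified sorted table of instances and shows a handler-side lookup that refuses to read the table while a mutation is in flight. The names (Compartment, register_instance, lookup_instance_from_handler, handle_interrupt), the sorted-array layout and the constructed code ranges are the example's own assumptions.

```c
#include <signal.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model (not SpiderMonkey code) of a compartment's table of
 * asm.js/wasm instances, each owning one contiguous range of JIT code.
 * The table is kept sorted by code_start so an interrupted pc can be mapped
 * to its instance by binary search. */
typedef struct {
    uintptr_t code_start;   /* first byte of the instance's code */
    uintptr_t code_end;     /* one past the last byte */
} Instance;

#define MAX_INSTANCES 16

typedef struct {
    Instance *instances[MAX_INSTANCES];
    size_t count;
    /* Raised while the table is being edited on the main thread. An
     * asynchronous interrupt handler on that same thread can run between any
     * two instructions of the edit, so it must check this before reading. */
    volatile sig_atomic_t mutating;
} Compartment;

void compartment_init(Compartment *c) {
    c->count = 0;
    c->mutating = 0;
}

/* Table read used by synchronous, main-thread callers. */
Instance *lookup_instance(const Compartment *c, uintptr_t pc) {
    size_t lo = 0, hi = c->count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        Instance *inst = c->instances[mid];
        if (pc < inst->code_start)
            hi = mid;
        else if (pc >= inst->code_end)
            lo = mid + 1;
        else
            return inst;
    }
    return NULL;
}

/* The only lookup the interrupt handler may do: if the table is mid-edit it
 * reports "no instance" and the handler leaves pc alone. The interrupt is
 * not lost; it is observed at the next explicit interrupt check. */
Instance *lookup_instance_from_handler(const Compartment *c, uintptr_t pc) {
    if (c->mutating)
        return NULL;
    return lookup_instance(c, pc);
}

/* Models the handler's decision: 1 if pc lies inside a known instance and
 * execution would be redirected to its interrupt stub, 0 otherwise. */
int handle_interrupt(const Compartment *c, uintptr_t pc) {
    return lookup_instance_from_handler(c, pc) != NULL;
}

/* Sorted insertion, with the mutating flag raised across the window in which
 * the table is inconsistent (entries shifted, count not yet updated). */
int register_instance(Compartment *c, Instance *inst) {
    if (c->count >= MAX_INSTANCES)
        return 0;
    c->mutating = 1;
    size_t i = c->count;
    while (i > 0 && c->instances[i - 1]->code_start > inst->code_start) {
        c->instances[i] = c->instances[i - 1];
        i--;
    }
    c->instances[i] = inst;
    c->count++;
    c->mutating = 0;
    return 1;
}

/* Same insertion, but an interrupt is delivered at the worst moment, after
 * the shift and before count is updated, to show that the guarded lookup
 * bails out instead of reading the half-updated table. Returns the handler's
 * decision (0 = not redirected), or -1 if the table is full. */
int register_instance_with_interrupt(Compartment *c, Instance *inst, uintptr_t interrupt_pc) {
    if (c->count >= MAX_INSTANCES)
        return -1;
    c->mutating = 1;
    size_t i = c->count;
    while (i > 0 && c->instances[i - 1]->code_start > inst->code_start) {
        c->instances[i] = c->instances[i - 1];
        i--;
    }
    c->instances[i] = inst;
    int redirected = handle_interrupt(c, interrupt_pc);  /* signal lands here */
    c->count++;
    c->mutating = 0;
    return redirected;
}
```

The guard is sound only because the flag is raised and cleared by the same thread that receives the signal, and because the handler reads nothing but a sig_atomic_t before deciding whether to touch the table; any lookup a handler performs over a structure the interrupted code may be editing needs an equivalent bail-out path rather than an assertion that the structure is quiescent.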

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c6ccab4363f4
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51