1302407 - Assertion failure: jit::JitOptions.wasmTestMode, at js/src/vm/SharedArrayObject.cpp:83

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

setJitCompilerOption('wasm.test-mode', 1);
new SharedArrayBuffer(65536);
setJitCompilerOption('wasm.test-mode', 0);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000b3f768 in SharedArrayMappedSize (allocSize=<optimized out>) at js/src/vm/SharedArrayObject.cpp:83
#0  0x0000000000b3f768 in SharedArrayMappedSize (allocSize=<optimized out>) at js/src/vm/SharedArrayObject.cpp:83
#1  js::SharedArrayRawBuffer::dropReference (this=0x7fff701effe8) at js/src/vm/SharedArrayObject.cpp:195
#2  0x0000000000b6a9b1 in js::SharedArrayBufferObject::Finalize (fop=<optimized out>, obj=0x7ffff0679160) at js/src/vm/SharedArrayObject.cpp:315
#3  0x000000000094a433 in js::Class::doFinalize (this=<optimized out>, obj=0x7ffff0679160, fop=0x7fffffffd020) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Class.h:816
#4  JSObject::finalize (this=this@entry=0x7ffff0679160, fop=fop@entry=0x7fffffffd020) at js/src/jsobjinlines.h:87
#5  0x000000000094a7be in js::gc::Arena::finalize<JSObject> (this=this@entry=0x7ffff0679000, fop=fop@entry=0x7fffffffd020, thingKind=thingKind@entry=js::gc::AllocKind::OBJECT2_BACKGROUND, thingSize=thingSize@entry=48) at js/src/jsgc.cpp:453
#6  0x000000000092336d in FinalizeTypedArenas<JSObject> (fop=0x7fffffffd020, src=0x7fffffffbf18, dest=..., thingKind=js::gc::AllocKind::OBJECT2_BACKGROUND, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/jsgc.cpp:511
#7  0x0000000000925471 in js::gc::ArenaLists::backgroundFinalize (fop=fop@entry=0x7fffffffd020, listHead=0x0, empty=empty@entry=0x7fffffffcfd8) at js/src/jsgc.cpp:2796
#8  0x000000000092580f in js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0x7ffff695f958, zones=..., freeBlocks=...) at js/src/jsgc.cpp:3196
#9  0x000000000092636a in js::gc::GCRuntime::sweepBackgroundThings (freeBlocks=..., zones=..., this=0x7ffff695f958) at js/src/gc/Heap.h:683
#10 js::gc::GCRuntime::endSweepingZoneGroup (this=this@entry=0x7ffff695f958) at js/src/jsgc.cpp:5142
#11 0x00000000009269e8 in js::gc::GCRuntime::sweepPhase (this=this@entry=0x7ffff695f958, sliceBudget=..., lock=...) at js/src/jsgc.cpp:5355
#12 0x000000000092e6ac in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695f958, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME, lock=...) at js/src/jsgc.cpp:5903
#13 0x000000000092fa9f in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695f958, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6143
#14 0x000000000093014b in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695f958, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6271
#15 0x000000000093046b in js::gc::GCRuntime::gc (this=this@entry=0x7ffff695f958, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6339
#16 0x0000000000b12659 in JSRuntime::destroyRuntime (this=this@entry=0x7ffff695f208) at js/src/vm/Runtime.cpp:406
#17 0x00000000008c4ec3 in JSContext::~JSContext (this=0x7ffff695f000, __in_chrg=<optimized out>) at js/src/jscntxt.cpp:935
#18 0x00000000008cc8f2 in js_delete_poison<JSContext> (p=0x7ffff695f000) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Utility.h:393
#19 js::DestroyContext (cx=0x7ffff695f000) at js/src/jscntxt.cpp:136
#20 0x000000000043bf40 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7689
rax	0x0	0
rbx	0x7fff701effe8	140735074467816
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffbcf0	140737488338160
rsp	0x7fffffffbc80	140737488338048
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x58	88
r11	0x7ffff6b9f750	140737332770640
r12	0x1000	4096
r13	0x7fff701ef000	140735074463744
r14	0x10000	65536
r15	0x7fffffffbdd0	140737488338384
rip	0xb3f768 <js::SharedArrayRawBuffer::dropReference()+456>
=> 0xb3f768 <js::SharedArrayRawBuffer::dropReference()+456>:	movl   $0x0,0x0
   0xb3f773 <js::SharedArrayRawBuffer::dropReference()+467>:	ud2

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

Fun.

Comment 2

[Luke Wagner [:luke]]

Oh, I think this is just a leftover, and now spurious, assert from before preparedFromAsmJS was added to precisely track this per-instance.

Comment 3

[Luke Wagner [:luke]]

Attachment: rm-assert

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8790704 [details] [diff] [review]
rm-assert

Review of attachment 8790704 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the patch.

::: js/src/jit-test/tests/asm.js/testBug1302407.js
@@ +1,2 @@
> +setJitCompilerOption('wasm.test-mode', 1);
> +new SharedArrayBuffer(65536);

Maybe guard against the existence of SharedArrayBuffer?

Comment 5

[Pulsebot]

Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/61fa499a0622
Remove now-unnecessary assert in SharedArrayMappedSize() (r=bbouvier)

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/61fa499a0622