Closed
Bug 1376841
Opened 7 years ago
Closed 7 years ago
[wasm] Crash [@ js_free]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla56
Tracking | Status
---|---
firefox-esr52 | unaffected
firefox54 | unaffected
firefox55 | unaffected
firefox56 | fixed
People
(Reporter: gkw, Assigned: luke)
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
6.84 KB, text/plain
429 bytes, patch, lth: review+
The following testcase crashes on mozilla-central revision cc903e3f6189 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

```js
oomTest(function () {
  new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
    (module
      (global (mut i64) (i64.const 0))
      (func)
      (global (mut f64) (f64.const 0))
      (func (result f64) get_global 1)
      (global (mut i64) (i64.const 0))
      (func
        i64.const 0 i64.const 0 i32.const 0 select
        call 1
        set_global 1
        set_global 2)
      (func (result i64) (param f64) (param i64) (param i32)
        get_local 2
        i64.const 0 i64.const 0 i32.const 0 select
        drop
        i64.extend_s/i32)
      (func (result f32) (param i32) (param i64) (param f32)
        f64.const 0 f64.const 0 i32.const 0 select
        get_local 1 get_local 2
        i32.const 0 i32.const 0 i32.const 0 select
        drop drop drop
        f32.demote/f64
        f64.const 0 f64.const 0 i32.const 0 select
        set_global 1
        i32.const 0 i32.const 0 i32.const 0 select
        i64.const 0
        get_global 2
        drop drop drop))
  `)));
})
```

Backtrace:

```
#0 js_free (p=<error reading variable: Cannot access memory at address 0x20>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:257
#1 js::wasm::GlobalSegment::~GlobalSegment (this=0x7fd144616250, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:878
#2 js_delete<js::wasm::GlobalSegment> (p=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:383
#3 JS::DeletePolicy<js::wasm::GlobalSegment>::operator() (this=<optimized out>, ptr=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:485
#4 mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >::reset (aPtr=0x0, this=0x7fff2d04dfe0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/mozilla/UniquePtr.h:343
/snip
```

For detailed crash information, see attachment.

js_free is on the stack, setting s-s as a start.
Reporter
Comment 1•7 years ago

Reporter
Comment 2•7 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ba901f83a5fd
user: Luke Wagner
date: Fri Jun 23 18:03:19 2017 -0500
summary: Bug 1374218 - Baldr: ensure alignment of TlsData (r=lth)

Luke, is bug 1374218 a likely regressor?
Flags: needinfo?(luke)
Summary: Crash [@ js_free] → Crash [@ js_free] involving wasm
Reporter
Updated•7 years ago
Summary: Crash [@ js_free] involving wasm → [wasm] Crash [@ js_free]

Assignee
Comment 3•7 years ago
D'oh, this code was implicitly relying before on js_free(nullptr) being a nop.
Assignee
Comment 4•7 years ago
Crash at reliably-small offset from null, so I don't think this is s-s.
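The failure mode described in comments 3 and 4, as an added C++ example that is not SpiderMonkey's code: a two-phase object whose destructor frees through a field of a pointer that is left null when the second-phase allocation fails under OOM. The names `TlsData`, `GlobalSegment`, `GlobalSegmentUnchecked`, `allocateTlsData`, `gSimulateOom` and `createSegment` are hypothetical stand-ins, and the struct layout is constructed so that the unchecked read would land at offset 0x20, the address in the backtrace. The unchecked variant is shown for contrast only and is never destroyed; the hardened variant tolerates the null field, which is the shape of the "handle null field on OOM" fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>

// Hypothetical stand-in for an aligned TlsData block. The 32-byte scratch
// field is constructed so that allocatedBase sits at offset 0x20 (32), the
// address the backtrace shows js_free's argument being read from when the
// owning pointer is null.
struct TlsData {
    uint8_t scratch[32];
    void* allocatedBase;   // raw pointer returned by malloc(), before alignment
};

static constexpr size_t kTlsAlign = 64;

// Hypothetical OOM switch: when set, the allocator behaves as if malloc() failed.
static bool gSimulateOom = false;

// Over-allocate, round up to kTlsAlign and record the raw base for freeing.
static TlsData* allocateTlsData() {
    if (gSimulateOom)
        return nullptr;
    void* base = std::malloc(sizeof(TlsData) + kTlsAlign);
    if (!base)
        return nullptr;
    uintptr_t raw = reinterpret_cast<uintptr_t>(base);
    uintptr_t aligned = (raw + kTlsAlign - 1) & ~static_cast<uintptr_t>(kTlsAlign - 1);
    TlsData* tls = reinterpret_cast<TlsData*>(aligned);
    tls->allocatedBase = base;
    return tls;
}

// The pattern behind the crash (shown only; never instantiated here): freeing
// through the field assumes tlsData_ is non-null, so after a failed allocation
// the destructor reads nullptr->allocatedBase instead of calling free(nullptr).
struct GlobalSegmentUnchecked {
    TlsData* tlsData_ = nullptr;
    ~GlobalSegmentUnchecked() { std::free(tlsData_->allocatedBase); }
};

// Hardened version: the destructor tolerates a null field, which a two-phase
// object must do when its second phase can fail under OOM.
struct GlobalSegment {
    TlsData* tlsData_ = nullptr;
    bool init() {
        tlsData_ = allocateTlsData();
        return tlsData_ != nullptr;
    }
    ~GlobalSegment() {
        if (tlsData_)   // null after an OOM during init(); nothing to free
            std::free(tlsData_->allocatedBase);
    }
};

// Create a segment the way the engine does: construct, try to allocate, and on
// failure destroy the partially built object (the UniquePtr::reset step in
// frame #4 of the backtrace). Returns true when creation succeeded.
static bool createSegment(bool simulateOom) {
    gSimulateOom = simulateOom;
    std::unique_ptr<GlobalSegment> seg(new GlobalSegment());
    if (!seg->init()) {
        seg.reset();   // safe: the destructor sees tlsData_ == nullptr
        return false;
    }
    return true;       // seg goes out of scope here and frees its TlsData
}

// Sanity check that the aligned allocation really is aligned and freeable.
static bool tlsDataIsAligned() {
    gSimulateOom = false;
    TlsData* tls = allocateTlsData();
    if (!tls)
        return false;
    bool aligned = (reinterpret_cast<uintptr_t>(tls) % kTlsAlign) == 0;
    std::free(tls->allocatedBase);
    return aligned;
}

int main() {
    bool ok = createSegment(false) && !createSegment(true) && tlsDataIsAligned();
    return ok ? 0 : 1;
}
```

The OOM path exercises exactly the ordering in the report: the segment exists, its allocation fails, and the owner resets the pointer, so the destructor must be written for a field that was never filled in.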
Comment 5•7 years ago
Comment on attachment 8882045: fix-oom
Review of attachment 8882045:

D'oh indeed.
Attachment #8882045 - Flags: review?(lhansen) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d762b3e46153
Baldr: handle null field on OOM (r=lth)
Comment 8•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/d762b3e46153
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•7 years ago
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected