Closed Bug 1406447 Opened 7 years ago Closed 7 years ago

Assertion failure: false (BinarySearchIf(codeSegments_, 0, codeSegments_.length(), CodeSegmentPC(code.segment(t).base()), &index)), at js/src/wasm/WasmCompartment.cpp:132 with OOM

Categories

(Core :: JavaScript Engine, defect, P2)

x86
Linux
defect

Tracking


RESOLVED DUPLICATE of bug 1406041
Tracking Status
firefox58 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision 19b32a138d08 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

oomTest(function() {
  eval(`
    Function(\`
      g = (function(t,foreign){
        "use asm";
        function f() {}
        return f
      })(this, {}, new ArrayBuffer(4096))
    \`)()
  `);
});


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0899774a in js::wasm::Compartment::unregisterInstance (this=0xf7921b0c, instance=...) at js/src/wasm/WasmCompartment.cpp:131
#0  0x0899774a in js::wasm::Compartment::unregisterInstance (this=0xf7921b0c, instance=...) at js/src/wasm/WasmCompartment.cpp:131
#1  0x089dc152 in js::wasm::Instance::~Instance (this=0xf53cfa90, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:459
#2  0x08a2c2e4 in js::FreeOp::delete_<js::wasm::Instance> (this=0xffffc6b0, p=0xf53cfa90) at js/src/vm/Runtime.h:183
#3  js::WasmInstanceObject::finalize (fop=0xffffc6b0, obj=0xf558b1f0) at js/src/wasm/WasmJS.cpp:992
#4  0x0864b1db in js::Class::doFinalize (this=<optimized out>, obj=0xf558b1f0, fop=0xffffc6b0) at dist/include/js/Class.h:890
#5  JSObject::finalize (this=0xf558b1f0, fop=0xffffc6b0) at js/src/jsobjinlines.h:107
#6  0x0864b5e0 in js::gc::Arena::finalize<JSObject> (this=0xf558b000, fop=0xffffc6b0, thingKind=js::gc::AllocKind::OBJECT8, thingSize=80) at js/src/jsgc.cpp:544
#7  0x0860e7b0 in FinalizeTypedArenas<JSObject> (fop=0xffffc6b0, src=0xf7921284, dest=..., thingKind=js::gc::AllocKind::OBJECT8, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/jsgc.cpp:602
#8  0x0860eb15 in FinalizeArenas (keepArenas=js::gc::ArenaLists::KEEP_ARENAS, budget=..., thingKind=js::gc::AllocKind::OBJECT8, dest=..., src=0xf7921284, fop=0xffffc6b0) at js/src/jsgc.cpp:636
#9  js::gc::ArenaLists::foregroundFinalize (this=0xf7921084, fop=0xffffc6b0, thingKind=js::gc::AllocKind::OBJECT8, sliceBudget=..., sweepList=...) at js/src/jsgc.cpp:5689
#10 0x0860efe5 in js::gc::GCRuntime::finalizeAllocKind (gc=0xf7952440, fop=0xffffc6b0, budget=..., zone=0xf7921000, kind=js::gc::AllocKind::OBJECT8) at js/src/jsgc.cpp:6009
#11 0x0863a05f in sweepaction::SweepActionFunc<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*, js::gc::AllocKind>::run (args#4=<optimized out>, args#3=0xf7921000, args#2=..., args#1=0xffffc6b0, args#0=0xf7952440, this=0xf790b0e0) at js/src/jsgc.cpp:6119
#12 sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind> >, mozilla::EnumSet<js::gc::AllocKind>, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run (this=0xf7907400, args#0=0xf7952440, args#1=0xffffc6b0, args#2=..., args#3=0xf7921000) at js/src/jsgc.cpp:6178
#13 0x0864d179 in sweepaction::SweepActionForEach<js::gc::GCSweepGroupIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0xf790ac80, args#0=0xf7952440, args#1=0xffffc6b0, args#2=...) at js/src/jsgc.cpp:6178
#14 0x0864c7c5 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0xf7909430, args#0=0xf7952440, args#1=0xffffc6b0, args#2=...) at js/src/jsgc.cpp:6147
#15 0x086299ab in js::gc::GCRuntime::performSweepActions (this=0xf7952440, budget=..., lock=...) at js/src/jsgc.cpp:6307
#16 0x0862c782 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf7952440, budget=..., reason=JS::gcreason::DESTROY_RUNTIME, lock=...) at js/src/jsgc.cpp:6904
#17 0x0862dbd5 in js::gc::GCRuntime::gcCycle (this=0xf7952440, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7169
#18 0x0862e1bd in js::gc::GCRuntime::collect (this=0xf7952440, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7312
#19 0x0862e4c4 in js::gc::GCRuntime::gc (this=0xf7952440, gckind=GC_NORMAL, reason=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:7379
#20 0x0882a9ef in JSRuntime::destroyRuntime (this=0xf7952000) at js/src/vm/Runtime.cpp:320
#21 0x085c2837 in js::DestroyContext (cx=0xf791d000) at js/src/jscntxt.cpp:249
#22 0x080804d4 in main (argc=3, argv=0xffffce24, envp=0xffffce34) at js/src/shell/js.cpp:8682
eax	0x0	0
ebx	0xf7921b0c	-141419764
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xffffc298	-15720
edi	0xf52c0ab0	-181663056
ebp	0xffffc2c8	4294951624
esp	0xffffc270	4294951536
eip	0x899774a <js::wasm::Compartment::unregisterInstance(js::wasm::Instance&)+1258>
=> 0x899774a <js::wasm::Compartment::unregisterInstance(js::wasm::Instance&)+1258>:	movl   $0x0,0x0
   0x8997754 <js::wasm::Compartment::unregisterInstance(js::wasm::Instance&)+1268>:	ud2
Probably related to bug 1406041, I'll take a look at it next week.

(This is probably going to be trigger-happy)
Flags: needinfo?(bbouvier)
Priority: -- → P2
Bug 1406041 makes this assertion hold even in the case of OOMs and passes the test case.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → DUPLICATE
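The backtrace shows the assertion firing from Instance::~Instance during the DESTROY_RUNTIME sweep: a lookup in the compartment's sorted code-segment list fails for an instance whose registration never completed under OOM. The following is an added illustration of that failure class, not SpiderMonkey code; the SegmentRegistry and Instance types, the simulated OOM switch and the addresses are all hypothetical. It models a registry with a binary-search lookup, a fallible register step, and a destructor that only unregisters what was actually registered, and it shows why an unguarded unregister after a failed register returns "not found", which is exactly the condition the original assertion checks.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model of a per-compartment code-segment registry.
// It is an added example and not the js::wasm::Compartment implementation.
struct CodeSegment {
    uintptr_t base;
    size_t length;
};

class SegmentRegistry {
    std::vector<const CodeSegment*> segments_;  // kept sorted by base address
    bool simulateOOM_ = false;                  // stand-in for a fallible allocation

public:
    void simulateOOM(bool on) { simulateOOM_ = on; }
    size_t size() const { return segments_.size(); }

    // Binary search for the segment containing pc. Returns true and sets
    // *index on success, false if no registered segment covers pc.
    bool lookup(uintptr_t pc, size_t* index) const {
        auto it = std::upper_bound(segments_.begin(), segments_.end(), pc,
            [](uintptr_t p, const CodeSegment* s) { return p < s->base; });
        if (it == segments_.begin()) return false;
        --it;
        if (pc >= (*it)->base + (*it)->length) return false;
        *index = static_cast<size_t>(it - segments_.begin());
        return true;
    }

    // Fallible insert: returns false if the backing storage could not grow.
    bool registerSegment(const CodeSegment* seg) {
        if (simulateOOM_) return false;
        auto it = std::lower_bound(segments_.begin(), segments_.end(), seg->base,
            [](const CodeSegment* s, uintptr_t b) { return s->base < b; });
        segments_.insert(it, seg);
        return true;
    }

    // Returns whether the segment was found and removed. Code that asserts
    // this is always true breaks as soon as a registration failed under OOM.
    bool unregisterSegment(const CodeSegment* seg) {
        size_t index;
        if (!lookup(seg->base, &index)) return false;
        segments_.erase(segments_.begin() + index);
        return true;
    }
};

// An instance that registers its code in init() and unregisters in its
// destructor. The registered_ flag is the OOM-safe part: a failed init()
// must not leave a destructor that unregisters something never registered.
class Instance {
    SegmentRegistry& registry_;
    CodeSegment segment_;
    bool registered_ = false;

public:
    Instance(SegmentRegistry& r, uintptr_t base, size_t len)
        : registry_(r), segment_{base, len} {}
    bool init() { registered_ = registry_.registerSegment(&segment_); return registered_; }
    bool registered() const { return registered_; }
    const CodeSegment* segment() const { return &segment_; }
    ~Instance() { if (registered_) registry_.unregisterSegment(&segment_); }
};

// Drives the success path (oom=false) and the OOM path (oom=true).
// Returns true when the registry is left consistent on both.
bool demo(bool oom) {
    SegmentRegistry reg;
    CodeSegment other{0x1000, 0x100};           // an unrelated, already registered segment
    if (!reg.registerSegment(&other)) return false;
    reg.simulateOOM(oom);
    {
        Instance inst(reg, 0x4000, 0x200);
        bool ok = inst.init();
        if (ok == oom) return false;            // init succeeds exactly when there is no OOM
        size_t idx;
        if (reg.lookup(0x4010, &idx) != ok) return false;
    }                                           // destructor runs here
    reg.simulateOOM(false);
    size_t idx;
    return reg.size() == 1 && reg.lookup(0x1080, &idx) && idx == 0;
}

// The failure mode in the report: an unguarded unregister after a failed
// registration finds nothing, which is the condition the assertion tests.
bool unregisterAfterOomFinds() {
    SegmentRegistry reg;
    reg.simulateOOM(true);
    Instance inst(reg, 0x4000, 0x200);
    inst.init();                                // fails under simulated OOM
    reg.simulateOOM(false);
    return reg.unregisterSegment(inst.segment());  // false: nothing was registered
}
```

The guard in the destructor is the general pattern for any object whose constructor or init path can fail part-way: teardown must only undo the steps that actually completed, or the cleanup itself becomes a crash under memory pressure.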