Closed Bug 1449589 Opened 6 years ago Closed 6 years ago

Assertion failure: false (!frames->empty()), at js/src/vm/SavedStacks.cpp:143 with streaming wasm compilation

Categories

(Core :: JavaScript Engine, defect)

ARM
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1445973
Tracking Status
firefox61 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

The following testcase crashes on mozilla-central revision b906009d875d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):

loadFile(`
  function testBoth(source, exportName, expectedValue) {
    WebAssembly.compileStreaming(code).then(m => { module = m });
    drainJobQueue();
  }
  var code = wasmTextToBinary('(module (func (export "run") (result i32) i32.const 42))');
  testBoth(code, 'run', 42);
`);
function loadFile(lfVarx) {
    try {
        oomTest(function() {
            eval(lfVarx);
        });
    } catch (lfVare) {}
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0880239f in js::LiveSavedFrameCache::find (this=0xffffaed0, cx=0xf6e1d800, framePtr=..., pc=0xf57a3103 <incomplete sequence \347>, frame=...) at js/src/vm/SavedStacks.cpp:143
#0  0x0880239f in js::LiveSavedFrameCache::find (this=0xffffaed0, cx=0xf6e1d800, framePtr=..., pc=0xf57a3103 <incomplete sequence \347>, frame=...) at js/src/vm/SavedStacks.cpp:143
#1  0x08809343 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1406
#2  0x0880a331 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1242
#3  0x085c575f in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0xf6e1d800, stackp=..., capture=...) at js/src/jsapi.cpp:7755
#4  0x082395e2 in PromiseDebugInfo::setResolutionInfo (cx=0xf6e1d800, promise=...) at js/src/builtin/Promise.cpp:274
#5  0x08220bc1 in js::PromiseObject::onSettled (cx=0xf6e1d800, promise=...) at js/src/builtin/Promise.cpp:3474
#6  0x08220d61 in ResolvePromise (cx=0xf6e1d800, promise=..., valueOrReason=..., state=JS::PromiseState::Fulfilled) at js/src/builtin/Promise.cpp:804
#7  0x082216ec in FulfillMaybeWrappedPromise (cx=0xf6e1d800, promiseObj=..., value_=...) at js/src/builtin/Promise.cpp:837
#8  0x08222202 in ResolvePromiseInternal (cx=0xf6e1d800, promise=..., resolutionVal=...) at js/src/builtin/Promise.cpp:563
#9  0x08222a12 in RunResolutionFunction (cx=0xf6e1d800, resolutionFun=..., result=..., mode=ResolveMode, promiseObj=...) at js/src/builtin/Promise.cpp:1924
#10 0x08227427 in PromiseReactionJob (cx=0xf6e1d800, argc=0, vp=0xffffa980) at js/src/builtin/Promise.cpp:1250
#11 0x081af0e9 in js::CallJSNative (cx=0xf6e1d800, native=0x8226be0 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
#12 0x081a42ad in js::InternalCallOrConstruct (cx=0xf6e1d800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#13 0x081a4670 in InternalCall (cx=cx@entry=0xf6e1d800, args=...) at js/src/vm/Interpreter.cpp:516
#14 0x081a482a in js::Call (cx=0xf6e1d800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#15 0x085eb57a in JS::Call (cx=0xf6e1d800, thisv=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:3011
#16 0x0871c5a1 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0xf6e1d800) at js/src/jsapi.h:3102
#17 js::RunJobs (cx=0xf6e1d800) at js/src/vm/JSContext.cpp:1224
#18 0x0808ee88 in DrainJobQueue (cx=0xf6e1d800, argc=0, vp=0xf561d178) at js/src/shell/js.cpp:963
#19 0x081af0e9 in js::CallJSNative (cx=0xf6e1d800, native=0x808ee30 <DrainJobQueue(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
[...]
#42 0x0846ea22 in OOMTest (cx=0xf6e1d800, argc=1, vp=0xf561d0b0) at js/src/builtin/TestingFunctions.cpp:1692
[...]
#57 0x08082bc8 in main (argc=3, argv=0xffffce04, envp=0xffffce14) at js/src/shell/js.cpp:9420
eax	0x0	0
ebx	0xffffaed0	-20784
ecx	0xf7d9f864	-136710044
edx	0x0	0
esi	0xffff9a44	-26044
edi	0xf6e1d800	-152971264
ebp	0xffff9a68	4294941288
esp	0xffff9a30	4294941232
eip	0x880239f <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+767>
=> 0x880239f <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+767>:	movl   $0x0,0x0
   0x88023a9 <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+777>:	ud2
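The bug was closed as a duplicate of bug 1445973, and the last comment notes that it slipped past the existing duplicate detection because the assertion (and therefore the crash location) had changed in the meantime. The script below is an added example for this page, not code from the bug or from the SpiderMonkey project: it parses gdb frames in the format printed above (`#N [0xADDR in ]FUNCTION (args) at FILE:LINE`), strips addresses, argument values and C++ parameter lists, and derives two crash signatures, a strict one that includes line numbers and a loose one that does not. The loose signature is what lets a triage tool still match a report like this one against an earlier bug after a line shift. `REPORTED_BT` is an excerpt of the backtrace from this report; `VARIANT_BT` is a constructed, hypothetical backtrace with different addresses and a shifted line at frame #0.

```python
"""Normalise gdb backtraces from SpiderMonkey crash reports into dedup signatures.

Added example for this page (not from the bug or from SpiderMonkey). Assumes the
frame format gdb printed in this report:
    #N [0xADDR in ]FUNCTION (args...) at FILE:LINE
"""
import hashlib
import re
from dataclasses import dataclass

FRAME_RE = re.compile(
    r"^#(?P<index>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+ in )?"         # address is optional (inlined frames omit it)
    r"(?P<func>.+?) \((?P<args>.*)\)"  # function (maybe with a C++ signature), then argument list
    r" at (?P<file>\S+):(?P<line>\d+)$"
)


@dataclass(frozen=True)
class Frame:
    index: int
    func: str   # qualified name without the parameter type list
    file: str
    line: int


def parse_backtrace(text):
    """Return the frames of a gdb backtrace; non-frame lines (signal banner,
    register dump, '[...]' elisions) are ignored."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        func = m.group("func").split("(")[0]  # drop C++ parameter types from the name
        frames.append(Frame(int(m.group("index")), func, m.group("file"), int(m.group("line"))))
    return frames


def signature(frames, depth=5, with_lines=True):
    """Stable id over the top `depth` frames. With with_lines=False the id
    survives line-number shifts caused by unrelated edits to the same files."""
    parts = []
    for f in frames[:depth]:
        parts.append(f"{f.func}@{f.file}:{f.line}" if with_lines else f"{f.func}@{f.file}")
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def same_crash(bt_a, bt_b, depth=5):
    """Loose comparison used for duplicate candidates: same functions in the
    same files, in the same order, line numbers ignored."""
    return signature(parse_backtrace(bt_a), depth, False) == signature(parse_backtrace(bt_b), depth, False)


# Excerpt of the backtrace from this bug (frames #0-#4 and #17, plus one register line).
REPORTED_BT = r"""
received signal SIGSEGV, Segmentation fault.
#0  0x0880239f in js::LiveSavedFrameCache::find (this=0xffffaed0, cx=0xf6e1d800, framePtr=..., pc=0xf57a3103 <incomplete sequence \347>, frame=...) at js/src/vm/SavedStacks.cpp:143
#1  0x08809343 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1406
#2  0x0880a331 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1242
#3  0x085c575f in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0xf6e1d800, stackp=..., capture=...) at js/src/jsapi.cpp:7755
#4  0x082395e2 in PromiseDebugInfo::setResolutionInfo (cx=0xf6e1d800, promise=...) at js/src/builtin/Promise.cpp:274
#17 js::RunJobs (cx=0xf6e1d800) at js/src/vm/JSContext.cpp:1224
eax	0x0	0
"""

# Constructed, hypothetical variant: a build from another revision where the
# assertion in LiveSavedFrameCache::find moved two lines up (141 instead of 143)
# and every address differs. Same call chain, so it should be a duplicate candidate.
VARIANT_BT = r"""
#0  0x08803111 in js::LiveSavedFrameCache::find (this=0xffffbe10, cx=0xf6e1e800, framePtr=..., pc=0xf57a4200 "", frame=...) at js/src/vm/SavedStacks.cpp:141
#1  0x0880a2c5 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e23890, cx=0xf6e1e800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1406
#2  0x0880b4f1 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e23890, cx=0xf6e1e800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1242
#3  0x085c6a0b in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0xf6e1e800, stackp=..., capture=...) at js/src/jsapi.cpp:7755
#4  0x0823a7e0 in PromiseDebugInfo::setResolutionInfo (cx=0xf6e1e800, promise=...) at js/src/builtin/Promise.cpp:274
"""

if __name__ == "__main__":
    for f in parse_backtrace(REPORTED_BT):
        print(f"#{f.index:<3} {f.func} at {f.file}:{f.line}")
    print("strict match:", signature(parse_backtrace(REPORTED_BT)) == signature(parse_backtrace(VARIANT_BT)))
    print("loose match: ", same_crash(REPORTED_BT, VARIANT_BT))
```

Run stand-alone, the script lists the normalised frames and reports that the strict signatures differ (line 141 vs 143 at frame #0) while the loose signatures match, which is the comparison a triage bot would use to surface bug 1445973 as the likely original even after the assertion moved.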
This might be a duplicate of bug 1445973.
That is my expectation as well.
Yep. This slipped through because the assertion changed in the meanwhile.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE