Closed
Bug 1455608
Opened 6 years ago
Closed 6 years ago
Assertion failure: !TlsContext.get()->suppressGC, at js/src/gc/RootMarking.cpp:317 with wasm and Debugger
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
RESOLVED
FIXED
mozilla61
Release | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | --- | unaffected |
firefox61 | --- | fixed |
People
(Reporter: decoder, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(1 file)
2.52 KB, patch, sfink: review+
The following testcase crashes on mozilla-central revision cc0d7de218cb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc):

```js
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
processModule(lfModule, `
  var dbg = new Debugger;
  dbg.memory.takeCensus()
`);
function processModule(module, jscode) {
  imports = {}
  for (let descriptor of WebAssembly.Module.imports(module)) {
    imports[descriptor.module] = {}
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
    instance = new WebAssembly.Instance(module, imports);
    for (let descriptor of WebAssembly.Module.exports(module)) {
      print(instance.exports[descriptor.name]())
    }
  }
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x0000000000f2e108 in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff5f19700, trc=trc@entry=0x7fffffffb128, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, session=...) at js/src/gc/RootMarking.cpp:317
#0  0x0000000000f2e108 in js::gc::GCRuntime::traceRuntimeCommon (this=this@entry=0x7ffff5f19700, trc=trc@entry=0x7fffffffb128, traceOrMark=traceOrMark@entry=js::gc::GCRuntime::TraceRuntime, session=...) at js/src/gc/RootMarking.cpp:317
#1  0x0000000000f2e4d1 in js::gc::GCRuntime::traceRuntime (this=0x7ffff5f19700, trc=0x7fffffffb128, session=...) at js/src/gc/RootMarking.cpp:300
#2  0x0000000000f2e5e8 in js::TraceRuntime (trc=trc@entry=0x7fffffffb128) at js/src/gc/RootMarking.cpp:290
#3  0x0000000000d1b6a9 in JS::ubi::RootList::init (this=this@entry=0x7fffffffb700, debuggees=...) at js/src/vm/UbiNode.cpp:441
#4  0x0000000000d1c29c in JS::ubi::RootList::init (this=this@entry=0x7fffffffb700, debuggees=..., debuggees@entry=...) at js/src/vm/UbiNode.cpp:482
#5  0x0000000000ae17a2 in js::DebuggerMemory::takeCensus (cx=0x7ffff5f15000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/DebuggerMemory.cpp:408
#6  0x00000000005b2e4e in js::CallJSNative (cx=0x7ffff5f15000, native=0xae1220 <js::DebuggerMemory::takeCensus(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#7  0x00000000005a77af in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#8  0x00000000005a7b8d in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#9  0x0000000000599fc1 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#10 Interpret (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:3084
#11 0x00000000005a726d in js::RunScript (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:417
#12 0x00000000005a7877 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#13 0x00000000005a7b8d in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#14 0x00000000005a7d10 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#15 0x0000000000dde0ad in js::wasm::Instance::callImport (this=this@entry=0x7ffff49fb5f0, cx=<optimized out>, cx@entry=0x7ffff5f15000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc500, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#16 0x0000000000ddeba4 in js::wasm::Instance::callImport_i32 (instance=0x7ffff49fb5f0, funcImportIndex=0, argc=0, argv=0x7fffffffc500) at js/src/wasm/WasmInstance.cpp:252
#17 0x00000cde967a50fc in ?? ()
[...]
#23 0x0000000000000000 in ?? ()
```

Registers and disassembly at the crash site:

```
rax 0x0            0
rbx 0x7ffff5f19700 140737319638784
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0            0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffafa0 140737488334752
rsp 0x7fffffffaeb0 140737488334512
r8  0x7ffff6ef7770 140737336276848
r9  0x7ffff7fe4780 140737354024832
r10 0x58           88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff5f15000 140737319620608
r13 0x7fffffffb128 140737488335144
r14 0x7ffff5f19780 140737319638912
r15 0x0            0
rip 0xf2e108 <js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime, js::gc::AutoTraceSession&)+1304>
=> 0xf2e108 <js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime, js::gc::AutoTraceSession&)+1304>: movl $0x0,0x0
   0xf2e113 <js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime, js::gc::AutoTraceSession&)+1315>: ud2
```

Seems very similar to the last bug I filed with wasm and Debugger. Might be a dup, but not sure.
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•6 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•6 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•6 years ago (Assignee)
We should allow js::TraceRuntime to work if GC is suppressed and only assert when we're actually doing a collection.
Assignee: nobody → jcoppeard
Attachment #8970118 - Flags: review?(sphink)
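To make the distinction in comment 2 concrete, here is a small C++ model of the assertion placement, added as an illustration; it is not SpiderMonkey code and does not reproduce the actual patch. The names traceRuntimeCommon, TraceOrMarkRuntime and TraceRuntime are taken from the backtrace above; MarkRuntime is an assumed name for the "really collecting" mode, the counter-based suppression flag and the root set are constructed stand-ins, and the debug assertion that aborted the real shell is modelled as a -1 return so the behaviour can be checked without crashing.

```cpp
// Added illustration (not SpiderMonkey code): a toy model of where the
// "GC is suppressed" precondition belongs. Names borrowed from the backtrace:
// traceRuntimeCommon, TraceOrMarkRuntime, TraceRuntime. MarkRuntime is an
// assumed name for the mode in which a real collection is running.
#include <cstdio>
#include <string>
#include <vector>

enum class TraceOrMarkRuntime { TraceRuntime, MarkRuntime };

struct Runtime {
    int suppressGC = 0;                 // >0 means a collection must not start here
    std::vector<std::string> roots;     // constructed stand-in for the runtime's root set
    int collections = 0;                // how many collections actually ran
};

// Scoped suppression, the kind of guard held while a wasm import call is on the stack.
class AutoSuppressGC {
    Runtime& rt_;
public:
    explicit AutoSuppressGC(Runtime& rt) : rt_(rt) { ++rt_.suppressGC; }
    ~AutoSuppressGC() { --rt_.suppressGC; }
    AutoSuppressGC(const AutoSuppressGC&) = delete;
    AutoSuppressGC& operator=(const AutoSuppressGC&) = delete;
};

// Before: every root traversal was rejected while GC was suppressed, including a
// read-only one, so a census taken from inside an import call tripped the assertion.
bool traversalAllowedBefore(const Runtime& rt, TraceOrMarkRuntime) {
    return rt.suppressGC == 0;
}

// After: only an actual collection (marking) requires suppression to be off;
// tracing the roots without collecting is harmless and is allowed.
bool traversalAllowedAfter(const Runtime& rt, TraceOrMarkRuntime mode) {
    return mode == TraceOrMarkRuntime::TraceRuntime || rt.suppressGC == 0;
}

// Walks the roots. Returns the number of roots visited, or -1 when the
// precondition fails (standing in for the MOZ_ASSERT that aborted the real shell).
long traceRuntimeCommon(Runtime& rt, TraceOrMarkRuntime mode, bool fixed) {
    bool ok = fixed ? traversalAllowedAfter(rt, mode) : traversalAllowedBefore(rt, mode);
    if (!ok) return -1;
    long visited = 0;
    for (const std::string& root : rt.roots) { (void)root; ++visited; }
    if (mode == TraceOrMarkRuntime::MarkRuntime) ++rt.collections;
    return visited;
}

// Debugger.memory.takeCensus() analogue: a read-only walk of the roots.
long takeCensus(Runtime& rt, bool fixed) {
    return traceRuntimeCommon(rt, TraceOrMarkRuntime::TraceRuntime, fixed);
}
// Full collection analogue.
long collect(Runtime& rt, bool fixed) {
    return traceRuntimeCommon(rt, TraceOrMarkRuntime::MarkRuntime, fixed);
}

Runtime makeRuntime() {
    Runtime rt;
    rt.roots = {"lfModule", "instance", "dbg"};   // constructed sample roots
    return rt;
}

// Shape of the bug's call chain: census requested while an import call holds suppression.
long censusInsideImportCall(bool fixed) {
    Runtime rt = makeRuntime();
    AutoSuppressGC guard(rt);
    return takeCensus(rt, fixed);
}
// A collection in the same position must still be refused, fixed or not.
long collectInsideImportCall(bool fixed) {
    Runtime rt = makeRuntime();
    AutoSuppressGC guard(rt);
    return collect(rt, fixed);
}
// Once the guard has been released, a collection proceeds normally.
long collectAfterImportReturns(bool fixed) {
    Runtime rt = makeRuntime();
    { AutoSuppressGC guard(rt); }
    return collect(rt, fixed);
}

int main() {
    std::printf("census under suppression, before fix: %ld\n", censusInsideImportCall(false));
    std::printf("census under suppression, after fix:  %ld\n", censusInsideImportCall(true));
    std::printf("collect under suppression, after fix: %ld\n", collectInsideImportCall(true));
    std::printf("collect after guard released:         %ld\n", collectAfterImportReturns(true));
    return 0;
}
```

The point the model makes is that a suppression flag guards against starting a collection, not against reading the heap; a precondition that conflates the two turns a legitimate debugger census into a crash. The fixed variant keeps the collection-time check unchanged, so the safety property the flag exists for is not weakened.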
Updated•6 years ago (Assignee)
Priority: -- → P3
Updated•6 years ago
Attachment #8970118 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d736cc8113cf Allow js::TraceRuntime to operate if GC is suppressed r=sfink
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/628622df5bf4 Back out test code since to fix bustage r=me on a CLOSED TREE
Comment 5•6 years ago
This was merged to m-c. I suspect Bugherder got confused by the follow-up push and that's why it wasn't marked at the time. https://hg.mozilla.org/mozilla-central/rev/d736cc8113cf
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox59: --- → unaffected
status-firefox60: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla61