Closed
Bug 1456517
Opened 6 years ago
Closed 5 years ago
Assertion failure: (zone->isAtomsZone() || zone->runtimeFromMainThread()->gc.nursery().isEmpty()), at js/src/gc/GC-inl.h:211 with wasm GC and Debugger
Categories: Core :: JavaScript: WebAssembly, defect, P2
Status: RESOLVED FIXED

Tracking | Status
---|---
firefox-esr52 | unaffected
firefox-esr60 | unaffected
firefox59 | unaffected
firefox60 | unaffected
firefox61 | fixed
People: Reporter: decoder, Unassigned
Details: 4 keywords, Whiteboard: [jsbugmon:]
The following testcase crashes on mozilla-central revision 26e53729a109 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc):

var lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
var g = newGlobal();
processModule(lfModule, `
  g.evaluate("function f() {}");
  var dbg1 = new Debugger;
  var gDO1 = dbg1.addDebuggee(g);
  var fDO1 = gDO1.getOwnPropertyDescriptor('f').value;
  dbg1.findScripts({ source: fDO1.script.source });
`);
function processModule(module, jscode) {
  var imports = {};
  for (let descriptor of WebAssembly.Module.imports(module)) {
    imports[descriptor.module] = {};
    // The import body runs the Debugger query from inside the wasm call.
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
    var instance = new WebAssembly.Instance(module, imports);
    for (let descriptor of WebAssembly.Module.exports(module)) {
      instance.exports[descriptor.name]();
    }
  }
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000b8b380 in js::gc::ZoneCellIter<js::gc::TenuredCell>::init (kind=<optimized out>, zone=<optimized out>, this=<optimized out>) at js/src/gc/GC-inl.h:209
#0  0x0000000000b8b380 in js::gc::ZoneCellIter<js::gc::TenuredCell>::init (kind=<optimized out>, zone=<optimized out>, this=<optimized out>) at js/src/gc/GC-inl.h:209
#1  js::gc::ZoneCellIter<js::gc::TenuredCell>::ZoneCellIter (kind=<optimized out>, zone=<optimized out>, this=<optimized out>) at js/src/gc/GC-inl.h:243
#2  js::gc::ZoneCellIter<JSObject>::ZoneCellIter (kind=<optimized out>, zone=<optimized out>, this=<optimized out>) at js/src/gc/GC-inl.h:334
#3  JS::Zone::cellIter<JSObject, js::gc::AllocKind&> (this=<optimized out>) at js/src/gc/Zone.h:172
#4  AddLazyFunctionsForCompartment (kind=<optimized out>, lazyFunctions=..., cx=<optimized out>) at js/src/vm/JSCompartment.cpp:1089
#5  CreateLazyScriptsForCompartment (cx=cx@entry=0x7ffff5f15000) at js/src/vm/JSCompartment.cpp:1123
#6  0x0000000000b8b778 in JSCompartment::ensureDelazifyScriptsForDebugger (this=0x7ffff5f4e800, cx=0x7ffff5f15000) at js/src/vm/JSCompartment.cpp:1154
#7  0x0000000000b2a41a in js::Debugger::ScriptQuery::delazifyScripts (this=0x7fffffffb610) at js/src/vm/Debugger.cpp:4586
#8  js::Debugger::ScriptQuery::findScripts (this=this@entry=0x7fffffffb610) at js/src/vm/Debugger.cpp:4406
#9  0x0000000000b11b56 in js::Debugger::findScripts (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/Debugger.cpp:4718
#10 0x00000000005b35be in js::CallJSNative (cx=0x7ffff5f15000, native=0xb11620 <js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#11 0x00000000005a7f1f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#12 0x00000000005a82fd in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#13 0x000000000059a731 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#14 Interpret (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:3084
#15 0x00000000005a79dd in js::RunScript (cx=0x7ffff5f15000, state=...) at js/src/vm/Interpreter.cpp:417
#16 0x00000000005a7fe7 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#17 0x00000000005a82fd in InternalCall (cx=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#18 0x00000000005a8480 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#19 0x0000000000ddfb6d in js::wasm::Instance::callImport (this=this@entry=0x7ffff49fb5f0, cx=<optimized out>, cx@entry=0x7ffff5f15000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc4f0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#20 0x0000000000de0664 in js::wasm::Instance::callImport_i32 (instance=0x7ffff49fb5f0, funcImportIndex=0, argc=0, argv=0x7fffffffc4f0) at js/src/wasm/WasmInstance.cpp:252
#21 0x000029b16c99a0fc in ?? ()
[...]
#27 0x0000000000000000 in ?? ()

rax 0x0              0
rbx 0x7ffff5f15000   140737319620608
rcx 0x7ffff6c282ad   140737333330605
rdx 0x0              0
rsi 0x7ffff6ef7770   140737336276848
rdi 0x7ffff6ef6540   140737336272192
rbp 0x7fffffffb480   140737488336000
rsp 0x7fffffffb2f0   140737488335600
r8  0x7ffff6ef7770   140737336276848
r9  0x7ffff7fe4780   140737354024832
r10 0x58             88
r11 0x7ffff6b9e7a0   140737332766624
r12 0x7fffffffb350   140737488335696
r13 0x7fffffffb3c0   140737488335808
r14 0x7ffff4948000   140737296760832
r15 0x7ffff5f19000   140737319636992
rip 0xb8b380 <CreateLazyScriptsForCompartment(JSContext*)+2224>
=> 0xb8b380 <CreateLazyScriptsForCompartment(JSContext*)+2224>: movl $0x0,0x0
   0xb8b38b <CreateLazyScriptsForCompartment(JSContext*)+2235>: ud2
Comment 1•6 years ago
Here, kind is FUNCTION (we call from AddLazyFunctionsForCompartment higher up in the stack). ZoneCellIter(JS::Zone* zone, AllocKind kind) tries to call zone->runtimeFromMainThread()->gc.evictNursery(), which doesn't empty the nursery because of --wasm-gc. The assertion says that if the kind is nursery allocatable, then the nursery should be empty, which is not the case, because we prevented gc just before.
Blocks: 1444925
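The interaction comment 1 describes, as an added simplified model (not SpiderMonkey's code; Nursery, Kind and the function names are assumptions): eviction is a silent no-op while GC is suspended, so an iterator whose precondition is an empty nursery trips its assertion, whereas a caller-level guard in the shape of the bug 1455603 fix refuses the query cleanly.

```cpp
#include <stdexcept>
#include <vector>

// Simplified model, not SpiderMonkey code: a nursery whose eviction is a
// silent no-op while GC is suspended, and an iterator that requires an empty
// nursery for nursery-allocatable kinds.

enum class Kind { Function, Script };  // Function is nursery-allocatable here

struct Nursery {
    std::vector<int> cells;      // constructed stand-ins for live nursery cells
    int gcDisableCount = 0;      // > 0 while wasm GC keeps garbage collection off

    bool isEmpty() const { return cells.empty(); }
    void evict() {
        if (gcDisableCount > 0) return;   // suppressed eviction, as with --wasm-gc
        cells.clear();
    }
};

static bool isNurseryAllocatable(Kind k) { return k == Kind::Function; }

// "Before": the iterator evicts and then asserts; the MOZ_ASSERT crash is
// modelled as a thrown logic_error.
void beginCellIterUnchecked(Nursery& n, Kind k) {
    n.evict();
    if (isNurseryAllocatable(k) && !n.isEmpty())
        throw std::logic_error("assertion: nursery not empty");
}

// Reports whether the modelled assertion would fire for this query.
bool assertionFires(Nursery& n, Kind k) {
    try {
        beginCellIterUnchecked(n, k);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// "After": the shape of the bug 1455603 fix, refusing the findScripts query
// while GC is suspended instead of trusting that eviction succeeded.
// Returns true when the query ran, false when it was refused.
bool findScriptsGuarded(Nursery& n, Kind k) {
    if (n.gcDisableCount > 0) return false;
    beginCellIterUnchecked(n, k);
    return true;
}
```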
Comment 2•6 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Updated•6 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Updated•6 years ago
Priority: -- → P2
Updated•6 years ago
status-firefox59: --- → unaffected
status-firefox60: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Updated•6 years ago
Component: JavaScript Engine → Javascript: Web Assembly
autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1781bcae61d0
user: Benjamin Bouvier
date: Wed May 02 16:10:41 2018 +0200
summary: Bug 1455603: Disable the Debugger.findScripts API when wasm GC is active; r=jonco

:bbouvier, is bug 1455603 a likely fix?
Flags: needinfo?(bbouvier)
Comment 4•5 years ago
If the gc-disablement was indeed the problem, then the problem should be gone, because that code has been removed recently, as we no longer needed it. Not sure what resolution is appropriate here - FIXED?
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(bbouvier)
Resolution: --- → FIXED