Closed Bug 1458217 Opened Last year Closed Last year

Assertion failure: !rt->mainContextFromOwnThread()->suppressGC, at js/src/gc/GC.cpp:7235 or Crash [@ JS::Value::toObject] or AddressSanitizer: use-after-poison [@ js::gc::Cell::runtimeFromAnyThread] with wasm GC

Categories

(Core :: JavaScript Engine, defect, P5, critical)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d2a4720d1c33 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc --ion-offthread-compile=off):

var lfModule = new WebAssembly.Module(wasmTextToBinary(`
    (module
        (import "global" "func" (result i32))
        (func (export "func_0") (result i32)
         call 0
        )
    )
`));
processModule(lfModule, `
  verifyprebarriers()
`);
function processModule(module, jscode) {
    imports = {}
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {}
        imports[descriptor.module][descriptor.name] = new Function(jscode);
        instance = new WebAssembly.Instance(module, imports);
        for (let descriptor of WebAssembly.Module.exports(module))
            instance.exports[descriptor.name]()
    }
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000ecbc70 in js::gc::IsIncrementalGCUnsafe (rt=0x7ffff5f19000) at js/src/gc/GC.cpp:7235
#0  0x0000000000ecbc70 in js::gc::IsIncrementalGCUnsafe (rt=0x7ffff5f19000) at js/src/gc/GC.cpp:7235
#1  0x0000000000f67f04 in js::gc::GCRuntime::startVerifyPreBarriers (this=0x7ffff5f19700) at js/src/gc/Verifier.cpp:182
#2  0x0000000000f68769 in js::gc::GCRuntime::verifyPreBarriers (this=<optimized out>) at js/src/gc/Verifier.cpp:405
#3  js::gc::VerifyBarriers (rt=<optimized out>, type=type@entry=js::gc::PreBarrierVerifier) at js/src/gc/Verifier.cpp:412
#4  0x00000000008abebb in VerifyPreBarriers (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1010
#5  0x00000000005b429e in js::CallJSNative (cx=0x7ffff5f17000, native=0x8abe70 <VerifyPreBarriers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
[...]
#13 0x00000000005a9100 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#14 0x0000000000e05638 in js::wasm::Instance::callImport (this=this@entry=0x7ffff495c740, cx=<optimized out>, cx@entry=0x7ffff5f17000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc4a0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#15 0x0000000000e06154 in js::wasm::Instance::callImport_i32 (instance=0x7ffff495c740, funcImportIndex=0, argc=0, argv=0x7fffffffc4a0) at js/src/wasm/WasmInstance.cpp:252
#16 0x000026c0d545a0fc in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff5f19000	140737319636992
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffb650	140737488336464
rsp	0x7fffffffb640	140737488336448
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7ffff5f17000	140737319628800
r13	0x8abe70	9092720
r14	0x7fffffffb800	140737488336896
r15	0x7ffff4887210	140737295970832
rip	0xecbc70 <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+112>
=> 0xecbc70 <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+112>:	movl   $0x0,0x0
   0xecbc7b <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+123>:	ud2


Only affects --wasm-gc so not s-s.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
I think you can just add an early return in GCRuntime::startVerifyPreBarriers() if GC is suppressed to fix this.
Priority: -- → P5
Implements what you suggested, thanks!

Also introduces a new helper function that returns true if we should abort because of wasm code potentially running on the stack. With this patch, there were 2 different places where this could happen, and with bug 1455603 there'll be a third one.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8972579 - Flags: review?(jcoppeard)
Depends on: 1456824
Comment on attachment 8972579 [details] [diff] [review]
verifyprebarriers.patch

Review of attachment 8972579 [details] [diff] [review]:
-----------------------------------------------------------------

Nice, thank for fixing.
Attachment #8972579 - Flags: review?(jcoppeard) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ddba51846e2f
Abort early in verifyprebarriers if wasm gc is enabled; r=jonco
https://hg.mozilla.org/mozilla-central/rev/ddba51846e2f
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
You need to log in before you can comment on or make changes to this bug.