Closed
Bug 1458217
Opened 7 years ago
Closed 7 years ago
Assertion failure: !rt->mainContextFromOwnThread()->suppressGC, at js/src/gc/GC.cpp:7235 or Crash [@ JS::Value::toObject] or AddressSanitizer: use-after-poison [@ js::gc::Cell::runtimeFromAnyThread] with wasm GC
Categories
(Core :: JavaScript Engine, defect, P5)
Tracking
()
RESOLVED
FIXED
mozilla61
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(1 file)
|
4.51 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d2a4720d1c33 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc --ion-offthread-compile=off):
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
(module
(import "global" "func" (result i32))
(func (export "func_0") (result i32)
call 0
)
)
`));
processModule(lfModule, `
verifyprebarriers()
`);
function processModule(module, jscode) {
imports = {}
for (let descriptor of WebAssembly.Module.imports(module)) {
imports[descriptor.module] = {}
imports[descriptor.module][descriptor.name] = new Function(jscode);
instance = new WebAssembly.Instance(module, imports);
for (let descriptor of WebAssembly.Module.exports(module))
instance.exports[descriptor.name]()
}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000ecbc70 in js::gc::IsIncrementalGCUnsafe (rt=0x7ffff5f19000) at js/src/gc/GC.cpp:7235
#0 0x0000000000ecbc70 in js::gc::IsIncrementalGCUnsafe (rt=0x7ffff5f19000) at js/src/gc/GC.cpp:7235
#1 0x0000000000f67f04 in js::gc::GCRuntime::startVerifyPreBarriers (this=0x7ffff5f19700) at js/src/gc/Verifier.cpp:182
#2 0x0000000000f68769 in js::gc::GCRuntime::verifyPreBarriers (this=<optimized out>) at js/src/gc/Verifier.cpp:405
#3 js::gc::VerifyBarriers (rt=<optimized out>, type=type@entry=js::gc::PreBarrierVerifier) at js/src/gc/Verifier.cpp:412
#4 0x00000000008abebb in VerifyPreBarriers (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1010
#5 0x00000000005b429e in js::CallJSNative (cx=0x7ffff5f17000, native=0x8abe70 <VerifyPreBarriers(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
[...]
#13 0x00000000005a9100 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#14 0x0000000000e05638 in js::wasm::Instance::callImport (this=this@entry=0x7ffff495c740, cx=<optimized out>, cx@entry=0x7ffff5f17000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc4a0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#15 0x0000000000e06154 in js::wasm::Instance::callImport_i32 (instance=0x7ffff495c740, funcImportIndex=0, argc=0, argv=0x7fffffffc4a0) at js/src/wasm/WasmInstance.cpp:252
#16 0x000026c0d545a0fc in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff5f19000 140737319636992
rcx 0x7ffff6c282ad 140737333330605
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffb650 140737488336464
rsp 0x7fffffffb640 140737488336448
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fe4780 140737354024832
r10 0x58 88
r11 0x7ffff6b9e7a0 140737332766624
r12 0x7ffff5f17000 140737319628800
r13 0x8abe70 9092720
r14 0x7fffffffb800 140737488336896
r15 0x7ffff4887210 140737295970832
rip 0xecbc70 <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+112>
=> 0xecbc70 <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+112>: movl $0x0,0x0
0xecbc7b <js::gc::IsIncrementalGCUnsafe(JSRuntime*)+123>: ud2
Only affects --wasm-gc so not s-s.
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
||
Comment 1•7 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•7 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
||
Comment 2•7 years ago
|
||
I think you can just add an early return in GCRuntime::startVerifyPreBarriers() if GC is suppressed to fix this.
Priority: -- → P5
|
||
Updated•7 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
|
Assignee | |
Comment 3•7 years ago
|
||
Implements what you suggested, thanks!
Also introduces a new helper function that returns true if we should abort because of wasm code potentially running on the stack. With this patch, there were 2 different places where this could happen, and with bug 1455603 there'll be a third one.
|
|
||
Comment 4•7 years ago
|
||
Comment on attachment 8972579 [details] [diff] [review]
verifyprebarriers.patch
Review of attachment 8972579 [details] [diff] [review]:
-----------------------------------------------------------------
Nice, thank for fixing.
Attachment #8972579 -
Flags: review?(jcoppeard) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ddba51846e2f
Abort early in verifyprebarriers if wasm gc is enabled; r=jonco
|
||
Comment 6•7 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
|
||
Updated•5 years ago
|
Blocks: asan-maintenance
You need to log in
before you can comment on or make changes to this bug.
Description
•