Closed
Bug 1459633
Opened 7 years ago
Closed 7 years ago
Assertion failure: isTenured(), at js/src/gc/Cell.h:193
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
RESOLVED FIXED
mozilla62
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | disabled |
| firefox62 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments (1 file): 2.92 KB, patch, jonco: review+
The following testcase crashes on mozilla-central revision fb435df9797a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc):
var lfModule = new WebAssembly.Module(wasmTextToBinary(`
  (module
    (import "global" "func" (result i32))
    (func (export "func_0") (result i32)
      call 0 ;; calls the import, which is func #0
    )
  )
`));
grayRoot().x = Object.create(null);
processModule(lfModule, `
  addMarkObservers([grayRoot(), grayRoot().x, this, Object.create(null)]);
  let marks = getMarks();
`);
// Instantiates the module with every import bound to a function whose body is
// jscode, then calls each export, so jscode runs re-entrantly from inside wasm.
function processModule(module, jscode) {
  imports = {};
  for (let descriptor of WebAssembly.Module.imports(module)) {
    imports[descriptor.module] = {};
    imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
    instance = new WebAssembly.Instance(module, imports);
    for (let descriptor of WebAssembly.Module.exports(module))
      instance.exports[descriptor.name]();
  }
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000000000453008 in js::gc::Cell::asTenured (this=<optimized out>) at js/src/gc/Cell.h:193
#0 0x0000000000453008 in js::gc::Cell::asTenured (this=<optimized out>) at js/src/gc/Cell.h:193
#1 GetMarks (cx=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:6353
#2 0x00000000005b4f01 in js::CallJSNative (cx=0x7ffff5f17000, native=0x452c70 <GetMarks(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#3 0x00000000005a94bf in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#4 0x00000000005a989d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516
#5 0x000000000059bc83 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#6 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3086
#7 0x00000000005a8f7d in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:417
#8 0x00000000005a9587 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#9 0x00000000005a989d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516
#10 0x00000000005a9a20 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#11 0x0000000000e080e8 in js::wasm::Instance::callImport (this=this@entry=0x7ffff495c6d0, cx=<optimized out>, cx@entry=0x7ffff5f17000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc4d0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#12 0x0000000000e08be4 in js::wasm::Instance::callImport_i32 (instance=0x7ffff495c6d0, funcImportIndex=0, argc=0, argv=0x7fffffffc4d0) at js/src/wasm/WasmInstance.cpp:252
#13 0x000007e02cb0a0fc in ?? ()
[...]
#19 0x0000000000000000 in ?? ()
rip 0x453008 <GetMarks(JSContext*, unsigned int, JS::Value*)+920>
=> 0x453008 <GetMarks(JSContext*, unsigned int, JS::Value*)+920>: movl $0x0,0x0
0x453013 <GetMarks(JSContext*, unsigned int, JS::Value*)+931>: ud2
Likely debug-only and also requires --wasm-gc.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•7 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Updated•7 years ago
status-firefox60: --- → unaffected
status-firefox62: --- → fix-optional
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Comment 3•7 years ago (Assignee)
As discussed on IRC: inhibits the API if we're running with wasm gc, and adds an assertion in minorGc. Try-running this, because of the new assertion.
Comment 4•7 years ago
Comment on attachment 8975491 [details] [diff] [review]
addmarkobservers.patch
Review of attachment 8975491 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for doing this. r+ assuming the tests pass with the new assertion.
Attachment #8975491 -
Flags: review?(jcoppeard) → review+
Comment 5•7 years ago (Assignee)
Thanks for the quick review. All green: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e5c87e5ed7ec85f05ab6b0bd1daad936b2f9250e
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bd1542eb559c
Block addMarkObservers if wasm gc is enabled; r=jonco
Comment 7•7 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62