1462335 - Assertion failure: !rt->mainContextFromOwnThread()->suppressGC, at js/src/gc/GC.cpp:7817 with Debugger

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 8fb36531f7d0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc):

var lfModule = new WebAssembly.Module(wasmTextToBinary(`
    (module
        (import "global" "func" (result i32))
        (func (export "func_0") (result i32)
         call 0 ;; calls the import, which is func #0
        )
    )
`));
let g = newGlobal();
processModule(lfModule, `
    let dbg = new Debugger(g);
    dbg.memory.takeCensus({ breakdown: { by: 'objectClass' } });
`);
function processModule(module, jscode) {
    imports = {}
    for (let descriptor of WebAssembly.Module.imports(module)) {
        imports[descriptor.module] = {}
        imports[descriptor.module][descriptor.name] = new Function("x", "y", "z", jscode);
        instance = new WebAssembly.Instance(module, imports);
        for (let descriptor of WebAssembly.Module.exports(module))
            instance.exports[descriptor.name]()
    }
}


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000f01076 in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff5f19700, reason=reason@entry=JS::gcreason::EVICT_NURSERY, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY) at js/src/gc/GC.cpp:7816
#0  0x0000000000f01076 in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff5f19700, reason=reason@entry=JS::gcreason::EVICT_NURSERY, phase=phase@entry=js::gcstats::PhaseKind::EVICT_NURSERY) at js/src/gc/GC.cpp:7816
#1  0x0000000000f59ed9 in js::gc::GCRuntime::evictNursery (reason=JS::gcreason::EVICT_NURSERY, this=0x7ffff5f19700) at js/src/gc/GCRuntime.h:989
#2  js::TraceRuntime (trc=trc@entry=0x7fffffffb018) at js/src/gc/RootMarking.cpp:290
#3  0x0000000000cdf96a in JS::ubi::RootList::init (this=this@entry=0x7fffffffb710, debuggees=...) at js/src/vm/UbiNode.cpp:441
#4  0x0000000000ce0770 in JS::ubi::RootList::init (this=this@entry=0x7fffffffb710, debuggees=..., debuggees@entry=...) at js/src/vm/UbiNode.cpp:482
#5  0x0000000000b3e1e0 in js::DebuggerMemory::takeCensus (cx=0x7ffff5f17000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/DebuggerMemory.cpp:408
#6  0x00000000005b4b1e in js::CallJSNative (cx=0x7ffff5f17000, native=0xb3d930 <js::DebuggerMemory::takeCensus(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#7  0x00000000005a9a3f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#8  0x00000000005a9e1d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516
#9  0x000000000059d517 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522
#10 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3086
#11 0x00000000005a94fd in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:417
#12 0x00000000005a9b07 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#13 0x00000000005a9e1d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516
#14 0x00000000005a9fa0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#15 0x0000000000e1eb68 in js::wasm::Instance::callImport (this=this@entry=0x7ffff495c6d0, cx=<optimized out>, cx@entry=0x7ffff5f17000, funcImportIndex=funcImportIndex@entry=0, argc=argc@entry=0, argv=argv@entry=0x7fffffffc4d0, rval=..., rval@entry=...) at js/src/wasm/WasmInstance.cpp:156
#16 0x0000000000e1f664 in js::wasm::Instance::callImport_i32 (instance=0x7ffff495c6d0, funcImportIndex=0, argc=0, argv=0x7fffffffc4d0) at js/src/wasm/WasmInstance.cpp:252
#17 0x0000153563a1b0fc in ?? ()
[...]
#23 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7ffff5f19700	140737319638784
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffaee0	140737488334560
rsp	0x7fffffffae20	140737488334368
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7fffffffb018	140737488334872
r13	0xb	11
r14	0x41	65
r15	0x7fffffffb060	140737488334944
rip	0xf01076 <js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind)+630>
=> 0xf01076 <js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind)+630>:	movl   $0x0,0x0
   0xf01081 <js::gc::GCRuntime::minorGC(JS::gcreason::Reason, js::gcstats::PhaseKind)+641>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Nicolas B. Pierron [:nbp]]

Likely to be a duplicate of Bug 1462333.

Comment 3

[Benjamin Bouvier [:bbouvier] (inactive)]

Not a dup. This one calls Debugger.memory.takeCensus, which tries to the nursery when making a RootList.

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: fix.patch

Comment 5

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f0cc065d8a76
Prevents calling into Debugger.memory.takeCensus when wasm gc is enabled; r=jonco

Comment 6

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/f0cc065d8a76