Closed
Bug 1507944
Opened 6 years ago
Closed 6 years ago
Crash in js::wasm::Instance::callExport
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | --- | fixed |
People
(Reporter: marcia, Assigned: luke)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
1.77 KB,
patch
|
bbouvier
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-b9c2e0ce-1ebc-4dad-a286-522f40181116. ============================================================= Seen while looking at nightly crash stats: https://bit.ly/2zcSSc9. Crashes started using Build 20181113100051. Possible regression range based on build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f97d54f24e0299ed1a87383ba61519c30a8c243a&tochange=24e87b02707bee36e1e98eb37c94fbaf3834e898 Bug 1505271? ni on :luke Top 10 frames of crashing thread: 0 @0x2036fc83bcb1 1 XUL js::wasm::Instance::callExport js/src/wasm/WasmInstance.cpp:1163 2 XUL XUL@0x50a863f 3 XUL js::ElementSpecific<unsigned char, js::UnsharedOps>::setFromTypedArray clang/include/c++/v1/algorithm:1760 4 XUL js/src/vm/TypedArrayObject.cpp:924 5 XUL js::DeadObjectProxy::family 6 XUL WasmCall js/src/wasm/WasmJS.cpp:1423 7 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:468 8 XUL js::GetProperty js/src/vm/ObjectOperations-inl.h:122 9 XUL XUL@0x589057f =============================================================
|
Reporter | |
Updated•6 years ago
|
Flags: needinfo?(luke)
|
Assignee | |
Comment 1•6 years ago
|
||
Looking at the aggregations, it's all OSX and the bad-instruction fault, which is intentionally used by wasm for traps. Thinking a bit more about this, I think I see the bug only for asm.js. I had thought asm.js didn't even need signal handlers, because bug 1495149, but asm.js does use them for the slow-script interrupt check. So the bug is that we call EstablishPreconditions(), which calls wasm::HasCompilerSupport(cx), which calls wasm::EnsureFullSignalHandlers(cx), but all this happens on some random parser thread with a parser-local JSContext. So the main thread never gets full signal handlers before it runs this asm.js code using ud2. Should be an easy fix after I can repro.
Assignee: nobody → luke
Flags: needinfo?(luke)
|
|
Assignee | |
Comment 2•6 years ago
|
||
The test in this patch repros the crash and verifies the fix. That doesn't confirm this is actually the crash we're seeing, but it seems to match well with the low rate of crashes: this only happens if the slow-script dialog kicks in which is mostly not going to happen.
Attachment #9026229 -
Flags: review?(bbouvier)
|
||
Comment 3•6 years ago
|
||
Comment on attachment 9026229 [details] [diff] [review] fix-asmjs-signals Review of attachment 9026229 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #9026229 -
Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/31a42178a876 Baldr: ensure signal handlers in asm.js instantiation (r=bbouvier)
|
|
Assignee | |
Comment 5•6 years ago
|
||
Poking at a few crash URLs also show asm.js-only crashes, so this feels likely to be the fix and please feel free to reopen or open a new bug if the crash persists after this patch reaches nightly. (The issue being fixed is also Nightly-only.)
|
||
Comment 6•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/31a42178a876
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
|
||
Updated•6 years ago
|
status-firefox-esr60:
--- → wontfix
|
||
Updated•6 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•