Crash in [@ js::wasm::Instance::callExport]
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox67 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | --- | unaffected |
firefox71 | --- | unaffected |
firefox72 | --- | fixed |
People
(Reporter: pascalc, Assigned: wingo)
Details
(Keywords: crash, regression)
Crash Data
This bug is for crash report bp-cf6beaf5-a977-4551-8855-3aea70191024.
Top 10 frames of crashing thread:
0 @0x187ae7000
1 XUL js::wasm::Instance::callExport js/src/wasm/WasmInstance.cpp:1831
2 XUL XUL@0x4d6f12f
3 libmozglue.dylib RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::Remove memory/build/rb.h:435
4 XUL XUL@0x56d991f
5 libmozglue.dylib arena_t::AllocRun memory/build/mozjemalloc.cpp:2406
6 XUL js::jit::MUse* js::jit::TempAllocator::allocateArray<js::jit::MUse> js/src/jit/JitAllocPolicy.h:57
7 XUL WasmCall js/src/wasm/WasmJS.cpp:1468
8 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:550
9 XUL XUL@0x56e51bf
Crashes in yesterday's nightly.
Comment 1•5 years ago
Hitting this reliably on a private Figma document.
Comment 2•5 years ago (Assignee)
Are you able to build from source? Does reverting https://hg.mozilla.org/mozilla-central/rev/a9d2b57a99be fix the issue?
Alternately: does applying https://hg.mozilla.org/integration/autoland/rev/90ef5c4f6349447e72cfd2fc50ad103969a66464 fix the issue for you?
Comment 3•5 years ago
Sorry, nothing set up on this machine. I could probably get mozregression set up if you can give me a range / command.
Comment 4•5 years ago (Assignee)
OK, let's revisit after https://hg.mozilla.org/integration/autoland/rev/90ef5c4f6349447e72cfd2fc50ad103969a66464 is shipped in a new nightly.
Comment 5•5 years ago
Ditto. That stack sure looks weird, so let's assume the allocator symbols are spurious, for now.
Comment 6•5 years ago
The crash signatures have a bunch of Figma URLs. Loading one of those URLs repros the crash locally. It might be a sensitive URL, though, so I'll email it.
Comment 7•5 years ago
Does not crash in the very latest nightly. Crashed in the one before that. I think we're good.
Comment 8•5 years ago (Assignee)
I checked too with a fresh build and we seem fine; yay. Thanks for the report.
Comment 9•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 11•5 years ago
Two more variants, on Windows.
Comment 12•5 years ago
Hi Andy, is QA needed here? And if yes, could you please provide some steps? Thanks!
Comment 13•5 years ago (Assignee)
Hi Catalin :) IMO I think we can probably skip QA on this one as both me and Lars verified it was fixed with a fresh browser build after a fix landed. There is a private Figma URL that Luke communicated to me that showed the problem but I don't have it handy at the moment, I can communicate it to you if needed.