Closed Bug 1590973 Opened 3 years ago Closed 3 years ago

Crash in [@ js::wasm::Instance::callExport]

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: pascalc, Assigned: wingo)

References

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-cf6beaf5-a977-4551-8855-3aea70191024.

Top 10 frames of crashing thread:

0  @0x187ae7000 
1 XUL js::wasm::Instance::callExport js/src/wasm/WasmInstance.cpp:1831
2 XUL XUL@0x4d6f12f 
3 libmozglue.dylib RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::Remove memory/build/rb.h:435
4 XUL XUL@0x56d991f 
5 libmozglue.dylib arena_t::AllocRun memory/build/mozjemalloc.cpp:2406
6 XUL js::jit::MUse* js::jit::TempAllocator::allocateArray<js::jit::MUse> js/src/jit/JitAllocPolicy.h:57
7 XUL WasmCall js/src/wasm/WasmJS.cpp:1468
8 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:550
9 XUL XUL@0x56e51bf 

Crashes in yesterday's nightly.

Hitting this reliably on a private Figma document.

Flags: needinfo?(lhansen)

Are you able to build from source? Does reverting https://hg.mozilla.org/mozilla-central/rev/a9d2b57a99be fix the issue?

Alternately: does applying https://hg.mozilla.org/integration/autoland/rev/90ef5c4f6349447e72cfd2fc50ad103969a66464 fix the issue for you?

Flags: needinfo?(robin)

Sorry, nothing set up on this machine. I could probably get mozregression set up if you can give me a range / command.

Ditto. That stack sure looks weird, so let's assume the allocator symbols are spurious, for now.

Priority: -- → P1
See Also: → 1590961
Crash Signature: [@ js::wasm::Instance::callExport] → [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ]
Crash Signature: [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] → [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] [@ XUL@0x28348f | js::wasm::Instance::callExport ]

The crash signatures have a bunch of Figma URLs. Loading one of those URLs repros the crash locally. It might be a sensitive URL, though, so I'll email it.

Does not crash in the very latest nightly. Crashed in the one before that. I think we're good.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(lhansen)
Resolution: --- → FIXED

I checked too with a fresh build and we seem fine; yay. Thanks for the report.

Flags: needinfo?(robin)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Duplicate of this bug: 1591465
Crash Signature: [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] [@ XUL@0x28348f | js::wasm::Instance::callExport ] → [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] [@ XUL@0x28348f | js::wasm::Instance::callExport ] [@ _fini]

Two more variants, on Windows.

Crash Signature: [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] [@ XUL@0x28348f | js::wasm::Instance::callExport ] [@ _fini] → [@ js::wasm::Instance::callExport] [@ @0x0 | js::wasm::Instance::callExport ] [@ XUL@0x28348f | js::wasm::Instance::callExport ] [@ _fini] [@ js::frontend::EmitterScope::searchInEnclosingScope ] [@ js::jit::ICTypeMonitor_Fallback::addMonitorStubForValu…

Hi Andy, is qa needed here? And if yes, could you please provide some steps? Thanks!

Flags: needinfo?(wingo)

Hi Catalin :) IMO I think we can probably skip QA on this one, as both Lars and I verified it was fixed with a fresh browser build after a fix landed. There is a private Figma URL that Luke communicated to me that showed the problem, but I don't have it handy at the moment; I can communicate it to you if needed.

Flags: needinfo?(wingo)