Closed Bug 1721997 Opened 4 years ago Closed 4 years ago

Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at mozilla/RefPtr.h:315 or Crash [@ js::wasm::CompileIntrinsicModule]

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox91 --- wontfix
firefox92 --- wontfix
firefox93 --- verified

People

(Reporter: decoder, Assigned: rhunt)

Details

(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
2.15 KB, text/plain
Details
Testcase
82 bytes, text/plain
Details
Bug 1721997 - wasm: Check CompileArgs::build() and correctly report OOM's. r?yury
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20210722-1979267c2a7f (--enable-debug build, run with --fuzzing-safe --ion-offthread-compile=off --wasm-compiler=optimized --more-compartments test.js):

a = newGlobal()
function b(c) {
    a.Debugger(c)
}
b({})
wasmIntrinsicI8VecMul()

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x58b73aff in js::wasm::CompileIntrinsicModule(JSContext*, js::wasm::IntrinsicOp, JS::MutableHandle<js::WasmModuleObject*>) ()
#1  0x58051573 in WasmIntrinsicI8VecMul(JSContext*, unsigned int, JS::Value*) ()
#2  0x57b283c9 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&amp;) ()
[...]
#13 0x579abff0 in Shell(JSContext*, js::cli::OptionParser*) ()
#14 0x579a3372 in main ()
eax	0x566adc1d	1449843741
ebx	0x58ff458c	1493124492
ecx	0x58ff5f34	1493131060
edx	0xf7bffcc7	-138412857
esi	0xffdf1180	-2158208
edi	0x1	1
ebp	0xffdf2098	4292812952
esp	0xffdf1100	4292808960
eip	0x58b73aff <js::wasm::CompileIntrinsicModule(JSContext*, js::wasm::IntrinsicOp, JS::MutableHandle<js::WasmModuleObject*>)+4175>
=> 0x58b73aff <_ZN2js4wasm22CompileIntrinsicModuleEP9JSContextNS0_11IntrinsicOpEN2JS13MutableHandleIPNS_16WasmModuleObjectEEE+4175>:	movl   $0x13b,0x0
   0x58b73b09 <_ZN2js4wasm22CompileIntrinsicModuleEP9JSContextNS0_11IntrinsicOpEN2JS13MutableHandleIPNS_16WasmModuleObjectEEE+4185>:	call   0x57a2b49a <abort>

Likely a shell-only issue with new builtins.

Severity: -- → S2
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210727152622-edce65311704.
Failed to bisect testcase (Unable to launch the start build!):

Start: eba7e3ce93822075543bcc764cef7dbc8e9fc5f1 (20200728094725)
End: 1979267c2a7f69a743d039060eb9d0acf1633736 (20210722031648)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Assignee: nobody → rhunt
Status: NEW → ASSIGNED
Priority: -- → P2
Pushed by rhunt@eqrion.net: https://hg.mozilla.org/integration/autoland/rev/06bf8c7102d2 wasm: Check CompileArgs::build() and correctly report OOM's. r=yury

https://hg.mozilla.org/mozilla-central/rev/06bf8c7102d2

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox93: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210810032407-06bf8c7102d2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox93: fixedverified
Keywords: bugmon

:rhunt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(rhunt)

The testcase failed to be bisected.

Flags: needinfo?(rhunt)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: