Closed Bug 1891658 Opened 10 months ago Closed 10 months ago

Assertion failure: js::gc::IsCellPointerValid(&obj), at dist/include/js/Value.h:633

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
127 Branch
Tracking Status
firefox127 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, testcase)

Attachments

(2 files)

Attached file debug stack
var x = new WebAssembly.Instance(
  new WebAssembly.Module(
    wasmTextToBinary('(module (func (export "f")(result i32) i32.const 1))')
  )
);
oomAtAllocation(1);
wasmLosslessInvoke(x.exports.f);
(gdb) bt
#0  JS::Value::setObject (this=<optimized out>, obj=...) at /home/genxps15/shell-cache/js-dbg-64-linux-x86_64-fcfbb607fde2/objdir-js/dist/include/js/Value.h:633
#1  0x000055555876ac62 in JS::ObjectValue (obj=...) at /home/genxps15/shell-cache/js-dbg-64-linux-x86_64-fcfbb607fde2/objdir-js/dist/include/js/Value.h:1223
#2  ToJSValue_lossless<js::wasm::NoDebug> (cx=cx@entry=0x7ffff6739100, src=src@entry=0x7fffffffc908, dst=dst@entry=..., type=...)
    at /home/genxps15/trees/mozilla-central/js/src/wasm/WasmValue.cpp:778
#3  0x000055555876a873 in js::wasm::ToJSValue<js::wasm::NoDebug> (cx=0x7ffff6739100, src=0x7fffffffc908, type=..., dst=..., level=<optimized out>)
    at /home/genxps15/trees/mozilla-central/js/src/wasm/WasmValue.cpp:787
#4  0x000055555876d561 in js::wasm::ToJSValue<js::wasm::DebugCodegenVal> (cx=0x7ffff7bd3700 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6739100, src=0x0,
    src@entry=0x7fffffffc908, type=..., dst=..., dst@entry=..., level=js::wasm::CoercionLevel::Spec, level@entry=js::wasm::CoercionLevel::Lossless)
    at /home/genxps15/trees/mozilla-central/js/src/wasm/WasmValue.cpp:842
#5  0x000055555866ce28 in js::wasm::ResultsToJSValue (cx=cx@entry=0x7ffff6739100, type=..., registerResultLoc=registerResultLoc@entry=0x7fffffffc908,
    stackResultsLoc=..., rval=..., level=level@entry=js::wasm::CoercionLevel::Lossless) at /home/genxps15/trees/mozilla-central/js/src/wasm/WasmInstance.cpp:2996
#6  0x000055555866e17e in ReturnToJSResultCollector::collect (this=0x7fffffffc570, cx=0x7ffff6739100, registerResultLoc=0x7fffffffc908, rval=...,
    level=js::wasm::CoercionLevel::Lossless) at /home/genxps15/trees/mozilla-central/js/src/wasm/WasmInstance.cpp:3098
/snip

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev fcfbb607fde2.

Setting s-s as a start, especially since this seems to be a GC-related assert.

Jon, please feel free to bounce this over to the wasm folks if it is not GC-related.

Flags: sec-bounty?
Flags: needinfo?(jcoppeard)

The testcase does not reproduce with the latest debug js shell from FTP (2015-10-21) but reproduces with m-c rev a5887514ddfb (Feb 2022).

Group: core-security → javascript-core-security

I'll let wasm folks look at this first as it doesn't seem especially GC related.

Component: JavaScript: GC → JavaScript: WebAssembly
Flags: needinfo?(jcoppeard)

(In reply to Jon Coppeard (:jonco) from comment #2)

> I'll let wasm folks look at this first as it doesn't seem especially GC related.

Thanks - I'll set a needinfo? from Yury as a start.

Flags: needinfo?(ydelendik)

It is a failure to check for OOM at https://searchfox.org/mozilla-central/source/js/src/wasm/WasmValue.cpp#778 -- the execution will fail with a null pointer access. The ToJSValue_lossless (via wasmLosslessInvoke) is only available in the jsshell.

Flags: needinfo?(ydelendik)
Group: javascript-core-security
Severity: -- → S4
Priority: -- → P3
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
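An added illustration of the failure mode and the fix pattern described in the comment above. This is not SpiderMonkey code and not the landed patch: it models, in plain C++, a fallible allocator in the spirit of the shell's oomAtAllocation(n) (the n-th allocation returns null), a Value::setObject stand-in that reports an invalid cell pointer instead of asserting so the outcome can be observed, and a conversion routine in both its unchecked form and the form that propagates OOM to the caller. All names here (Obj, Value, OomSimulator, isCellPointerValid, toValueUnchecked, toValueChecked, countInvalidCellHits) are hypothetical stand-ins, not the real engine's identifiers.

```cpp
#include <memory>
#include <vector>

// Hypothetical stand-in for a GC-allocated object; not SpiderMonkey's JSObject.
struct Obj {
    int payload;
};

// Hypothetical stand-in for js::gc::IsCellPointerValid. The real check tests
// arena/chunk membership and alignment; here a null pointer is the only
// invalid case, which is the case the OOM path produces.
static bool isCellPointerValid(const Obj* o) {
    return o != nullptr;
}

enum class Outcome { Ok, OomReported, InvalidCellPointer };

// Hypothetical stand-in for JS::Value. The real setObject asserts
// IsCellPointerValid(&obj); this model reports the violation instead of
// aborting so a test can see it.
struct Value {
    const Obj* obj = nullptr;

    Outcome setObject(const Obj* o) {
        if (!isCellPointerValid(o)) {
            return Outcome::InvalidCellPointer;  // where the reported assertion fires
        }
        obj = o;
        return Outcome::Ok;
    }
};

// Allocator that fails on the n-th request, like the shell's oomAtAllocation(n).
// failAt == 0 means allocations never fail.
struct OomSimulator {
    int failAt;
    int count = 0;
    std::vector<std::unique_ptr<Obj>> pool;  // owns every object handed out

    explicit OomSimulator(int failAtAllocation) : failAt(failAtAllocation) {}

    Obj* allocate(int payload) {
        ++count;
        if (failAt != 0 && count == failAt) {
            return nullptr;  // simulated OOM
        }
        pool.push_back(std::make_unique<Obj>(Obj{payload}));
        return pool.back().get();
    }
};

// Unchecked conversion: the allocation result is handed straight to setObject.
// Under simulated OOM that is a null pointer, the shape of the bug above.
Outcome toValueUnchecked(OomSimulator& sim, int payload, Value* dst) {
    Obj* boxed = sim.allocate(payload);
    return dst->setObject(boxed);
}

// Checked conversion: OOM is reported to the caller before dst is touched,
// so an invalid pointer never reaches setObject.
Outcome toValueChecked(OomSimulator& sim, int payload, Value* dst) {
    Obj* boxed = sim.allocate(payload);
    if (!boxed) {
        return Outcome::OomReported;
    }
    return dst->setObject(boxed);
}

// OOM sweep in the style of the fuzzing run that found this bug: fail the
// 1st, 2nd, ... maxAllocs-th allocation in turn and count how often an
// invalid cell pointer reaches setObject.
int countInvalidCellHits(bool checked, int maxAllocs) {
    int hits = 0;
    for (int n = 1; n <= maxAllocs; ++n) {
        OomSimulator sim(n);
        Value v;
        Outcome r = checked ? toValueChecked(sim, 42, &v)
                            : toValueUnchecked(sim, 42, &v);
        if (r == Outcome::InvalidCellPointer) {
            ++hits;
        }
    }
    return hits;
}

int main() {
    // Standalone run: the unchecked path trips on the first simulated OOM,
    // the checked path reports it cleanly instead.
    return (countInvalidCellHits(false, 3) == 1 &&
            countInvalidCellHits(true, 3) == 0) ? 0 : 1;
}
```

The sweep is the part worth copying: a conversion that makes exactly one allocation only misbehaves when that one allocation is the one forced to fail, so a test that fixes a single OOM point can miss it; iterating the failure index across every allocation the call makes is what turns an OOM check into a regression test.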
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56eef0e217eb Test OOM during wasmLosslessInvoke. r=bvisness
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
Flags: sec-bounty? → sec-bounty-