Open Bug 1900724 Opened 1 year ago Updated 3 months ago

Crash in [@ js::WasmArrayObject::isDataInline], possibly from general GC memory corruption

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
Other
Windows 11
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox128 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c5014d47-a733-480a-bc9e-4d8660240603

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::WasmArrayObject::isDataInline  js/src/wasm/WasmGcObject.h:298
0  xul.dll  js::WasmArrayObject::isDataInline const  js/src/wasm/WasmGcObject.h:300
0  xul.dll  js::WasmArrayObject::allocKind const  js/src/wasm/WasmGcObject-inl.h:171
0  xul.dll  JSObject::allocKindForTenure const  js/src/vm/JSObject.cpp:3230
1  xul.dll  JSObject::isBackgroundFinalized const  js/src/vm/JSObject.cpp:3178
1  xul.dll  js::DeadProxyTargetValue  js/src/proxy/DeadObjectProxy.cpp:140
2  xul.dll  js::NewDeadProxyObject  js/src/proxy/DeadObjectProxy.cpp:149
3  xul.dll  JS::Compartment::getNonWrapperObjectForCurrentCompartment  js/src/vm/Compartment.cpp:230
3  xul.dll  JS::Compartment::wrap  js/src/vm/Compartment.cpp:372
4  xul.dll  JS::Compartment::wrap  js/src/vm/Compartment.cpp:431

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-05-30
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 3 crashes happened on null or near null memory address
Component: General → JavaScript: WebAssembly

The severity field is not set for this bug.
:rhunt, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(rhunt)

The case for wasm array object is the fallthrough case in allocKindForTenure [1], and has a debug assert that the object actually matches this assumption. I wonder if we would be tripping that assertion if it was a release assert. This logic changed in bug 1881019 pretty recently (late February) and these crashes started in April, which might line up with that getting released?

Jan, do you think my assessment above is possible?

Flags: needinfo?(rhunt) → needinfo?(jdemooij)
See Also: → 1881019
Severity: -- → S3
Priority: -- → P3

(In reply to Ryan Hunt [:rhunt] from comment #2)

The case for wasm array object is the fallthrough case in allocKindForTenure [1], and has a debug assert that the object actually matches this assumption. I wonder if we would be tripping that assertion if it was a release assert. This logic changed in bug 1881019 pretty recently (late February) and these crashes started in April, which might line up with that getting released?

Jan, do you think my assessment above is possible?

I agree. Before my change, the fallback case was NativeObject::allocKindForTenure and now it's WasmArrayObject::allocKind. This is most likely caused by memory corruption of the object or (base)shape. Changing this assertion to a release-assertion would make us crash more reliably in this case but it wouldn't stop the crashes.

Flags: needinfo?(jdemooij)
Summary: Crash in [@ js::WasmArrayObject::isDataInline] → Crash in [@ js::WasmArrayObject::isDataInline], possibly from general GC memory corruption
You need to log in before you can comment on or make changes to this bug.