Bug 1376841 - [wasm] Crash [@ js_free]
Status: Closed, RESOLVED FIXED (target milestone mozilla56)
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript Engine, defect
Tracking:
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | fixed |
People
(Reporter: gkw, Assigned: luke)
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Attachments (2 files):
text/plain (deleted)
patch (deleted), lth: review+
The following testcase crashes on mozilla-central revision cc903e3f6189 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
// oomTest is a SpiderMonkey shell builtin: it re-runs the function, failing
// one successive allocation per iteration, so every OOM path gets exercised.
oomTest(function () {
  new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
    (module
      (global (mut i64) (i64.const 0))
      (func)
      (global (mut f64) (f64.const 0))
      (func (result f64)
        get_global 1
      )
      (global (mut i64) (i64.const 0))
      (func
        i64.const 0
        i64.const 0
        i32.const 0
        select
        call 1
        set_global 1
        set_global 2
      )
      (func (result i64) (param f64) (param i64) (param i32)
        get_local 2
        i64.const 0
        i64.const 0
        i32.const 0
        select
        drop
        i64.extend_s/i32
      )
      (func (result f32) (param i32) (param i64) (param f32)
        f64.const 0
        f64.const 0
        i32.const 0
        select
        get_local 1
        get_local 2
        i32.const 0
        i32.const 0
        i32.const 0
        select
        drop
        drop
        drop
        f32.demote/f64
        f64.const 0
        f64.const 0
        i32.const 0
        select
        set_global 1
        i32.const 0
        i32.const 0
        i32.const 0
        select
        i64.const 0
        get_global 2
        drop
        drop
        drop
      )
    )
  `)));
})
Backtrace:
#0 js_free (p=<error reading variable: Cannot access memory at address 0x20>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:257
#1 js::wasm::GlobalSegment::~GlobalSegment (this=0x7fd144616250, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:878
#2 js_delete<js::wasm::GlobalSegment> (p=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:383
#3 JS::DeletePolicy<js::wasm::GlobalSegment>::operator() (this=<optimized out>, ptr=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:485
#4 mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >::reset (aPtr=0x0, this=0x7fff2d04dfe0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/mozilla/UniquePtr.h:343
/snip
For detailed crash information, see attachment.
js_free is on the stack, setting s-s as a start.
Reporter
Comment 2•7 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ba901f83a5fd
user: Luke Wagner
date: Fri Jun 23 18:03:19 2017 -0500
summary: Bug 1374218 - Baldr: ensure alignment of TlsData (r=lth)
Luke, is bug 1374218 a likely regressor?
Flags: needinfo?(luke)
Summary: Crash [@ js_free] → Crash [@ js_free] involving wasm
Reporter
Updated•7 years ago
Summary: Crash [@ js_free] involving wasm → [wasm] Crash [@ js_free]
Assignee
Comment 3•7 years ago
D'oh, this code was implicitly relying before on js_free(nullptr) being a nop.
Assignee
Comment 4•7 years ago
Crash at reliably-small offset from null, so I don't think this is s-s.
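As an added illustration of the failure mode described in comments 3 and 4 (a model written for this page, not SpiderMonkey's GlobalSegment or the attached patch): a segment whose constructor can fail under OOM must not let its destructor dereference the never-allocated block. TlsBlock, allocTlsBlock, GlobalSegmentModel and the gSimulateOOM hook are all hypothetical names.

```cpp
#include <cstdint>
#include <cstdlib>
#include <new>

// Hypothetical model of the bug, not SpiderMonkey's code: an aligned
// thread-local block that records the raw malloc() pointer it lives in,
// owned by a segment whose constructor can fail under OOM.
struct TlsBlock {
    uint64_t globals[4];  // constructed payload standing in for the global area
    void* allocatedBase;  // what free() needs; sits at a small offset (32) in the block
};

// Test hook: when true, allocTlsBlock() reports OOM.
static bool gSimulateOOM = false;

static TlsBlock* allocTlsBlock() {
    if (gSimulateOOM) return nullptr;
    void* raw = std::malloc(sizeof(TlsBlock) + 16);  // slack for 16-byte alignment
    if (!raw) return nullptr;
    uintptr_t aligned = (reinterpret_cast<uintptr_t>(raw) + 15) & ~uintptr_t(15);
    TlsBlock* tls = new (reinterpret_cast<void*>(aligned)) TlsBlock();
    tls->allocatedBase = raw;  // remember the unaligned base for freeing
    return tls;
}

class GlobalSegmentModel {
    TlsBlock* tls_;
public:
    GlobalSegmentModel() : tls_(allocTlsBlock()) {}
    bool ok() const { return tls_ != nullptr; }
    ~GlobalSegmentModel() { std::free(baseToFree(tls_)); }  // free(nullptr) is a no-op

    // Buggy shape: dereferences tls even when construction failed. With
    // tls == nullptr this reads a small offset from address 0, the shape
    // the backtrace above shows (p unreadable at a tiny address).
    static void* baseToFreeUnchecked(const TlsBlock* tls) { return tls->allocatedBase; }
    // Fixed shape: a half-constructed segment owns nothing, so free nothing.
    static void* baseToFree(const TlsBlock* tls) { return tls ? tls->allocatedBase : nullptr; }
};

// Exercises both paths: a normal construction, then an OOM construction whose
// destructor must run without touching a null block.
bool segmentSurvivesOOM() {
    { GlobalSegmentModel seg; if (!seg.ok()) return false; }
    gSimulateOOM = true;
    bool failedCleanly;
    { GlobalSegmentModel seg; failedCleanly = !seg.ok(); }
    gSimulateOOM = false;
    return failedCleanly;
}
```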
Comment 5•7 years ago
Comment on attachment 8882045 [details] [diff] [review]
fix-oom
Review of attachment 8882045 [details] [diff] [review]:
-----------------------------------------------------------------
D'oh indeed.
Attachment #8882045 -
Flags: review?(lhansen) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d762b3e46153
Baldr: handle null field on OOM (r=lth)
Comment 8•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•7 years ago
status-firefox54:
--- → unaffected
status-firefox55:
--- → unaffected
status-firefox-esr52:
--- → unaffected