Closed Bug 1449589 Opened 7 years ago Closed 7 years ago

Assertion failure: false (!frames->empty()), at js/src/vm/SavedStacks.cpp:143 with streaming wasm compilation

Categories: Core :: JavaScript Engine, defect
Platform: ARM, Linux
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1445973
Tracking Status: firefox61 --- affected

People: Reporter: decoder, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, bugmon, testcase; Whiteboard: [jsbugmon:update,bisect]

The following testcase crashes on mozilla-central revision b906009d875d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):

    loadFile(`
    function testBoth(source, exportName, expectedValue) {
        WebAssembly.compileStreaming(code).then(m => { module = m });
        drainJobQueue();
    }
    var code = wasmTextToBinary('(module (func (export "run") (result i32) i32.const 42))');
    testBoth(code, 'run', 42);
    `);
    function loadFile(lfVarx) {
        try {
            oomTest(function() { eval(lfVarx); });
        } catch (lfVare) {}
    }

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x0880239f in js::LiveSavedFrameCache::find (this=0xffffaed0, cx=0xf6e1d800, framePtr=..., pc=0xf57a3103 <incomplete sequence \347>, frame=...) at js/src/vm/SavedStacks.cpp:143
    #0  0x0880239f in js::LiveSavedFrameCache::find (this=0xffffaed0, cx=0xf6e1d800, framePtr=..., pc=0xf57a3103 <incomplete sequence \347>, frame=...) at js/src/vm/SavedStacks.cpp:143
    #1  0x08809343 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1406
    #2  0x0880a331 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (this=0xf6e22890, cx=0xf6e1d800, frame=..., capture=...) at js/src/vm/SavedStacks.cpp:1242
    #3  0x085c575f in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) (cx=0xf6e1d800, stackp=..., capture=...) at js/src/jsapi.cpp:7755
    #4  0x082395e2 in PromiseDebugInfo::setResolutionInfo (cx=0xf6e1d800, promise=...) at js/src/builtin/Promise.cpp:274
    #5  0x08220bc1 in js::PromiseObject::onSettled (cx=0xf6e1d800, promise=...) at js/src/builtin/Promise.cpp:3474
    #6  0x08220d61 in ResolvePromise (cx=0xf6e1d800, promise=..., valueOrReason=..., state=JS::PromiseState::Fulfilled) at js/src/builtin/Promise.cpp:804
    #7  0x082216ec in FulfillMaybeWrappedPromise (cx=0xf6e1d800, promiseObj=..., value_=...) at js/src/builtin/Promise.cpp:837
    #8  0x08222202 in ResolvePromiseInternal (cx=0xf6e1d800, promise=..., resolutionVal=...) at js/src/builtin/Promise.cpp:563
    #9  0x08222a12 in RunResolutionFunction (cx=0xf6e1d800, resolutionFun=..., result=..., mode=ResolveMode, promiseObj=...) at js/src/builtin/Promise.cpp:1924
    #10 0x08227427 in PromiseReactionJob (cx=0xf6e1d800, argc=0, vp=0xffffa980) at js/src/builtin/Promise.cpp:1250
    #11 0x081af0e9 in js::CallJSNative (cx=0xf6e1d800, native=0x8226be0 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
    #12 0x081a42ad in js::InternalCallOrConstruct (cx=0xf6e1d800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
    #13 0x081a4670 in InternalCall (cx=cx@entry=0xf6e1d800, args=...) at js/src/vm/Interpreter.cpp:516
    #14 0x081a482a in js::Call (cx=0xf6e1d800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
    #15 0x085eb57a in JS::Call (cx=0xf6e1d800, thisv=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:3011
    #16 0x0871c5a1 in JS::Call (rval=..., args=..., funObj=..., thisv=..., cx=0xf6e1d800) at js/src/jsapi.h:3102
    #17 js::RunJobs (cx=0xf6e1d800) at js/src/vm/JSContext.cpp:1224
    #18 0x0808ee88 in DrainJobQueue (cx=0xf6e1d800, argc=0, vp=0xf561d178) at js/src/shell/js.cpp:963
    #19 0x081af0e9 in js::CallJSNative (cx=0xf6e1d800, native=0x808ee30 <DrainJobQueue(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
    [...]
    #42 0x0846ea22 in OOMTest (cx=0xf6e1d800, argc=1, vp=0xf561d0b0) at js/src/builtin/TestingFunctions.cpp:1692
    [...]
    #57 0x08082bc8 in main (argc=3, argv=0xffffce04, envp=0xffffce14) at js/src/shell/js.cpp:9420

    eax 0x0        0
    ebx 0xffffaed0 -20784
    ecx 0xf7d9f864 -136710044
    edx 0x0        0
    esi 0xffff9a44 -26044
    edi 0xf6e1d800 -152971264
    ebp 0xffff9a68 4294941288
    esp 0xffff9a30 4294941232
    eip 0x880239f  <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+767>
    => 0x880239f <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+767>: movl $0x0,0x0
       0x88023a9 <js::LiveSavedFrameCache::find(JSContext*, js::LiveSavedFrameCache::FramePtr&, unsigned char const*, JS::MutableHandle<js::SavedFrame*>) const+777>: ud2
This might be a duplicate of bug 1445973.
That is my expectation as well.
Yep. This slipped through because the assertion changed in the meanwhile.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE