Bug 1877358 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

```
(function (s, foreign, h) {
  "use asm";
  var g = foreign.m;
  function f() {
    g()
  }
  return f;
})(
  this,
  { m: (function(){x}) }
)();
```

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==15424==ERROR: AddressSanitizer: SEGV on unknown address 0x70007fff8003 (pc 0x558f05b9c9df bp 0x7ffc8ed74510 sp 0x7ffc8ed74400 T0)
==15424==The signal is caused by a READ memory access.
    #0 0x558f05b9c9df in JS::Value::toPrivate() const /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-2eb7051ff4ed/objdir-js/dist/include/js/Value.h:1055:46
    #1 0x558f05b9c9df in js::WasmTagObject::tagType() const /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3587:50
    #2 0x558f05b9c9df in js::WasmExceptionObject::create(JSContext*, JS::Handle<js::WasmTagObject*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3797:33
    #3 0x558f05bf705a in js::WasmExceptionObject::wrapJSValue(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3834:7
    #4 0x558f05ad815c in GetOrWrapWasmException(js::jit::JitActivation*, JSContext*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:619:17
    #5 0x558f05ad815c in js::wasm::HandleThrow(JSContext*, js::wasm::WasmFrameIter&, js::jit::ResumeFromException*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:668:40
    #6 0x558f05ada40f in WasmHandleThrow(js::jit::ResumeFromException*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:780:3
    #7 0x368e2db17559  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-2eb7051ff4ed/objdir-js/dist/include/js/Value.h:1055:46 in JS::Value::toPrivate() const
==15424==ABORTING
```

Run with `--fuzzing-safe --no-threads --ion-eager --no-wasm-exceptions`, compile with `AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2eb7051ff4ed.

Ryan, is bug 1873776 a likely regressor? Setting s-s to be safe.

```
(function (s, foreign, h) {
  "use asm";
  var g = foreign.m;
  function f() {
    g()
  }
  return f;
})(
  this,
  { m: (function(){x}) }
)();
```

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==15424==ERROR: AddressSanitizer: SEGV on unknown address 0x70007fff8003 (pc 0x558f05b9c9df bp 0x7ffc8ed74510 sp 0x7ffc8ed74400 T0)
==15424==The signal is caused by a READ memory access.
    #0 0x558f05b9c9df in JS::Value::toPrivate() const /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-2eb7051ff4ed/objdir-js/dist/include/js/Value.h:1055:46
    #1 0x558f05b9c9df in js::WasmTagObject::tagType() const /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3587:50
    #2 0x558f05b9c9df in js::WasmExceptionObject::create(JSContext*, JS::Handle<js::WasmTagObject*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3797:33
    #3 0x558f05bf705a in js::WasmExceptionObject::wrapJSValue(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmJS.cpp:3834:7
    #4 0x558f05ad815c in GetOrWrapWasmException(js::jit::JitActivation*, JSContext*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:619:17
    #5 0x558f05ad815c in js::wasm::HandleThrow(JSContext*, js::wasm::WasmFrameIter&, js::jit::ResumeFromException*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:668:40
    #6 0x558f05ada40f in WasmHandleThrow(js::jit::ResumeFromException*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:780:3
    #7 0x368e2db17559  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-2eb7051ff4ed/objdir-js/dist/include/js/Value.h:1055:46 in JS::Value::toPrivate() const
==15424==ABORTING
```

```
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/aa4e04a7fa90
user:        Ryan Hunt
date:        Thu Jan 25 13:08:36 2024 +0000
summary:     Bug 1873776 - wasm: Wrap thrown non-WebAssembly.Exception values in a WebAssembly.Exception when unwinding. r=yury
```

Run with `--fuzzing-safe --no-threads --ion-eager --no-wasm-exceptions`, compile with `AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2eb7051ff4ed.

Ryan, is bug 1873776 a likely regressor? Setting s-s to be safe.
