Bug 1880770 Comment 0 Edit History


```
var x = {};
Object.defineProperty(x, "toString", {
  enumerable: true,
  get: function () {
    new WebAssembly.Instance(
      new WebAssembly.Module(
        wasmTextToBinary(
          '(func $f (result f32) f32.const 0)(table (export "g") 1 funcref) (elem (i32.const 0) $f)'
        )
      )
    ).exports.g
      .get(0)
      .type(WebAssembly, "", WebAssembly.Module, {});
  },
});
oomTest(function () {
  Object.values(x);
});
```

```
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00005555586e1a78 in UTF8CharsToString (cx=cx@entry=0x7ffff6b2d100, chars=0x0)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:772
#2  0x00005555586e1727 in ValTypesToArray (cx=cx@entry=0x7ffff6b2d100, valTypes=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:783
#3  0x000055555868a5d8 in FuncTypeToObject (cx=cx@entry=0x7ffff6b2d100, type=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:805
#4  0x000055555869ee8a in WasmFunctionTypeImpl (cx=cx@entry=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4057
#5  0x000055555869f3d2 in JS::CallNonGenericMethod<&(IsWasmFunction(JS::Handle<JS::Value>)), &(WasmFunctionTypeImpl(JSContext*, JS::CallArgs const&))> (cx=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/shell-cache/js-dbg-64-linux-x86_64-2af34b4c9adf/objdir-js/dist/include/js/CallNonGenericMethod.h:103
#6  WasmFunctionType (cx=0x7ffff6b2d100, argc=<optimized out>, vp=<optimized out>)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4067
#7  0x000007535501a3ec in ?? ()
#8  0xaaaaaa0100015905 in ?? ()
#9  0x00007fffffffb800 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb)
```

Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2af34b4c9adf.

This seems to go as far back as 3 months prior; I'll keep trying to bisect. Let me know if this is a benign OOM issue.

Setting s-s to be safe. Yury/Jan, I'm guessing it's WebAssembly here; the patch for bug 1878673 seems to not fix this issue, so it might be a separate issue.

```
var x = {};
Object.defineProperty(x, "", {
  enumerable: true,
  get: function () {
    new WebAssembly.Instance(
      new WebAssembly.Module(
        wasmTextToBinary(
          '(func $f (result f32) f32.const 0)(table (export "g") 1 funcref) (elem (i32.const 0) $f)'
        )
      )
    ).exports.g
      .get(0)
      .type(WebAssembly, "", WebAssembly.Module, {});
  },
});
oomTest(function () {
  Object.values(x);
});
```

```
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00005555586e1a78 in UTF8CharsToString (cx=cx@entry=0x7ffff6b2d100, chars=0x0)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:772
#2  0x00005555586e1727 in ValTypesToArray (cx=cx@entry=0x7ffff6b2d100, valTypes=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:783
#3  0x000055555868a5d8 in FuncTypeToObject (cx=cx@entry=0x7ffff6b2d100, type=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:805
#4  0x000055555869ee8a in WasmFunctionTypeImpl (cx=cx@entry=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4057
#5  0x000055555869f3d2 in JS::CallNonGenericMethod<&(IsWasmFunction(JS::Handle<JS::Value>)), &(WasmFunctionTypeImpl(JSContext*, JS::CallArgs const&))> (cx=0x7ffff6b2d100, args=...)
    at /home/w11x500-lin/shell-cache/js-dbg-64-linux-x86_64-2af34b4c9adf/objdir-js/dist/include/js/CallNonGenericMethod.h:103
#6  WasmFunctionType (cx=0x7ffff6b2d100, argc=<optimized out>, vp=<optimized out>)
    at /home/w11x500-lin/trees/mozilla-central/js/src/wasm/WasmJS.cpp:4067
#7  0x000007535501a3ec in ?? ()
#8  0xaaaaaa0100015905 in ?? ()
#9  0x00007fffffffb800 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb)
```

Run with `--fuzzing-safe --no-threads --no-baseline --no-ion`, compile with `AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests`, tested on m-c rev 2af34b4c9adf.

This seems to go as far back as 3 months prior; I'll keep trying to bisect. Let me know if this is a benign OOM issue.

Setting s-s to be safe. Yury/Jan, I'm guessing it's WebAssembly here; the patch for bug 1878673 seems to not fix this issue, so it might be a separate issue.
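The backtrace above shows `UTF8CharsToString` being entered with `chars=0x0` under `oomTest`, i.e. a conversion that returned null on allocation failure was handed straight to `strlen()`. The following is an added example, not code from the bug report or from SpiderMonkey: it models that call chain in C with hypothetical stand-in names (`valtype_name`, `utf8_to_string`, `valtypes_to_array`, `oom_iterate`) and an `oomTest`-style allocation-fault driver, showing the check that keeps a failed conversion from reaching `strlen()`.

```c
/* Added example, not code from the bug report or SpiderMonkey: a model of the
 * failing chain (value-type name -> string) under injected allocation failure,
 * as the shell's oomTest() drives OOM. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

static int g_fail_at = 0;      /* the Nth allocation fails; 0 = no injection */
static int g_alloc_count = 0;
static void *oom_malloc(size_t n) {
  if (g_fail_at && ++g_alloc_count == g_fail_at) return NULL;
  return malloc(n);
}
/* Stand-in for the value-type name conversion: NULL on OOM or bad code. */
static char *valtype_name(int code) {
  static const char *names[] = {"i32", "i64", "f32", "f64", "funcref"};
  char *s = (code < 0 || code > 4) ? NULL : oom_malloc(strlen(names[code]) + 1);
  return s ? strcpy(s, names[code]) : NULL;
}
/* Stand-in for UTF8CharsToString: the reported crash is strlen() on a NULL
 * `chars` here, so a failed conversion must never reach this call. */
static char *utf8_to_string(const char *chars) {
  size_t len = strlen(chars) + 1;
  char *out = oom_malloc(len);
  return out ? memcpy(out, chars, len) : NULL;
}
/* Hardened loop: each OOM-able step is checked and the failure propagated
 * (freeing partial results) instead of being handed to strlen(). */
static int valtypes_to_array(const int *codes, int n, char **out) {
  for (int i = 0; i < n; i++) {
    char *name = valtype_name(codes[i]);
    out[i] = name ? utf8_to_string(name) : NULL;
    free(name);
    if (out[i]) continue;
    while (i-- > 0) { free(out[i]); out[i] = NULL; }
    return -1;
  }
  return 0;
}
/* oomTest-style driver: fail allocation k for k = 1, 2, ... until a run
 * completes untouched; returns how many fault points were exercised. A NULL
 * dereference anywhere in the chain would crash this loop instead. */
static int oom_iterate(void) {
  const int codes[] = {2, 0, 4};   /* f32, i32, funcref: constructed input */
  char *out[3];
  for (int k = 1;; k++) {
    g_fail_at = k, g_alloc_count = 0;
    if (valtypes_to_array(codes, 3, out) != 0) continue;
    for (int i = 0; i < 3; i++) free(out[i]);
    return k - 1;                   /* 6 allocations: 3 names + 3 strings */
  }
}
```

Running `oom_iterate()` under a sanitizer or a debugger is the same check the shell's `oomTest` performs: every allocation site in the chain is failed once, and the conversion must report the failure rather than crash.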
