Bug 1567040 Comment 0 Edit History

The following testcase crashes on mozilla-central revision b6d154b23098 (build with --enable-debug --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=baseline):

    // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/regress/oom-masm-baseline.js
    oomTest(function() {
        return new WebAssembly.Module(wasmTextToBinary("(module (func i32.const 0))"));
    });

Backtrace:

```
Direct leak of 12 byte(s) in 1 object(s) allocated from:
    #0 0x55ead0c059f3 in __interceptor_malloc (/home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/js-dbg-64-asan-linux-x86_64-b6d154b23098+0x262c9f3)
    #1 0x55ead3406155 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x55ead3406155 in js_malloc(unsigned long) /home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/objdir-js/dist/include/js/Utility.h:396
    #3 0x55ead3406155 in js::wasm::StackMap::create(unsigned int) js/src/wasm/WasmGC.h:89
    #4 0x55ead3bd34b3 in js::wasm::StackMapGenerator::createStackMap(char const*, mozilla::Vector<bool, 32ul, js::SystemAllocPolicy> const&, unsigned int, js::wasm::HasRefTypedDebugFrame, mozilla::Vector<js::wasm::Stk, 0ul, js::SystemAllocPolicy> const&) js/src/wasm/WasmBaselineCompile.cpp:2346:26
    #5 0x55ead3babe0c in js::wasm::BaseCompiler::createStackMap(char const*, mozilla::Vector<bool, 32ul, js::SystemAllocPolicy> const&, unsigned int, js::wasm::HasRefTypedDebugFrame) js/src/wasm/WasmBaselineCompile.cpp:3296:31
/snip
```

For detailed crash information, see attachment.

The following testcase crashes on mozilla-central revision b6d154b23098 (build with --enable-debug --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=baseline and the environment variables ASAN_OPTIONS=detect_leaks=1 LSAN_OPTIONS=max_leaks=1):

    // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/regress/oom-masm-baseline.js
    oomTest(function() {
        return new WebAssembly.Module(wasmTextToBinary("(module (func i32.const 0))"));
    });

Backtrace:

```
Direct leak of 12 byte(s) in 1 object(s) allocated from:
    #0 0x55ead0c059f3 in __interceptor_malloc (/home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/js-dbg-64-asan-linux-x86_64-b6d154b23098+0x262c9f3)
    #1 0x55ead3406155 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/objdir-js/dist/include/js/Utility.h:392:10
    #2 0x55ead3406155 in js_malloc(unsigned long) /home/ubuntu/shell-cache/js-dbg-64-asan-linux-x86_64-b6d154b23098/objdir-js/dist/include/js/Utility.h:396
    #3 0x55ead3406155 in js::wasm::StackMap::create(unsigned int) js/src/wasm/WasmGC.h:89
    #4 0x55ead3bd34b3 in js::wasm::StackMapGenerator::createStackMap(char const*, mozilla::Vector<bool, 32ul, js::SystemAllocPolicy> const&, unsigned int, js::wasm::HasRefTypedDebugFrame, mozilla::Vector<js::wasm::Stk, 0ul, js::SystemAllocPolicy> const&) js/src/wasm/WasmBaselineCompile.cpp:2346:26
    #5 0x55ead3babe0c in js::wasm::BaseCompiler::createStackMap(char const*, mozilla::Vector<bool, 32ul, js::SystemAllocPolicy> const&, unsigned int, js::wasm::HasRefTypedDebugFrame) js/src/wasm/WasmBaselineCompile.cpp:3296:31
/snip
```

For detailed crash information, see attachment.