Closed
Bug 1246957
Opened 8 years ago
Closed 8 years ago
[wasm] Crash [@ js::shadow::Object::numFixedSlots]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla47
Tracking | Status | |
---|---|---|
firefox47 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
21 bytes,
application/octet-stream
|
Details | |
2.28 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The attached binary WebAssembly testcase crashes on mozilla-central revision 815d689a6e1e+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests, run with ). To reproduce, you can run the following code in the JS shell: var data = os.file.readFile(file, 'binary'); wasmEval(data.buffer); Backtrace: ==14669==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000001ca986c bp 0x7fff3bfb9bd0 sp 0x7fff3bfb9bb0 T0) #0 0x1ca986b in js::shadow::Object::numFixedSlots() const js/src/jsfriendapi.h:582:43 #1 0x1ca986b in js::NativeObject::numFixedSlots() const js/src/vm/NativeObject.h:608 #2 0x1ca986b in js::NativeObject::slotInRange(unsigned int, js::NativeObject::SentinelAllowed) const js/src/vm/NativeObject.cpp:224 #3 0x1a1dbc2 in js::NativeObject::getSlot(unsigned int) const js/src/vm/NativeObject.h:770:9 #4 0x1a1dbc2 in js::ArrayBufferObject::dataPointer() const js/src/vm/ArrayBufferObject.cpp:538 #5 0x61299c in DecodeDataSection(JSContext*, js::wasm::Decoder&, JS::Handle<js::ArrayBufferObject*>) js/src/asmjs/Wasm.cpp:917:31 #6 0x61299c in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<js::wasm::ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1016 #7 0x61cd02 in WasmEval(JSContext*, unsigned int, JS::Value*) js/src/asmjs/Wasm.cpp:1171:10 [...] #22 0x489be8 in _start (js/src/debug64afl/js/src/shell/js+0x489be8) This is quite frequent.
Reporter | ||
Comment 1•8 years ago
|
||
Assignee | ||
Comment 2•8 years ago
|
||
I assume that no memory => no data segments, but maybe the presence of data segments when there's no memory should imply that there is memory, and its size is determined by the offset to the last indexed byte in the last segment? e.g. if there's no memory section but there's a segment for which (offset;size) = (42, 100), then we implicitly alloc memory with size >= 142? (I don't think so, as explicit is better than implicit and the memory declaration seems rather small and important)
Comment 3•8 years ago
|
||
Comment on attachment 8717483 [details] [diff] [review] datasection.patch Review of attachment 8717483 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8717483 -
Flags: review?(luke) → review+
Comment 4•8 years ago
|
||
Oh, just saw your question: we've said that the absence of a memory section, other memory operators are invalid (https://github.com/WebAssembly/design/blob/master/Modules.md#linear-memory-section), so having data segments also not be allowed seems to fall out from this.
Comment 6•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/2b116adb0173
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
You need to log in
before you can comment on or make changes to this bug.
Description
•