Closed Bug 1336054 Opened 8 years ago Closed 8 years ago

Crash [@ ResolveExpr]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Detailed Crash Information
30.78 KB, text/plain
Details
Bug 1336054: Add allocation check in wasmTextToBinary's ParseBlock;
59 bytes, text/x-review-board-request
luke
: review+
Details
The following testcase crashes on mozilla-central revision f985243bb630 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): // Adapted from randomly chosen test: js/src/jit-test/tests/wasm/regress/reserve-joinreg.js oomTest((function () { wasmTextToBinary("(module(func(loop $label1 $label0)))"); })) Backtrace: 0 js-dbg-64-dm-clang-darwin-f985243bb630 0x00000001064b5007 ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&) + 23 (WasmTextToBinary.cpp:3747) 1 js-dbg-64-dm-clang-darwin-f985243bb630 0x00000001064b508c ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&) + 156 (WasmTextToBinary.cpp:3509) 2 js-dbg-64-dm-clang-darwin-f985243bb630 0x0000000106489879 js::wasm::TextToBinary(char16_t const*, mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<char [], JS::FreePolicy>*) + 4025 (WasmTextToBinary.cpp:3912) 3 js-dbg-64-dm-clang-darwin-f985243bb630 0x0000000105f1b8ca WasmTextToBinary(JSContext*, unsigned int, JS::Value*) + 762 (TestingFunctions.cpp:551) 4 js-dbg-64-dm-clang-darwin-f985243bb630 0x0000000105b6e50e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:263) /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/958074f3b830 user: Dan Gohman date: Fri Sep 23 09:13:15 2016 -0500 summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke) Dan, is bug 1287220 a likely regressor?
Blocks: 1287220
Flags: needinfo?(sunfish)
Flags: needinfo?(sunfish)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
TextToBinary is not exposed to content (it's shell only), so we can just wontfix firefox52 and firefox53, unless fuzzers fuzz there too and strongly want it.
status-firefox52: --- → wontfix
status-firefox53: --- → wontfix
Component: JavaScript Engine → JavaScript Engine: JIT
Comment on attachment 8832840 [details] Bug 1336054: Add allocation check in wasmTextToBinary's ParseBlock; https://reviewboard.mozilla.org/r/109092/#review110298
Attachment #8832840 - Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f7b9640e63f0 Add allocation check in wasmTextToBinary's ParseBlock; r=luke
https://hg.mozilla.org/mozilla-central/rev/f7b9640e63f0
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox54: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: