Closed Bug 1336054 Opened 7 years ago Closed 7 years ago

Crash [@ ResolveExpr]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

Detailed Crash Information
30.78 KB, text/plain
Details
Bug 1336054: Add allocation check in wasmTextToBinary's ParseBlock;
59 bytes, text/x-review-board-request
luke
: review+
Details 
The following testcase crashes on mozilla-central revision f985243bb630 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

// Adapted from randomly chosen test: js/src/jit-test/tests/wasm/regress/reserve-joinreg.js
oomTest((function () {
    wasmTextToBinary("(module(func(loop $label1 $label0)))");
}))

Backtrace:

0   js-dbg-64-dm-clang-darwin-f985243bb630	0x00000001064b5007 ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&) + 23 (WasmTextToBinary.cpp:3747)
1   js-dbg-64-dm-clang-darwin-f985243bb630	0x00000001064b508c ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&) + 156 (WasmTextToBinary.cpp:3509)
2   js-dbg-64-dm-clang-darwin-f985243bb630	0x0000000106489879 js::wasm::TextToBinary(char16_t const*, mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<char [], JS::FreePolicy>*) + 4025 (WasmTextToBinary.cpp:3912)
3   js-dbg-64-dm-clang-darwin-f985243bb630	0x0000000105f1b8ca WasmTextToBinary(JSContext*, unsigned int, JS::Value*) + 762 (TestingFunctions.cpp:551)
4   js-dbg-64-dm-clang-darwin-f985243bb630	0x0000000105b6e50e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:263)
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/958074f3b830
user:        Dan Gohman
date:        Fri Sep 23 09:13:15 2016 -0500
summary:     Bug 1287220 - Baldr: update to binary version 0xc (r=luke)

Dan, is bug 1287220 a likely regressor?
Blocks: 1287220
Flags: needinfo?(sunfish)
Flags: needinfo?(sunfish)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
TextToBinary is not exposed to content (it's shell only), so we can just wontfix firefox52 and firefox53, unless fuzzers fuzz there too and strongly want it.
status-firefox52: --- → wontfix
status-firefox53: --- → wontfix
Component: JavaScript Engine → JavaScript Engine: JIT
Comment on attachment 8832840 [details]
Bug 1336054: Add allocation check in wasmTextToBinary's ParseBlock;

https://reviewboard.mozilla.org/r/109092/#review110298
Attachment #8832840 - Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f7b9640e63f0
Add allocation check in wasmTextToBinary's ParseBlock; r=luke
https://hg.mozilla.org/mozilla-central/rev/f7b9640e63f0
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox54: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: