Closed Bug 1368844 Opened 8 years ago Closed 8 years ago

WebAssembly.Memory thows assert

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox53 - wontfix
firefox54 + wontfix
firefox55 + fixed

People

(Reporter: natashenka, Assigned: bbouvier)

References

Details

Attachments

(1 file, 1 obsolete file)

fix.patch
10.61 KB, patch
bbouvier
: review+
gchang
: approval-mozilla-beta-
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 Steps to reproduce: Ran the following code in a debug build of spidermonkey: var a = new WebAssembly.Memory({initial: 59199}); Actual results: An assert fired: Assertion failure: length <= (2147483647), at /home/user/test_everywhere/spidermonkey/js/src/vm/ArrayBufferObject.cpp:895 Segmentation fault (core dumped) Expected results: No asserts.
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Thanks for opening an issue! [Tracking Requested - why for this release]: simple way to DOS a browser
Assignee: nobody → bbouvier
Blocks: wasm
Status: UNCONFIRMED → ASSIGNED
tracking-firefox53: --- → ?
tracking-firefox54: --- → ?
tracking-firefox55: --- → ?
Component: JavaScript Engine → JavaScript Engine: JIT
Ever confirmed: true
Attached patch checkinternal.patch (obsolete) — Splinter Review
Attachment #8873076 - Flags: review?(luke)
Comment on attachment 8873076 [details] [diff] [review] checkinternal.patch Review of attachment 8873076 [details] [diff] [review]: ----------------------------------------------------------------- Ooph, thanks. Could you add release asserts to ArrayBufferObject::createForWasm() that initial/maximum are less than their respective MaxMemory*Pages?
Attachment #8873076 - Flags: review?(luke) → review+
Yes, I've added the assert for the initial. For maximum, since the maximal value is 2**32 - 1, and the maximum value is an u32, the assert would be tautological.
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/27a355cf6036 Check WebAssembly.{Memory,Table} sizes against internal limits; r=luke
https://hg.mozilla.org/mozilla-central/rev/27a355cf6036
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Attached patch fix.patchSplinter Review
Approval Request Comment [Feature/Bug causing the regression]: wasm [User impact if declined]: easy way to DOS firefox [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: not much [Why is the change risky/not risky?]: conservative, small change [String changes made/needed]: n/a
Attachment #8873076 - Attachment is obsolete: true
Attachment #8874837 - Flags: review+
Attachment #8874837 - Flags: approval-mozilla-beta?
Is ESR52 also affected?
Flags: needinfo?(bbouvier)
Comment on attachment 8874837 [details] [diff] [review] fix.patch 54 RC build is released today. Beta54- and mark 54 won't fix.
Attachment #8874837 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
(In reply to Ryan VanderMeulen [:RyanVM] from comment #9) > Is ESR52 also affected? No, wasm is disabled on esr52.
status-firefox-esr52: --- → unaffected
Flags: needinfo?(bbouvier)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: