Closed
Bug 1497612
Opened 6 years ago
Closed 6 years ago
Assertion failure: cursor == begin + size, at js/src/wasm/WasmModule.cpp:226 with OOM
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
RESOLVED
FIXED
mozilla64
Release | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | fixed |
People
(Reporter: decoder, Assigned: luke)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file) patch, 2.20 KB, lth: review+
The following testcase crashes on mozilla-central revision a9616aaeff87 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

```js
oomTest(new Function(`
  const {Module, Instance, compileStreaming} = WebAssembly;
  function testCached(code, imports, test) {
    code = wasmTextToBinary(code);
    let cache = streamCacheEntry(code);
    compileStreaming(cache)
    drainJobQueue();
  }
  testCached(\`(module (func (export "run") (result i32) (i32.const 42)))\`);
`));
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5905700 (LWP 20622)]
0x000055555622857b in js::wasm::Module::serialize (this=this@entry=0x7ffff49e0de0, linkData=..., begin=<optimized out>, size=1915) at js/src/wasm/WasmModule.cpp:226
#0  0x000055555622857b in js::wasm::Module::serialize (this=this@entry=0x7ffff49e0de0, linkData=..., begin=<optimized out>, size=1915) at js/src/wasm/WasmModule.cpp:226
#1  0x000055555622b62a in js::wasm::Module::serialize (this=0x7ffff49e0de0, linkData=..., listener=...) at js/src/wasm/WasmModule.cpp:321
#2  0x00005555561f8b22 in js::wasm::ModuleGenerator::finishModule (this=this@entry=0x7ffff5902c90, bytecode=..., maybeTier2Listener=0x7ffff5fc1a20, maybeLinkDataOut=maybeLinkDataOut@entry=0x0) at js/src/wasm/WasmGenerator.cpp:1148
#3  0x0000555556186675 in js::wasm::CompileStreaming (args=..., envBytes=..., codeBytes=..., codeBytesEnd=..., exclusiveStreamEnd=..., cancelled=..., error=<optimized out>, warnings=<optimized out>) at js/src/wasm/WasmCompile.cpp:779
#4  0x000055555624087f in CompileStreamTask::execute (this=0x7ffff4916800) at js/src/wasm/WasmJS.cpp:3225
#5  0x0000555555f72df4 in js::HelperThread::handlePromiseHelperTaskWorkload (this=0x7ffff5f06d80, locked=...) at js/src/vm/HelperThreads.cpp:2157
#6  0x0000555555f5e9ac in js::HelperThread::threadLoop (this=this@entry=0x7ffff5f06d80) at js/src/vm/HelperThreads.cpp:2642
#7  0x0000555555f5ebb0 in js::HelperThread::ThreadMain (arg=0x7ffff5f06d80) at js/src/vm/HelperThreads.cpp:2085
#8  0x0000555555f835d2 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f1b080) at js/src/threading/Thread.h:243
#9  js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f1b080) at js/src/threading/Thread.h:236
#10 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5905700) at pthread_create.c:333
#11 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x0 0
rbx 0x7ffff49e0df0 140737297386992
rcx 0x7ffff6c1c2dd 140737333281501
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7ffff5902670 140737313252976
rsp 0x7ffff59025e0 140737313252832
r8  0x7ffff6eeb770 140737336227696
r9  0x7ffff5905700 140737313265408
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7ffff5f91f7b 140737320132475
r13 0xd 13
r14 0x7ffff5fc1a20 140737320327712
r15 0x7ffff49e0de0 140737297386976
rip 0x55555622857b <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+971>
=> 0x55555622857b <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+971>: movl $0x0,0x0
   0x555556228586 <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+982>: ud2
```

Marking s-s because this is a range/length-like assertion.
Comment 1•6 years ago
Taking. But not s-s since this caching path is currently shell-only and not (yet) content-exposed.
Assignee: nobody → luke
Comment 2•6 years ago
Oops, forgot to check oom value. Two of these callers are in an infallible environment and we're also talking about a <20 byte value here, so it seems simpler to just use an infallible allocation. This feature isn't web-exposed, just tested by the shell, so this is not s-s.
Attachment #9015759 - Flags: review?(lhansen)
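As an added illustration of the invariant behind this assertion (this is not SpiderMonkey's code nor the attached patch; the fallibleAlloc/gSimulateOOM stand-ins and the Payload layout are assumptions): a two-pass serializer computes a byte count, writes into a buffer of that size, and checks that the cursor landed exactly at begin + size. An unchecked fallible allocation inside the write pass makes the write pass emit fewer bytes than the size pass promised under OOM, which is what the assertion catches; for a value this small, an infallible buffer removes the mismatch.

```cpp
// Illustrative reconstruction (not SpiderMonkey's code) of the cursor == begin + size
// invariant: serializedSize() and the write pass must agree byte for byte.
#include <cstdint>
#include <cstring>
#include <vector>
static bool gSimulateOOM = false;  // hypothetical stand-in for the shell's oomTest()
static uint8_t* fallibleAlloc(size_t n) { return gSimulateOOM ? nullptr : new uint8_t[n]; }
struct Payload { uint32_t tag; std::vector<uint8_t> body; };  // body is < 20 bytes
static size_t serializedSize(const Payload& p) { return sizeof(p.tag) + p.body.size(); }
// Encodes body through a fallible scratch buffer whose failure is never reported:
// on OOM it quietly writes nothing (the "forgot to check oom value" defect).
static size_t encodeBodyBuggy(const Payload& p, uint8_t* cursor) {
    uint8_t* scratch = fallibleAlloc(p.body.size());
    if (!scratch) return 0;                      // BUG: caller never learns this
    memcpy(scratch, p.body.data(), p.body.size());
    memcpy(cursor, scratch, p.body.size());
    delete[] scratch;
    return p.body.size();
}
// Fixed: the value is tiny, so an infallible fixed-size scratch buffer is used
// (callers guarantee body.size() < 20), so the write pass cannot shrink under OOM.
static size_t encodeBodyFixed(const Payload& p, uint8_t* cursor) {
    uint8_t scratch[20];
    memcpy(scratch, p.body.data(), p.body.size());
    memcpy(cursor, scratch, p.body.size());
    return p.body.size();
}
// Write pass; returns true iff cursor == begin + size, i.e. the assertion would hold.
static bool serializeHolds(const Payload& p, bool fixed) {
    size_t size = serializedSize(p);
    std::vector<uint8_t> buf(size);
    uint8_t* begin = buf.data();
    uint8_t* cursor = begin;
    memcpy(cursor, &p.tag, sizeof(p.tag));
    cursor += sizeof(p.tag);
    cursor += fixed ? encodeBodyFixed(p, cursor) : encodeBodyBuggy(p, cursor);
    return cursor == begin + size;
}
// Runs the write pass with OOM simulated on or off, on a constructed sample payload.
static bool check(bool oom, bool fixed) {
    Payload p{0x2a, {1, 2, 3, 4, 5, 6, 7, 8}};
    gSimulateOOM = oom;
    bool ok = serializeHolds(p, fixed);
    gSimulateOOM = false;
    return ok;
}
```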
Updated•6 years ago
Attachment #9015759 - Flags: review?(lhansen) → review+
Comment 3•6 years ago
https://hg.mozilla.org/mozilla-central/rev/43a51bc9a77d
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Updated•6 years ago
status-firefox62: --- → unaffected
status-firefox63: --- → unaffected
status-firefox-esr60: --- → unaffected