Bug 1507564 - Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767
Status: Closed (opened 6 years ago, closed 6 years ago)
Categories: Core :: JavaScript: WebAssembly, defect
People: Reporter: bbouvier, Assignee: bbouvier
Attachments (1 file): attachment 9025429, 47 bytes, text/x-phabricator-request; flags: jcristau: approval-mozilla-beta+, jcristau: approval-mozilla-esr60+
The following test case (reduced from a bigger one found by awsm) crashes the 32-bit x86 shells with Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767.
let i = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
(module
  ;; f32 NaN with payload 0x42 (bit pattern 0x7f800042), not the canonical NaN
  (func $f (result f32)
    f32.const nan:0x42
  )
  ;; anyfunc is the pre-reference-types spelling of funcref
  (table (export "table") 10 anyfunc)
  (elem (i32.const 0) $f)
)
`))).exports;
// wasmTextToBinary and print are SpiderMonkey shell builtins. table.get(0)
// returns a JS function backed by a lazily generated entry stub; calling it
// is what triggers the assertion.
print(i.table.get(0)());
It's a null deref in opt builds, so keeping open. Patch incoming.
Comment 1 • 6 years ago (assignee, bbouvier)
A lazy stub could generate CodeLabels on x86, because of a constant NaN
generated for the entry's epilogue that ended up in a constant pool. We need to
actually bind these code labels in general.
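Added example, not part of this bug or of the SpiderMonkey tree: the reporter's module hand-encoded as a wasm binary so the same table-call path can be exercised with the standard WebAssembly JS API (Node, a browser, or the shell) without the shell-only wasmTextToBinary and print helpers. The f32 bit pattern is a parameter, so the module can be built with the payload-carrying NaN from the report, with the canonical NaN, or with a non-NaN control value. encodeModule, callThroughTable and the bit-pattern constants are names chosen for this example, not engine APIs.

```javascript
// Added example (not from the bug report or the SpiderMonkey tree): the
// reporter's module hand-encoded as wasm binary so the table-call path runs
// with the standard WebAssembly JS API. encodeModule, callThroughTable and
// the constants below are names chosen here, not engine APIs.

// Raw IEEE-754 single bit patterns for the f32.const in the function body.
const NAN_PAYLOAD_0X42 = 0x7f800042; // wat `nan:0x42`: exponent all ones, fraction 0x42
const CANONICAL_NAN = 0x7fc00000;    // wat `nan`: quiet bit set, no payload
const F32_ONE = 0x3f800000;          // 1.0, a non-NaN control value

// Builds the binary equivalent of:
//   (module
//     (func $f (result f32) f32.const <bits>)
//     (table (export "table") 10 funcref)   ;; spelled `anyfunc` in the report
//     (elem (i32.const 0) $f))
function encodeModule(f32Bits) {
  // Little-endian immediate for f32.const (opcode 0x43).
  const imm = [
    f32Bits & 0xff, (f32Bits >>> 8) & 0xff,
    (f32Bits >>> 16) & 0xff, (f32Bits >>> 24) & 0xff,
  ];
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
    0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7d,       // type: one functype () -> f32
    0x03, 0x02, 0x01, 0x00,                         // function: one func of type 0
    0x04, 0x04, 0x01, 0x70, 0x00, 0x0a,             // table: funcref, min 10, no max
    0x07, 0x09, 0x01, 0x05, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x01, 0x00, // export "table" = table 0
    0x09, 0x07, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x01, 0x00, // elem: at (i32.const 0), [func 0]
    0x0a, 0x09, 0x01, 0x07, 0x00, 0x43, ...imm, 0x0b,     // code: body = f32.const <bits>; end
  ]);
}

// Instantiates the module and calls func 0 through the exported table. The
// function object handed out by table.get() is backed by an entry stub that
// SpiderMonkey generates lazily (comments 1 and 2), which is the code path
// this bug is about.
function callThroughTable(f32Bits) {
  const bytes = encodeModule(f32Bits);
  if (!WebAssembly.validate(bytes)) {
    throw new Error("hand-encoded module failed validation");
  }
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  const fn = instance.exports.table.get(0);
  return fn();
}

// Stand-alone run: an affected 32-bit x86 build would crash inside the NaN
// cases; a fixed build returns NaN for both and 1 for the control value.
for (const [label, bits] of [
  ["nan:0x42", NAN_PAYLOAD_0X42],
  ["nan", CANONICAL_NAN],
  ["1.0", F32_ONE],
]) {
  console.log(label, "->", callThroughTable(bits));
}
```

The byte layout follows the section order the binary format requires (type, function, table, export, element, code); WebAssembly.validate is called first so an encoding mistake surfaces as a validation error rather than an engine crash being blamed on the stub.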
Comment 2 • 6 years ago (assignee, bbouvier)
We should track this and get it into as many versions of Firefox as we can. While not sec-critical, it causes crashes that end up under wasm::Instance::callExport, which is our general bucket of wasm crashes. I think it's been there since bug 1422043, which implemented the lazy stubs.
Updated • 6 years ago
status-firefox63: --- → wontfix
status-firefox64: --- → affected
status-firefox65: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox-esr60: --- → 64+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a42e724df88
Bind code labels when generating lazy table stubs; r=luke
Comment 4 • 6 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 5 • 6 years ago
This grafts cleanly to Beta/ESR60 as-landed. Please request approval when you get a chance.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Comment 6 • 6 years ago (assignee, bbouvier)
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1422043
User impact if declined: Crashes in wasm code on x86 32 bits.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Very small patch.
String changes made/needed:
Flags: needinfo?(bbouvier)
Attachment #9025429 - Flags: approval-mozilla-beta?
Comment 7 • 6 years ago (assignee, bbouvier)
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: See previous comment.
User impact if declined:
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String or UUID changes made by this patch:
Attachment #9025429 - Flags: approval-mozilla-esr60?
Comment 8 • 6 years ago
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke
wasm crash fix, approved for 64.0b11 and 60.4.0esr
Attachment #9025429 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Attachment #9025429 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 9 • 6 years ago
bugherder uplift
Comment 10 • 6 years ago
bugherder uplift