Closed Bug 1507564 Opened 6 years ago Closed 6 years ago

Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767

Categories

(Core :: JavaScript: WebAssembly, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 64+ fixed
firefox63 - wontfix
firefox64 + fixed
firefox65 + fixed

People

(Reporter: bbouvier, Assigned: bbouvier)

References

Details

Attachments

(1 file)

The following test case (reduced from a bigger one found by awsm) crashes the 32-bit x86 shells with Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767.

    let i = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
      (module
        (func $f (result f32)
          f32.const nan:0x42
        )
        (table (export "table") 10 anyfunc)
        (elem (i32.const 0) $f)
      )
    `))).exports;
    print(i.table.get(0)());

It's a null deref in opt builds, so keeping open. Patch incoming.
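The reduced test case from the report, as an added example that is not part of the bug's attachment or SpiderMonkey's own test suite: the same module hand-encoded as a WebAssembly binary so it runs under Node or any browser engine without the SpiderMonkey shell's wasmTextToBinary() and print() helpers. The function names (instantiateNanModule, callTableEntry, runRegressionCheck) are assumptions. The check only asserts that calling through the exported table returns NaN, which is the expected result on a fixed engine; on an affected 32-bit x86 shell that same call is the path through the lazily generated table entry stub that crashed.

```javascript
// Reduced test case from bug 1507564, hand-encoded as a binary module
// (added example, not code from the report). Equivalent text form:
//   (module
//     (func $f (result f32) f32.const nan:0x42)
//     (table (export "table") 10 anyfunc)
//     (elem (i32.const 0) $f))
const NAN_PAYLOAD_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,             // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,             // binary version 1
  // type section (id 1): one signature, () -> (f32)
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7d,
  // function section (id 3): func 0 uses type 0
  0x03, 0x02, 0x01, 0x00,
  // table section (id 4): one funcref table, min 10, no max
  0x04, 0x04, 0x01, 0x70, 0x00, 0x0a,
  // export section (id 7): export table 0 under the name "table"
  0x07, 0x09, 0x01, 0x05, 0x74, 0x61, 0x62, 0x6c, 0x65, 0x01, 0x00,
  // element section (id 9): active segment, offset i32.const 0, [func 0]
  0x09, 0x07, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x01, 0x00,
  // code section (id 10): func 0 body = f32.const 0x7f800042 (nan:0x42); end
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x43, 0x42, 0x00, 0x80, 0x7f, 0x0b,
]);

// Synchronous compile + instantiate; fine for a module this small.
function instantiateNanModule() {
  const mod = new WebAssembly.Module(NAN_PAYLOAD_MODULE);
  const instance = new WebAssembly.Instance(mod);
  return instance.exports.table;
}

// Call the function stored in a table slot directly from JS. This is the
// JS -> wasm entry through the table, i.e. the lazy entry stub the bug is about.
function callTableEntry(table, index = 0) {
  const fn = table.get(index);
  if (typeof fn !== "function") {
    throw new Error(`table slot ${index} does not hold a function`);
  }
  return fn();
}

// Reinterpret the returned value as f32 bits so a reader can inspect the NaN
// payload. Engines are not required to preserve NaN payloads across the
// JS/wasm boundary, so this is informational only and not asserted on.
function f32Bits(value) {
  const view = new DataView(new ArrayBuffer(4));
  view.setFloat32(0, value);
  return view.getUint32(0) >>> 0;
}

function runRegressionCheck() {
  const table = instantiateNanModule();
  const value = callTableEntry(table, 0);
  return {
    isNaN: Number.isNaN(value),
    bits: "0x" + f32Bits(value).toString(16),
    tableLength: table.length,
  };
}

console.log(runRegressionCheck());
```

Running this prints an object whose isNaN field is true and whose tableLength is 10; the bits field shows whatever NaN encoding the engine handed back to JS, which may differ from the 0x7f800042 constant in the module.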
A lazy stub could generate CodeLabels on x86, because of a constant NaN generated for the entry's epilogue that ended up in a constant pool. We need to actually bind these code labels in general.
We should track this and get it into as many versions of Firefox as we can. While not sec-critical, it causes crashes that end up under wasm::Instance::callExport, which is our general bucket of wasm crashes. I think it's been there since bug 1422043, which implemented the lazy stubs.
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a42e724df88
Bind code labels when generating lazy table stubs; r=luke
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
This grafts cleanly to Beta/ESR60 as-landed. Please request approval when you get a chance.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1422043
User impact if declined: Crashes in wasm code on 32-bit x86.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Very small patch.
String changes made/needed:
Flags: needinfo?(bbouvier)
Attachment #9025429 - Flags: approval-mozilla-beta?
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: See previous comment.
User impact if declined:
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String or UUID changes made by this patch:
Attachment #9025429 - Flags: approval-mozilla-esr60?
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

wasm crash fix, approved for 64.0b11 and 60.4.0esr
Attachment #9025429 - Flags: approval-mozilla-esr60?
Attachment #9025429 - Flags: approval-mozilla-esr60+
Attachment #9025429 - Flags: approval-mozilla-beta?
Attachment #9025429 - Flags: approval-mozilla-beta+