Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767

RESOLVED FIXED in Firefox -esr60

Status


defect
RESOLVED FIXED
8 months ago

People

(Reporter: bbouvier, Assigned: bbouvier)

Tracking

(Blocks 1 bug)

unspecified
mozilla65
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 64+ fixed, firefox63 - wontfix, firefox64 + fixed, firefox65 + fixed)

Details

Attachments

(1 attachment)

The following test case (reduced from a bigger one found by awsm) crashes the 32-bit x86 shells with Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767.

let i = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
(module
    (func $f (result f32)
        f32.const nan:0x42
    )
    (table (export "table") 10 anyfunc)
    (elem (i32.const 0) $f)
)
`))).exports;

print(i.table.get(0)());

It's a null deref in opt builds, so keeping open. Patch incoming.
A lazy stub could generate CodeLabels on x86, because of a constant NaN
generated for the entry's epilogue that ended up in a constant pool. We need to
actually bind these code labels in general.
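The reduced test case above only runs in the SpiderMonkey shell, because wasmTextToBinary() and print() are shell builtins. As an added example (not part of the bug report or of the landed patch), the same module is assembled by hand from the binary format and exercised through the standard WebAssembly API, so it can serve as a portable regression check in Node.js or a browser: a function returning f32.const nan:0x42 is placed in an exported table by an elem segment and called through table.get(0)(), which is the path that goes through the lazily generated table-entry stub the comment above describes. The helper names (uleb, section, vec, buildModule, callThroughTable, check) are this example's own, and the 0x7f800042 bit pattern is the f32 encoding of nan:0x42 (exponent all ones, mantissa 0x42).

```javascript
// Added example, not code from the bug report: the reproducer rebuilt with the
// standard WebAssembly API so it runs outside the SpiderMonkey shell.

// Unsigned LEB128, used for every count and section length in the binary format.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// A section is its id byte, the payload length, then the payload.
function section(id, body) {
  return [id, ...uleb(body.length), ...body];
}

// A vector is a count followed by its items (each item may itself be a byte list).
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

// Little-endian 32-bit bit pattern, the immediate form of f32.const.
function f32Bits(bits) {
  const b = new Uint8Array(4);
  new DataView(b.buffer).setUint32(0, bits, true);
  return [...b];
}

// Same module as the report's text form, with the NaN payload parameterised.
function buildModule(nanBits = 0x7f800042) {
  const TYPE = 1, FUNCTION = 3, TABLE = 4, EXPORT = 7, ELEMENT = 9, CODE = 10;
  const F32 = 0x7d, FUNCREF = 0x70;
  const funcType = [0x60, ...vec([]), ...vec([F32])];            // () -> f32
  const body = [...vec([]), 0x43, ...f32Bits(nanBits), 0x0b];     // no locals; f32.const; end
  const funcBody = [...uleb(body.length), ...body];
  const name = [...new TextEncoder().encode('table')];
  const bytes = [
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,              // magic + version 1
    ...section(TYPE, vec([funcType])),
    ...section(FUNCTION, vec([[0]])),                            // func 0 has type 0
    ...section(TABLE, vec([[FUNCREF, 0x00, ...uleb(10)]])),      // table 10 anyfunc (min only)
    ...section(EXPORT, vec([[...uleb(name.length), ...name, 0x01, 0x00]])), // (export "table") table 0
    ...section(ELEMENT, vec([[0x00, 0x41, 0x00, 0x0b, ...vec([[0]])]])),    // (elem (i32.const 0) $f)
    ...section(CODE, vec([funcBody])),
  ];
  return new Uint8Array(bytes);
}

// Instantiate and call the function through the table, exactly as the report does.
function callThroughTable(nanBits) {
  const bytes = buildModule(nanBits);
  if (!WebAssembly.validate(bytes)) throw new Error('constructed module failed validation');
  const { table } = new WebAssembly.Instance(new WebAssembly.Module(bytes)).exports;
  return table.get(0)();
}

// Regression-style check: both a canonical quiet NaN and the report's nan:0x42
// must come back as NaN from the table call instead of crashing the engine.
function check() {
  const quiet = callThroughTable(0x7fc00000);
  const payload = callThroughTable(0x7f800042);
  return Number.isNaN(quiet) && Number.isNaN(payload);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(check() ? 'ok: table call returned NaN' : 'unexpected: non-NaN result');
}
```

The exact NaN payload is not asserted on the JS side because engines may canonicalise NaNs when a value crosses into JS; what matters for this bug is that the call through the table stub completes at all, which is what the assertion failure in the report prevented.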
We should track this and get it into as many versions of Firefox as we can. While not sec-critical, it causes crashes that end up under wasm::Instance::callExport, which is our general bucket of wasm crashes. I think it's been there since bug 1422043, which implemented the lazy stubs.
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a42e724df88
Bind code labels when generating lazy table stubs; r=luke
https://hg.mozilla.org/mozilla-central/rev/5a42e724df88
Status: ASSIGNED → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
This grafts cleanly to Beta/ESR60 as-landed. Please request approval when you get a chance.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1422043

User impact if declined: Crashes in wasm code on 32-bit x86.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Very small patch.

String changes made/needed:
Flags: needinfo?(bbouvier)
Attachment #9025429 - Flags: approval-mozilla-beta?
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: See previous comment.

User impact if declined: 

Fix Landed on Version: 

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String or UUID changes made by this patch:
Attachment #9025429 - Flags: approval-mozilla-esr60?
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

wasm crash fix, approved for 64.0b11 and 60.4.0esr
Attachment #9025429 - Flags: approval-mozilla-esr60?
Attachment #9025429 - Flags: approval-mozilla-esr60+
Attachment #9025429 - Flags: approval-mozilla-beta?
Attachment #9025429 - Flags: approval-mozilla-beta+