Bug 1507564 (Closed) - Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767
Opened 6 years ago, closed 6 years ago
Categories: Core :: JavaScript: WebAssembly, defect
People: Reporter: bbouvier, Assigned: bbouvier
Attachments (1 file): text/x-phabricator-request, 47 bytes; flags: jcristau: approval-mozilla-beta+, jcristau: approval-mozilla-esr60+
Description • 6 years ago (Reporter, Assignee)
The following test case (reduced from a bigger one found by awsm) crashes the 32-bit x86 shells with "Assertion failure: !masm.numCodeLabels(), at /js/src/wasm/WasmCode.cpp:767".

    let i = new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
        (module
            (func $f (result f32)
                f32.const nan:0x42
            )
            (table (export "table") 10 anyfunc)
            (elem (i32.const 0) $f)
        )
    `))).exports;
    print(i.table.get(0)());

It's a null deref in opt builds, so keeping open. Patch incoming.
Comment 1 • 6 years ago (Assignee)
A lazy stub could generate CodeLabels on x86, because of a constant NaN generated for the entry's epilogue that ended up in a constant pool. We need to actually bind these code labels in general.
Comment 2 • 6 years ago (Assignee)
We should track this and get it into as many versions of Firefox as we can. While not sec-critical, it causes crashes that end up under wasm::Instance::callExport, which is our general bucket of wasm crashes. I think it's been there since bug 1422043, which implemented the lazy stubs.
Updated • 6 years ago
status-firefox63: --- → wontfix
status-firefox64: --- → affected
status-firefox65: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox-esr60: --- → 64+
Comment 3 • 6 years ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5a42e724df88
Bind code labels when generating lazy table stubs; r=luke
Comment 4 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5a42e724df88
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 5 • 6 years ago
This grafts cleanly to Beta/ESR60 as-landed. Please request approval when you get a chance.
Flags: needinfo?(bbouvier)
Flags: in-testsuite+
Comment 6 • 6 years ago (Assignee)
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1422043
User impact if declined: Crashes in wasm code on x86 32 bits.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Very small patch.
String changes made/needed:
Flags: needinfo?(bbouvier)
Attachment #9025429 - Flags: approval-mozilla-beta?
Comment 7 • 6 years ago (Assignee)
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: See previous comment.
User impact if declined:
Fix Landed on Version:
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky):
String or UUID changes made by this patch:
Attachment #9025429 - Flags: approval-mozilla-esr60?
Comment 8 • 6 years ago
Comment on attachment 9025429 [details]
Bug 1507564: Bind code labels when generating lazy table stubs; r?luke

wasm crash fix, approved for 64.0b11 and 60.4.0esr
Attachment #9025429 - Flags: approval-mozilla-esr60?
Attachment #9025429 - Flags: approval-mozilla-esr60+
Attachment #9025429 - Flags: approval-mozilla-beta?
Attachment #9025429 - Flags: approval-mozilla-beta+
Comment 9 • 6 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-esr60/rev/60619cc47b10
Comment 10 • 6 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/f6a1e485be9a