Crash in [@ js::wasm::CompileStreaming]
Categories
(Core :: JavaScript Engine, defect, critical)
Tracking
()
People
(Reporter: marcia, Assigned: luke)
References
()
Details
(Keywords: crash, regression, reproducible)
Crash Data
Attachments
(1 file)
4.01 KB,
patch
|
bbouvier
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug is for crash report bp-68fa5cd1-00f3-419b-a3bd-eda8e0190220.
Seen while looking at nightly crash stats, but doesn't appear to be new to 67: https://bit.ly/2GTNJKD. 23 crashes/8 installs on nightly in the last 7 days.
The crash reason is MOZ_RELEASE_ASSERT(mIsSome)
This crash is reproducible using this site: https://rustwasm.github.io/wasm-bindgen/exbuild/webgl/
Top 9 frames of crashing thread:
0 XUL js::wasm::CompileStreaming mfbt/Maybe.h:494
1 XUL CompileStreamTask::execute js/src/wasm/WasmJS.cpp:3368
2 XUL js::HelperThread::handlePromiseHelperTaskWorkload js/src/vm/HelperThreads.cpp:2001
3 XUL js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2463
4 XUL js::detail::ThreadTrampoline<void js/src/threading/Thread.h:239
5 @0x7fff60fd62ea
6 @0x7fff60fd9248
7 @0x7fff60fd540c
8 XUL XUL@0x572636f
Comment 1•10 months ago
|
||
https://github.com/rustwasm/wasm-bindgen/blob/gh-pages/exbuild/webgl/90181a3120a9933288c1.module.wasm + the following makes it trivial to trigger assertions in a debug build:
var file = os.file.readFile('./90181a3120a9933288c1.module.wasm', 'binary');
WebAssembly.compileStreaming(file);
drainJobQueue();
Seems to be Luke's territory :)
![]() |
Assignee | |
Comment 2•10 months ago
|
||
Arg, StartsCodeSection()=true and DecodeModuleEnvironment()=true doesn't imply that a code section was actually decoded: if there is an unexpected section before the code section in the module environment, then DecodeModuleEnvironment() will just stop. Simple fix, though.
Comment 3•10 months ago
|
||
Comment on attachment 9045793 [details] [diff] [review] fix-streaming Review of attachment 9045793 [details] [diff] [review]: ----------------------------------------------------------------- Nice!
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/191134cfd07c Baldr: detect invalid section before code section during streaming compilation (r=bbouvier)
Comment 5•10 months ago
|
||
bugherder |
Comment 6•10 months ago
|
||
Please nominate this for Beta approval if you feel it's reasonable to do so.
![]() |
Assignee | |
Comment 7•10 months ago
|
||
Comment on attachment 9045793 [details] [diff] [review]
fix-streaming
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: Bug 1347644
- User impact if declined: Potential crash on malformed .wasm files
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's a simple problem and fix.
- String changes made/needed:
Comment 8•10 months ago
|
||
Comment on attachment 9045793 [details] [diff] [review] fix-streaming Fix for a low volume crash, looks safe enough, has test coverage. OK for uplift to beta 12.
Comment 9•10 months ago
|
||
bugherderuplift |
Description
•