Closed Bug 1529349 Opened 10 months ago Closed 10 months ago

Crash in [@ js::wasm::CompileStreaming]

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed
firefox67 --- fixed

People

(Reporter: marcia, Assigned: luke)

References

()

Details

(Keywords: crash, regression, reproducible)

Crash Data

Attachments

(1 file)

This bug is for crash report bp-68fa5cd1-00f3-419b-a3bd-eda8e0190220.

Seen while looking at nightly crash stats, but doesn't appear to be new to 67: https://bit.ly/2GTNJKD. 23 crashes/8 installs on nightly in the last 7 days.

The crash reason is MOZ_RELEASE_ASSERT(mIsSome)

This crash is reproducible using this site: https://rustwasm.github.io/wasm-bindgen/exbuild/webgl/

Top 9 frames of crashing thread:

0 XUL js::wasm::CompileStreaming mfbt/Maybe.h:494
1 XUL CompileStreamTask::execute js/src/wasm/WasmJS.cpp:3368
2 XUL js::HelperThread::handlePromiseHelperTaskWorkload js/src/vm/HelperThreads.cpp:2001
3 XUL js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2463
4 XUL js::detail::ThreadTrampoline<void  js/src/threading/Thread.h:239
5  @0x7fff60fd62ea 
6  @0x7fff60fd9248 
7  @0x7fff60fd540c 
8 XUL XUL@0x572636f 

https://github.com/rustwasm/wasm-bindgen/blob/gh-pages/exbuild/webgl/90181a3120a9933288c1.module.wasm + the following makes it trivial to trigger assertions in a debug build:

var file = os.file.readFile('./90181a3120a9933288c1.module.wasm', 'binary');
WebAssembly.compileStreaming(file);
drainJobQueue();

Seems to be Luke's territory :)

Attached patch fix-streamingSplinter Review

Arg, StartsCodeSection()=true and DecodeModuleEnvironment()=true doesn't imply that a code section was actually decoded: if there is an unexpected section before the code section in the module environment, then DecodeModuleEnvironment() will just stop. Simple fix, though.

Assignee: nobody → luke
Attachment #9045793 - Flags: review?(bbouvier)
Comment on attachment 9045793 [details] [diff] [review]
fix-streaming

Review of attachment 9045793 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!
Attachment #9045793 - Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/191134cfd07c
Baldr: detect invalid section before code section during streaming compilation (r=bbouvier)
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Please nominate this for Beta approval if you feel it's reasonable to do so.

Flags: needinfo?(luke)
Flags: in-testsuite+

Comment on attachment 9045793 [details] [diff] [review]
fix-streaming

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: Bug 1347644
  • User impact if declined: Potential crash on malformed .wasm files
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It's a simple problem and fix.
  • String changes made/needed:
Flags: needinfo?(luke)
Attachment #9045793 - Flags: approval-mozilla-beta?
Comment on attachment 9045793 [details] [diff] [review]
fix-streaming

Fix for a low volume crash, looks safe enough, has test coverage. 
OK for uplift to beta 12.
Attachment #9045793 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.