Closed Bug 1565301 Opened 6 years ago Closed 6 years ago

Assertion failure: lineOrBytecode == lineOrBytecode_, at js/src/wasm/WasmTypes.h:1743

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision ad05396bfeed (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

evaluate(`
  offThreadCompileScript("\\
    g = (function(t,foreign){\\
        \\"use asm\\";\\
        var ff = foreign.ff;\\
        function f() {\\
            +ff()\\
        }\\
        return f\\
", { lineNumber: (4294967295)});
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  js::wasm::CallSiteDesc::CallSiteDesc (this=<optimized out>, lineOrBytecode=<optimized out>, kind=<optimized out>) at js/src/wasm/WasmTypes.h:1743
#1  0x0000555556537fa8 in (anonymous namespace)::FunctionCompiler::callImport (def=<synthetic pointer>, funcType=..., call=..., lineOrBytecode=<optimized out>, globalDataOffset=0, this=0x7ffff5cfa4c0) at js/src/wasm/WasmIonCompile.cpp:1079
#2  EmitCall (f=..., asmJSFuncDef=asmJSFuncDef@entry=false) at js/src/wasm/WasmIonCompile.cpp:2010
#3  0x000055555653edc4 in EmitBodyExprs (f=...) at js/src/wasm/WasmIonCompile.cpp:3388
#4  js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff4cf0780, error=error@entry=0x0) at js/src/wasm/WasmIonCompile.cpp:4180
#5  0x000055555654166e in ExecuteCompileTask (task=0x7ffff4cf03d8, error=0x0) at js/src/wasm/WasmGenerator.cpp:736
#6  0x00005555565420bc in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7ffff5cfb530) at js/src/wasm/WasmGenerator.cpp:775
#7  js::wasm::ModuleGenerator::finishFuncDefs (this=this@entry=0x7ffff5cfb530) at js/src/wasm/WasmGenerator.cpp:904
#8  0x00005555565056fe in ModuleValidator<char16_t>::finish (this=this@entry=0x7ffff5cfc7f0) at js/src/wasm/AsmJS.cpp:2159
#9  0x00005555564c5815 in CheckModule<char16_t> (cx=<optimized out>, parser=..., stmtList=stmtList@entry=0x7ffff4cd3210, time=time@entry=0x7ffff5cfcd14) at js/src/wasm/AsmJS.cpp:6413
#10 0x00005555564c6470 in DoCompileAsmJS<char16_t> (validated=0x7ffff5cfcdd7, stmtList=0x7ffff4cd3210, parser=..., cx=<optimized out>) at js/src/wasm/AsmJS.cpp:7084
#11 js::CompileAsmJS (cx=<optimized out>, parser=..., stmtList=0x7ffff4cd3210, validated=validated@entry=0x7ffff5cfcdd7) at js/src/wasm/AsmJS.cpp:7122
#12 0x0000555555f19bde in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS (this=0x7ffff5cff418, list=<optimized out>) at js/src/frontend/Parser.cpp:3328
#13 0x0000555555f6f8d8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7ffff5cff418, yieldHandling=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3497
#14 0x0000555555f736c5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::FunctionSyntaxKind::Expression, type=type@entry=js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::StatementListBody) at js/src/frontend/Parser.cpp:1879
#15 0x0000555555f73f48 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funNode=funNode@entry=0x7ffff5cfd058, kind=kind@entry=js::frontend::FunctionSyntaxKind::Expression, parameterListEnd=..., isStandaloneFunction=false) at js/src/frontend/Parser.cpp:3040
#16 0x0000555555f74493 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunctionForFunctionBox (this=this@entry=0x7ffff5cff418, funNode=<optimized out>, funNode@entry=0x7ffff4cd3090, outerpc=outerpc@entry=0x7ffff5cfe6d0, funbox=funbox@entry=0x7ffff4cd30d0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, newDirectives=0x7ffff5cfd5e8) at js/src/frontend/Parser.cpp:2787
#17 0x0000555555f745fb in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunction (this=this@entry=0x7ffff5cff418, funNode=0x7ffff4cd3090, outerpc=0x7ffff5cfe6d0, fun=fun@entry=..., toStringStart=toStringStart@entry=9, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff5cfd5e8) at js/src/frontend/Parser.cpp:2821
#18 0x0000555555f6298c in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (this=this@entry=0x7ffff5cff418, funNode=funNode@entry=0x7ffff5cfd5d8, fun=..., toStringStart=toStringStart@entry=9, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false, inheritedDirectives=..., newDirectives=0x7ffff5cfd5e8) at js/src/frontend/Parser.cpp:2731
#19 0x0000555555f62dd4 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction (newDirectives=0x7ffff5cfd5e8, inheritedDirectives=..., tryAnnexB=<optimized out>, asyncKind=js::FunctionAsyncKind::SyncFunction, generatorKind=js::GeneratorKind::NotGenerator, kind=js::frontend::FunctionSyntaxKind::Expression, yieldHandling=js::frontend::YieldIsName, inHandling=js::frontend::InAllowed, toStringStart=9, fun=..., funNode=0x7ffff5cfd5d8, this=0x7ffff5cff418) at js/src/frontend/Parser.cpp:2767
#20 js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition (this=this@entry=0x7ffff5cff418, funNode=<optimized out>, toStringStart=toStringStart@entry=9, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=js::frontend::FunctionSyntaxKind::Expression, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::FunctionAsyncKind::SyncFunction, tryAnnexB=false) at js/src/frontend/Parser.cpp:2622
#21 0x0000555555f6386a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionExpr (this=this@entry=0x7ffff5cff418, toStringStart=9, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked, asyncKind=asyncKind@entry=js::FunctionAsyncKind::SyncFunction) at js/src/frontend/Parser.cpp:3262
#22 0x0000555555f6a19e in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::primaryExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=<optimized out>, possibleError=possibleError@entry=0x7ffff5cfdbe0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:10380
#23 0x0000555555f6a58a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, tt=<optimized out>, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x7ffff5cfdbe0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8976
#24 0x0000555555f6b5e3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfdbe0, invoked=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8767
#25 0x0000555555f6b923 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::orExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfdbe0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8182
#26 0x0000555555f6bdee in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::condExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfdbe0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8260
#27 0x0000555555f63c4b in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::assignExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8409
#28 0x0000555555f647da in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::expr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=invoked@entry=js::frontend::ParserBase::PredictInvoked) at js/src/frontend/Parser.cpp:8036
#29 0x0000555555f6583f in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::exprInParens (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotAllowed, possibleError=possibleError@entry=0x7ffff5cfe1c0) at js/src/frontend/Parser.cpp:10568
#30 0x0000555555f6a107 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::primaryExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=<optimized out>, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:10420
#31 0x0000555555f6a58a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, tt=<optimized out>, allowCallSyntax=allowCallSyntax@entry=true, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8976
#32 0x0000555555f6b5e3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8767
#33 0x0000555555f6b923 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::orExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8182
#34 0x0000555555f6bdee in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::condExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x7ffff5cfe1c0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8260
#35 0x0000555555f63c4b in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::assignExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8409
#36 0x0000555555f6425f in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::assignExpr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8565
#37 0x0000555555f647da in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::expr (this=this@entry=0x7ffff5cff418, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, tripledotHandling=tripledotHandling@entry=js::frontend::TripledotProhibited, possibleError=possibleError@entry=0x0, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:8036
#38 0x0000555555f655bb in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::expressionStatement (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, invoked=invoked@entry=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:5510
#39 0x0000555555f6ea8d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7925
#40 0x0000555555f6f85d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList (this=this@entry=0x7ffff5cff418, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3475
#41 0x0000555555f7312a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::globalBody (this=0x7ffff5cff418, globalsc=globalsc@entry=0x7ffff5cffb60) at js/src/frontend/Parser.cpp:1446
#42 0x0000555555fa762a in js::frontend::ScriptCompiler<char16_t>::compileScript (this=this@entry=0x7ffff5cfeec0, info=..., environment=..., environment@entry=..., sc=sc@entry=0x7ffff5cffb60) at js/src/frontend/BytecodeCompiler.cpp:531
#43 0x0000555555f9a664 in CreateGlobalScript<char16_t> (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x7ffff5cffa50) at js/src/frontend/BytecodeCompiler.cpp:208
#44 0x0000555555f9a80a in js::frontend::CompileGlobalScript (info=..., srcBuf=..., sourceObjectOut=sourceObjectOut@entry=0x7ffff5cffa50) at js/src/frontend/BytecodeCompiler.cpp:220
#45 0x0000555555b40f28 in ScriptParseTask<char16_t>::parse (this=0x7ffff5f7a580, cx=<optimized out>) at js/src/vm/HelperThreads.cpp:549
#46 0x0000555555b16505 in js::ParseTask::runTask (this=0x7ffff5f7a580) at js/src/vm/HelperThreads.cpp:513
[...]
#53 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rip	0x5555564d0a59 <js::wasm::CallSiteDesc::CallSiteDesc(unsigned int, js::wasm::CallSiteDesc::Kind)+169>
=> 0x5555564d0a59 <js::wasm::CallSiteDesc::CallSiteDesc(unsigned int, js::wasm::CallSiteDesc::Kind)+169>:	movl   $0x0,0x0
   0x5555564d0a64 <js::wasm::CallSiteDesc::CallSiteDesc(unsigned int, js::wasm::CallSiteDesc::Kind)+180>:	ud2

This might be a shell-only problem with evaluate.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0ad1cee5c7d8
user: Luke Wagner
date: Thu Jan 28 11:20:13 2016 -0600
summary: Bug 1243633 - Odin: switch to lineOrBytecode from line/column (r=bbouvier)

Luke/Benjamin, is bug 1243633 a likely regressor?

Type: -- → defect
Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
Regressed by: 1243633
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

This is due to an implementation detail of the IonMonkey backend, which stores
call sites' bytecode numbers in 29 bits, for packing purposes. The wasm baseline
compiler doesn't have this issue because it stores them in 32 bits. Check it to
avoid an easy browser DOS.

I've made a patch that checks these offsets, since it's an easy way to DOS the browser. Discuss.

Flags: needinfo?(luke)
Flags: needinfo?(bbouvier)
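An added illustration of the packing problem described in the comment above (example code written for this page, not SpiderMonkey's CallSiteDesc or the landed patch): a 29-bit bit-field silently keeps only the low 29 bits of a 32-bit line number, which is exactly what the debug assertion lineOrBytecode == lineOrBytecode_ catches and what a release build would not. The checked constructor and the asm.js line-number check are assumptions about how such a value should be validated up front; the exact form of the real fix is not shown on the page.

```cpp
#include <cstdint>

// Illustrative model of a packed call-site descriptor (added example, not
// SpiderMonkey's code). The line/bytecode number shares one 32-bit word with a
// small "kind" tag, so only 29 bits are available for it.
constexpr unsigned kLineOrBytecodeBits = 29;
constexpr uint32_t kMaxLineOrBytecode = (1u << kLineOrBytecodeBits) - 1;  // 536870911
constexpr uint32_t kMaxKind = (1u << (32 - kLineOrBytecodeBits)) - 1;     // 7

struct PackedCallSiteDesc {
    uint32_t lineOrBytecode_ : kLineOrBytecodeBits;
    uint32_t kind_ : 32 - kLineOrBytecodeBits;
};

// Unchecked store followed by a read-back. Assigning to an unsigned bit-field
// keeps only the low 29 bits, so an out-of-range input comes back changed:
// this is the condition the debug-only assertion catches, and the value a
// release build would silently use.
uint32_t roundTrip(uint32_t lineOrBytecode) {
    PackedCallSiteDesc d{};
    d.lineOrBytecode_ = lineOrBytecode;
    d.kind_ = 0;
    return d.lineOrBytecode_;
}

// Checked construction: refuse values that would be truncated instead of
// relying on an assertion that is compiled out of release builds.
bool tryMakeCallSiteDesc(uint32_t lineOrBytecode, uint32_t kind, PackedCallSiteDesc* out) {
    if (lineOrBytecode > kMaxLineOrBytecode || kind > kMaxKind) {
        return false;
    }
    out->lineOrBytecode_ = lineOrBytecode;
    out->kind_ = kind;
    return true;
}

// Convenience wrapper for the check: returns the stored field value, or
// UINT32_MAX when the input was rejected (rejected inputs are always larger
// than kMaxLineOrBytecode, so the sentinel cannot collide with a stored value).
uint32_t checkedStore(uint32_t lineOrBytecode, uint32_t kind) {
    PackedCallSiteDesc d{};
    if (!tryMakeCallSiteDesc(lineOrBytecode, kind, &d)) {
        return UINT32_MAX;
    }
    return d.lineOrBytecode_;
}

// Front-end check in the spirit of "disallow too large line numbers for
// asm.js" (assumption: the real check's form is not on the page). An asm.js
// call site records its source line, i.e. the script's starting line plus the
// call's line offset inside the module; the sum is computed in 64 bits so a
// wrapped 32-bit addition cannot sneak a small value past the limit.
bool asmJSLineNumberFits(uint32_t scriptStartLine, uint32_t lineOffsetInModule) {
    uint64_t line = static_cast<uint64_t>(scriptStartLine) + lineOffsetInModule;
    return line <= kMaxLineOrBytecode;
}
```

With the testcase's lineNumber of 4294967295, roundTrip returns 536870911, which is why the assertion fires in the debug build; asmJSLineNumberFits rejects that script before any descriptor is built.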

Is this patch ready to land?

Flags: needinfo?(luke)

I assume it is, yes.

Flags: needinfo?(luke)
Attachment #9077643 - Attachment description: Bug 1565301: Check bytecode offsets when decoding wasm calls; r?luke → Bug 1565301: Disallow too large line numbers for asm.js; r=luke
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/11a9758d17c3 Disallow too large line numbers for asm.js; r=luke
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Is there a user impact which justifies Beta uplift consideration here or can this ride the trains?

Flags: needinfo?(bbouvier)
Flags: in-testsuite+

My understanding is that this will just show incorrect line numbers in error traces, in production builds, for asm.js scripts whose first line starts at 2**28, so it's fine to let it ride the trains.

Flags: needinfo?(bbouvier)
Has Regression Range: --- → yes