Closed Bug 1608839 Opened 4 years ago Closed 4 years ago

Assertion failure: baseline || ion || cranelift, at wasm/WasmCompile.cpp:139

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: decoder, Assigned: lth)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

Bug 1608839 - Guard against disabling all wasm compilers. r?decoder
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200107-e728bf01a2b6 (build with (buildFlags not available), run with --fuzzing-safe --no-threads):

try {
    let module = new WebAssembly.Module();
} catch (exc) {}
setJitCompilerOption('wasm.baseline', 0);
setJitCompilerOption('wasm.ion', 0);
WebAssembly.instantiate(new Uint8Array(1).buffer);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555567f93dc in js::wasm::CompileArgs::build(JSContext*, js::wasm::ScriptedCaller&&) ()
#0  0x00005555567f93dc in js::wasm::CompileArgs::build(JSContext*, js::wasm::ScriptedCaller&&) ()
#1  0x00005555568e348c in CompileBufferTask::init(JSContext*, char const*) ()
#2  0x00005555568e2723 in WebAssembly_instantiate(JSContext*, unsigned int, JS::Value*) ()
#3  0x00005555558f07b2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#14 0x0000555555772d8a in main ()
rax	0x555556fcd84b	93825019992139
rbx	0x7ffff5e27000	140737318645760
rcx	0x555557f1d838	93825036048440
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffb970	140737488337264
rsp	0x7fffffffb920	140737488337184
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f98d00	140737353714944
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x0	0
r13	0x0	0
r14	0x0	0
r15	0x7fffffffba01	140737488337409
rip	0x5555567f93dc <js::wasm::CompileArgs::build(JSContext*, js::wasm::ScriptedCaller&&)+844>
=> 0x5555567f93dc <_ZN2js4wasm11CompileArgs5buildEP9JSContextONS0_14ScriptedCallerE+844>:	movl   $0x8b,0x0
   0x5555567f93e7 <_ZN2js4wasm11CompileArgs5buildEP9JSContextONS0_14ScriptedCallerE+855>:	callq  0x5555557f7fc2 <abort>

This is a shell-only problem that likely just needs to be fixed in setJitCompilerOption so not all JITs can be turned off for WebAssembly.

Yes, sounds about right.

Assignee: nobody → lhansen

If a script is trying to disable a compiler and that is the last compiler enabled, then throw.

Status: NEW → ASSIGNED
Priority: -- → P3
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/74e4bc39fbb1
Guard against disabling all wasm compilers.  r=decoder

https://hg.mozilla.org/mozilla-central/rev/74e4bc39fbb1

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox74: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: