1628429 - Assertion failure: results_.length() == 1, at wasm/WasmTypes.h:1058

Status: VERIFIED FIXED

(Core :: JavaScript: WebAssembly, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20200408-6663d3dc883b (build with --enable-debug, run with --fuzzing-safe --no-threads test.js):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x00005555567edfc6 in js::wasm::MaybeGetBuiltinThunk(JSFunction*, js::wasm::FuncType const&) ()
#0  0x00005555567edfc6 in js::wasm::MaybeGetBuiltinThunk(JSFunction*, js::wasm::FuncType const&) ()
#1  0x000055555687ae77 in js::wasm::Instance::Instance(...) ()
#2  0x00005555568d3f66 in js::wasm::Instance* js::MallocProvider<JSContext>::new_(...) ()
#3  0x00005555568d3507 in js::WasmInstanceObject::create(...) ()
#4  0x00005555568cbcfe in js::wasm::Module::instantiate(JSContext*, js::wasm::ImportValues&, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) const ()
#5  0x00005555568d466f in js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*) ()
#6  0x0000555555904ef2 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#18 0x000055555578827d in main ()
rax	0x555556fe2389	93825020076937
rbx	0x7ffff5e83560	140737319023968
rcx	0x555557f46850	93825036216400
rdx	0x0	0
rsi	0x7ffff6efd770	140737336301424
rdi	0x7ffff6efc540	140737336296768
rbp	0x7fffffffb440	140737488335936
rsp	0x7fffffffb420	140737488335904
r8	0x7ffff6efd770	140737336301424
r9	0x7ffff7f9bd00	140737353727232
r10	0x58	88
r11	0x7ffff6ba47a0	140737332791200
r12	0x7ffff5e835c0	140737319024064
r13	0x147de0baff00	22530873818880
r14	0x0	0
r15	0x0	0
rip	0x5555567edfc6 <js::wasm::MaybeGetBuiltinThunk(JSFunction*, js::wasm::FuncType const&)+694>
=> 0x5555567edfc6 <_ZN2js4wasm20MaybeGetBuiltinThunkEP10JSFunctionRKNS0_8FuncTypeE+694>:	movl   $0x422,0x0
   0x5555567edfd1 <_ZN2js4wasm20MaybeGetBuiltinThunkEP10JSFunctionRKNS0_8FuncTypeE+705>:	callq  0x555555814706 <abort>

Comment 1

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 2

[Andy Wingo [:wingo]]

One-file reproducer:

let bytes = wasmTextToBinary(`
   (module
     (func $f (import "imports" "f") (param i32 i32) (result i32 i32)))`);

new WebAssembly.Instance(new WebAssembly.Module(bytes),
                         { 'imports': { 'f': Uint16Array } });

Comment 3

[Andy Wingo [:wingo]]

An easy fix, will get it tomorrow morning. Thanks!

Comment 4

[Andy Wingo [:wingo]]

Attachment: Bug 1628429 - Remove single-result-type accesor on FuncType and adapt callers

Comment 5

[Pulsebot]

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b3f620eef719
Remove single-result-type accesor on FuncType and adapt callers r=bbouvier

Comment 6

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/b3f620eef719

Comment 7

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
The bug appears to have been fixed in the following build range:
> Start: 280c84604ac05aff9091684f045106fee7268116 (20200410100829)
> End: 82d84da94d8dfcb8bf0cca8d569d8daa9cc9cb73 (20200410213700)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=280c84604ac05aff9091684f045106fee7268116&tochange=82d84da94d8dfcb8bf0cca8d569d8daa9cc9cb73

Comment 8

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.