Closed Bug 1681864 Opened 5 years ago Closed 5 years ago

Assertion failure during Wasm exception object initialization

Categories

(Core :: JavaScript: WebAssembly, defect)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox83 --- unaffected
firefox84 --- unaffected
firefox85 --- disabled
firefox86 --- fixed

People

(Reporter: asumu, Assigned: asumu)

Details

(Keywords: assertion, crash)

Attachments

(2 files)

0001-Crashing-test-case-for-event-type-export.patch
1.33 KB, patch
Details | Diff | Splinter Review
Bug 1681864 - Fix Wasm EventDesc type representation.
47 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0

Steps to reproduce:

The attached patch contains a test case for the import-export.js jit-test for Wasm exceptions that triggers a crash due to an assertion failure.

Actual results:

There's a crash because the exception object instantiation needs the EventDesc type, but this access is outside the lifetime of the ValTypeVector pointer that's stored in the type.

Keywords: assertion, crash
Version: Firefox 85 → unspecified

Revise the type representation of exception argument types
in EventDesc. This avoids the ValTypeVector pointer in ResultType
from being used out of its lifetime in instantiating event
exports from Wasm modules.

Assignee: nobody → asumu

I've attached a possible patch for fixing this, which uses a representation from an old version of https://phabricator.services.mozilla.com/D96681. It avoids the pointer lifetime issue by keeping a copying the FuncType args in the EventDesc instead of keeping the pointer.

I couldn't think of a good way to fix this while keeping the ResultType representation, but if anyone has suggestions for that I would be happy to revise the patch too.

Pushed by cbrindusan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f06ed1eef17d Fix Wasm EventDesc type representation. r=rhunt

https://hg.mozilla.org/mozilla-central/rev/f06ed1eef17d

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
status-firefox86: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

The patch landed in nightly and beta is affected.
:asumu, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(asumu)

What is this status_beta field of which you speak?

As I understand it, this experimental code is nightly-only and additionally behind a flag. Beta should not be affected.

status-firefox85: affecteddisabled
Flags: needinfo?(asumu)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: