Crash [@ WasmFunctionCreate] or Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at dist/include/mozilla/RefPtr.h:315
Categories
(Core :: JavaScript: WebAssembly, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox92 | --- | unaffected |
| firefox93 | --- | disabled |
| firefox94 | --- | verified |
People
(Reporter: decoder, Assigned: Ms2ger)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20210906-1b49e7328ae4 (opt build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments --wasm-compiler=optimized):
a = newGlobal();
a.top = this;
a.eval("var dbg = new Debugger(top)");
new WebAssembly.Function({
parameters: [],
results: []
}, b => b);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555555a6b630 in WasmFunctionCreate(JSContext*, JS::Handle<JSFunction*>, mozilla::Vector<js::wasm::PackedType<js::wasm::ValTypeTraits>, 16ul, js::SystemAllocPolicy>&&, mozilla::Vector<js::wasm::PackedType<js::wasm::ValTypeTraits>, 16ul, js::SystemAllocPolicy>&&, JS::Handle<JSObject*>) ()
#1 0x0000555555a6c40d in WasmFunctionConstruct(JSContext*, unsigned int, JS::Value*) ()
#2 0x0000555555c76984 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) ()
[...]
#8 0x0000555556010e13 in main ()
rax 0x0 0
rbx 0x0 0
rcx 0x3 3
rdx 0x7ffff6c00ca0 140737333169312
rsi 0x0 0
rdi 0x7ffff6c00ca0 140737333169312
rbp 0x7fffffffc090 140737488339088
rsp 0x7fffffffaf00 140737488334592
r8 0x0 0
r9 0x7ffff4dc6c80 140737301474432
r10 0x13 19
r11 0x7ffff4dc6c00 140737301474304
r12 0x7ffff6018000 140737320681472
r13 0x7fffffffc180 140737488339328
r14 0x7fffffffaff0 140737488334832
r15 0x7fffffffc218 140737488339480
rip 0x555555a6b630 <WasmFunctionCreate(JSContext*, JS::Handle<JSFunction*>, mozilla::Vector<js::wasm::PackedType<js::wasm::ValTypeTraits>, 16ul, js::SystemAllocPolicy>&&, mozilla::Vector<js::wasm::PackedType<js::wasm::ValTypeTraits>, 16ul, js::SystemAllocPolicy>&&, JS::Handle<JSObject*>)+144>
=> 0x555555a6b630 <_Z18WasmFunctionCreateP9JSContextN2JS6HandleIP10JSFunctionEEON7mozilla6VectorIN2js4wasm10PackedTypeINS9_13ValTypeTraitsEEELm16ENS8_17SystemAllocPolicyEEESF_NS2_IP8JSObjectEE+144>: mov 0x28(%rax),%rcx
0x555555a6b634 <_Z18WasmFunctionCreateP9JSContextN2JS6HandleIP10JSFunctionEEON7mozilla6VectorIN2js4wasm10PackedTypeINS9_13ValTypeTraitsEEELm16ENS8_17SystemAllocPolicyEEESF_NS2_IP8JSObjectEE+148>: mov 0x30(%rax),%rax
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
NPE in WebAssembly.Function
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 4•3 years ago
|
||
I'm not fully available today, but trying to take a look
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 6•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210906131454-688786b894d8.
Failed to bisect testcase (Unable to launch the start build!):
Start: ca131344e7fcf46f50e09bea63141d2578f18b7b (20200907214307)
End: 1b49e7328ae43c6565d167f4c391430575097fd3 (20210906031657)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f655a49fb58f Add missing null check in WasmFunctionCreate; r=lth
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210907214756-2bd46b2573e6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
||
Comment 10•3 years ago
|
||
That looks like a safe potential uplift, do you want to request an uplift to 93 beta? Thanks
|
|
Assignee | |
Comment 11•3 years ago
|
||
I could, but this code is behind a compile flag (--enable-wasm-type-reflections) that's off by default outside nightly. Let me know if I should.
|
|
||
Comment 12•3 years ago
|
||
(In reply to :Ms2ger (he/him; ⌚ UTC+1/+2) from comment #11)
I could, but this code is behind a compile flag (
--enable-wasm-type-reflections) that's off by default outside nightly. Let me know if I should.
Thanks for the extra context, if this is behind a nightly-only compile flag, then no need to uplift indeed.
|
||
Updated•3 years ago
|
Description
•