Assertion failure: isSome(), at dist/include/mozilla/Maybe.h:782 with WebAssembly
Categories
(Core :: JavaScript: WebAssembly, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox93 | --- | unaffected |
| firefox94 | --- | unaffected |
| firefox95 | --- | verified |
People
(Reporter: decoder, Assigned: lth)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed])
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 20211019-1e37fc4a7f53 (build with debug, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off test.js).
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557d1a592 in EmitWait((anonymous namespace)::FunctionCompiler&, js::wasm::PackedType<js::wasm::ValTypeTraits>, unsigned int) ()
#1 0x0000555557cd7917 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) ()
#2 0x0000555557ccd2d8 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#3 0x0000555557c9ab33 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4 0x0000555557c9be3a in js::wasm::ModuleGenerator::finishFuncDefs() ()
#5 0x0000555557c78640 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#6 0x0000555557c78268 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#7 0x0000555557ce6eb2 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000555556c2aea1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
#9 0x0000555556c3a265 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ()
[...]
Marking s-s because the assertion guards against use of uninitialized memory.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
(missing testcase)
|
|
Reporter | |
Comment 3•3 years ago
|
||
|
Assignee | |
Comment 4•3 years ago
|
||
A general problem in WasmIonCompile.cpp where a predicate is not guarded properly. I'll assess the impact of this after fixing it but in general it's probably pretty benign.
|
|
Assignee | |
Comment 5•3 years ago
|
||
This is benign and can be opened (see comment on patch). In a release build, there won't be an assert but the opcode will be rejected subsequently and the program will not be run. Even though there may be a wild pointer here, no information will leak and no memory overwrite will occur.
|
|
Reporter | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
The isMem32 predicate assumes that there's a memory present (and this
is the right thing), but sometimes we must call isMem32 before we've
checked for the presence of a memory, this is a consequence of the
structure of the compiler. Introduce a new predicate for these
situations and use it as appropriate.
Only Ion is affected, baseline already has the necessary guard in all
the required situations.
The missing test was an oversight - I introduced tests like these for
the memory instructions previously, but I forgot wait and notify.
|
||
Comment 7•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211019095357-4185629111d3.
The bug appears to have been introduced in the following build range:
Start: e2b5e618de42b6de694ca95e75e9bd442c2ff9ff (20211018093031)
End: 80388e7f335c78b1926f0e5eb258cb881d1f7a1d (20211018100215)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e2b5e618de42b6de694ca95e75e9bd442c2ff9ff&tochange=80388e7f335c78b1926f0e5eb258cb881d1f7a1d
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3f4457072146 Guard isMem32 when we don't yet know if there's a memory. r=jseward
|
||
Comment 9•3 years ago
|
||
:lth, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
||
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
| bugherder | ||
|
|
||
Comment 11•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211021054209-54672b7d3f45.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 12•3 years ago
|
||
Set release status flags based on info from the regressing bug 1727084
Description
•