Crash [@ js::wasm::Instance::structNew(js::wasm::Instance*, void*)]
Categories
(Core :: JavaScript: WebAssembly, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox94 | --- | unaffected |
| firefox95 | --- | unaffected |
| firefox96 | --- | fixed |
People
(Reporter: decoder, Assigned: rhunt)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect])
Crash Data
Attachments
(4 files)
The following testcase crashes on mozilla-central revision 20211123-71332992f78f (debug build, run with --fuzzing-safe --ion-offthread-compile=off --wasm-function-references --wasm-gc):
function processWat(c) {
binary = wasmTextToBinary(c)
d = new WebAssembly.Module(binary)
return new WebAssembly.Instance(d)
}
gczeal(14,10)
let { createA } = processWat(`
(module (type $a (struct))
(global $e (rtt $a) rtt.canon $a)
(func
(export "createA")
(result eqref)
global.get $e
struct.new_with_rtt $a
))
`).exports;
createA();
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555557ce2e8a in js::wasm::Instance::structNew(js::wasm::Instance*, void*) ()
#1 0x0000254410abb613 in ?? ()
[...]
#10 0x0000000000000000 in ?? ()
rax 0x33a828900000 56797328048128
rbx 0x33a828975000 56797328527360
rcx 0x7fffffffbe01 140737488338433
rdx 0x1 1
rsi 0x33a828975078 56797328527480
rdi 0x7ffff6047200 140737320874496
rbp 0x7fffffffb950 140737488337232
rsp 0x7fffffffb920 140737488337184
r8 0xffffd55555908c78 -46912492237704
r9 0xffffd55555908c68 -46912492237720
r10 0x7fffffffbad0 140737488337616
r11 0x7ffff6071670 140737321047664
r12 0x7fffffffb9d8 140737488337368
r13 0x7ffff4a8a0a8 140737298079912
r14 0x7ffff6071670 140737321047664
r15 0x0 0
rip 0x555557ce2e8a <js::wasm::Instance::structNew(js::wasm::Instance*, void*)+122>
=> 0x555557ce2e8a <_ZN2js4wasm8Instance9structNewEPS1_Pv+122>: cmpq $0x0,0x8(%rbx)
0x555557ce2e8f <_ZN2js4wasm8Instance9structNewEPS1_Pv+127>: je 0x555557ce2ee2 <_ZN2js4wasm8Instance9structNewEPS1_Pv+210>
This requires wasm struct types to be enabled, which is pref'ed off right now.
|
Reporter | |
Comment 1•2 years ago
|
||
|
|
Reporter | |
Comment 2•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1742576 using build mozilla-central 20211123094249-71332992f78f. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
Assignee | |
Comment 4•2 years ago
|
||
This line needs an assertion for why we can skip a barrier.
|
|
Assignee | |
Comment 5•2 years ago
|
||
Currently ValType::isReference checks if the type is a wasm ref type. This
does not include rtt types, as those are just plain value types. However
both ref types and rtt types are represented at runtime as references.
Some checks using isReference want to detect ref-types, while some want
to check for the runtime representation. This commit splits isReference
into isRef and isRefRepr for detecting these two different conditions.
Code is updated to use the appropriate condition.
Depends on D132085
|
|
Assignee | |
Comment 6•2 years ago
|
||
This is not security sensitive as the issue is only in wasm-GC code which is disabled by default.
|
||
Comment 7•2 years ago
•
|
||
wasm: Assert that RttValue is always tenured. r=lth
https://hg.mozilla.org/integration/autoland/rev/108fde18544da38b639a6f6b87f6b153e91dbd4e
https://hg.mozilla.org/mozilla-central/rev/108fde18544d
wasm: Clean up uses of ValType::isReference. r=lth
https://hg.mozilla.org/integration/autoland/rev/1bd358cc66d94c648d88aa2f22dd2e88e5d22f12
https://hg.mozilla.org/mozilla-central/rev/1bd358cc66d9
|
||
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
:rhunt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•