1742584 - Assertion failure: js::gc::IsCellPointerValid(&obj), a js/Value.h:490 with wasmGlobalFromArrayBuffer

Status: VERIFIED FIXED

(Core :: JavaScript: WebAssembly, defect, P2)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 20211123-71332992f78f (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-warmup-threshold=1):

function a(b) {
  c = new Uint16Array(b);
  wasmGlobalFromArrayBuffer('v128', c.buffer);
}
oomTest(() => a([,,,,,,, 0]));

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556ad3238 in js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject(JSObject&) ()
#1  0x00005555571a5031 in WasmGlobalFromArrayBuffer(JSContext*, unsigned int, JS::Value*) ()
#2  0x00003e70a2331fcf in ?? ()
[...]
#5  0x0000000000000000 in ?? ()
rax	0x555555712b90	93824994061200
rbx	0x7fffffffb400	140737488335872
rcx	0x5555581a5020	93825038700576
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb3e0	140737488335840
rsp	0x7fffffffb3c0	140737488335808
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb440	140737488335936
r13	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r14	0x7fffffffb510	140737488336144
r15	0x7fffffffb420	140737488335904
rip	0x555556ad3238 <js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject(JSObject&)+200>
=> 0x555556ad3238 <_ZN2js27MutableWrappedPtrOperationsIN2JS5ValueENS1_13MutableHandleIS2_EEE9setObjectER8JSObject+200>:	movl   $0x1ea,0x0
   0x555556ad3243 <_ZN2js27MutableWrappedPtrOperationsIN2JS5ValueENS1_13MutableHandleIS2_EEE9setObjectER8JSObject+211>:	callq  0x555556b5a76b <abort>

This might be a problem with the wasmGlobalFromArrayBuffer function, but marking s-s until investigated.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 2

[Christian Holler (:decoder)]

Attachment: Testcase

Comment 3

[Lars T Hansen [:lth]]

Devious! Giving this to Yury, as I'm busy right now, though it's likely my fault.

Comment 4

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211123094249-71332992f78f.
The bug appears to have been introduced in the following build range:

Start: b9efd1c99ba7f8af4965f64589014c1dba34c636 (20210511060843)
End: ab1fc35f9ba6b6a59a3ede09b810150d43eeb55b (20210511062430)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b9efd1c99ba7f8af4965f64589014c1dba34c636&tochange=ab1fc35f9ba6b6a59a3ede09b810150d43eeb55b

Comment 5

[Andrew McCreight [:mccr8]]

Marking the regression based on comment 4.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1710075

Comment 7

[Lars T Hansen [:lth]]

Missing null checks in wasmGlobalFromArrayBuffer, not s-s.

Comment 8

[Lars T Hansen [:lth]]

Attachment: Bug 1742584 - Add null checks. r?yury

Comment 9

[Lars T Hansen [:lth]]

Not a regression, bug has been in code since day 1.

Comment 10

[Pulsebot]

Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bd6702a2a4b1
Add null checks.  r=yury

Comment 11

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/bd6702a2a4b1

Comment 12

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211130042247-58d2fbdb6b4a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.