Closed Bug 1747704 Opened 2 years ago Closed 2 years ago

Differential output between ion/baseline with WebAssembly exception handling

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- unaffected
firefox96 --- unaffected
firefox97 --- fixed

People

(Reporter: decoder, Assigned: rhunt)

References

(Regression)

Details

(Keywords: regression, testcase)

Attachments

(3 files)

The attached testcase shows differential behavior on mozilla-central revision 20211223-bd494168b95a (opt build):

Run with --no-threads --wasm-compiler=ion --wasm-exceptions:

    //RuntimeError: table index out of bounds

Run with --no-threads --wasm-compiler=baseline --wasm-exceptions:

    0,0,0

Found by our wasm-smith differential testing target. Marking s-s until investigated.

Attached file Testcase

To Ryan for further triage.

Assignee: nobody → rhunt
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1

We already mark runtime errors that are generated using the HandleTrap/signal handler mechanism as 'traps'. We need to extend this to errors reported by instance methods.

The root cause here is that instance calls are used to implement certain wasm instructions that may trap, but the instance call mechanism doesn't mark these WA.RuntimeErrors as traps the way that the signal handler mechanism does. The differential execution comes down to the fact that the try notes for baseline are 1:1 with a whole try block, while Ion generates try notes for each wasm call inside a try body (and not for instance calls, as they are assumed to only be able to throw non-catchable exceptions).

So we are generating exceptions that should not be catchable by wasm, but are not marked as such yet. And baseline can catch these exceptions because its try notes can cover instance calls, while Ion try notes will not, because they are under the assumption that no catchable error should be thrown by instance calls.

This is not security sensitive because this is only triggerable via pref'd-off code, and is only correctness-based anyway.

Group: javascript-core-security
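To make the trap-versus-exception distinction in the comment above concrete, the following is an added example; it is not from the bug, its testcase, or the SpiderMonkey tree, and the byte helpers, module layout and function names are constructed for this page. It hand-assembles two wasm modules whose exported call(idx) does a call_indirect into a one-slot table, so idx 1 is out of bounds and traps. The first module has no exception handling; the second wraps the same call_indirect in the legacy exception-handling try/catch_all. In a correct engine the trap reaches JS as a WebAssembly.RuntimeError from both modules, because a trap is not a wasm exception and catch_all must not intercept it. An engine that returned -1 from the second module would be showing the baseline behaviour described in this bug (the reporter saw 0,0,0 from baseline against a RuntimeError from Ion). Engines without legacy EH support fail validation of the second module, which the probe reports separately rather than as a pass or fail.

```javascript
// Added example for bug 1747704: not from the bug or the SpiderMonkey tree.
// Two hand-assembled wasm modules export call(idx) = call_indirect table[idx].
// The table has one slot (func 0, returns 42), so idx 1 is out of bounds and traps.
// The second module wraps the call_indirect in legacy EH try/catch_all; a trap
// is not a wasm exception and must still escape to JS as WebAssembly.RuntimeError.
'use strict';

// Unsigned LEB128 encoding (general case; only small values occur here).
function leb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}
const vec = (items) => [...leb(items.length), ...items.flat()]; // length-prefixed vector
const section = (id, body) => [id, ...leb(body.length), ...body]; // id + size + payload
const funcBody = (code) => [...leb(code.length), ...code];        // size-prefixed body
const utf8 = (s) => [...s].map((c) => c.charCodeAt(0));

const TYPES = section(1, vec([
  [0x60, 0x00, 0x01, 0x7f],        // type 0: () -> i32
  [0x60, 0x01, 0x7f, 0x01, 0x7f],  // type 1: (i32) -> i32
]));
const FUNCS = section(3, vec([[0x00], [0x01]]));       // func 0: type 0, func 1: type 1
const TABLE = section(4, vec([[0x70, 0x00, 0x01]]));   // one table, funcref, min 1, no max
const EXPORTS = section(7, vec([[...vec(utf8('call')), 0x00, 0x01]])); // export func 1 as "call"
const ELEMS = section(9, vec([[0x00, 0x41, 0x00, 0x0b, ...vec([[0x00]])]])); // table[0] = func 0

// func 0: i32.const 42; end
const RETURNS_42 = [0x00, 0x41, 0x2a, 0x0b];
// func 1 (plain): local.get 0; call_indirect type 0 table 0; end
const PLAIN_CALL = [0x00, 0x20, 0x00, 0x11, 0x00, 0x00, 0x0b];
// func 1 (legacy EH): try (result i32) <same call> catch_all i32.const -1 end; end
// Opcodes: try = 0x06, catch_all = 0x19 (legacy exception-handling proposal).
const CATCH_ALL_CALL = [0x00, 0x06, 0x7f, 0x20, 0x00, 0x11, 0x00, 0x00, 0x19, 0x41, 0x7f, 0x0b, 0x0b];

function buildModule(callBody) {
  const code = section(10, vec([funcBody(RETURNS_42), funcBody(callBody)]));
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
    ...TYPES, ...FUNCS, ...TABLE, ...EXPORTS, ...ELEMS, ...code,
  ]);
}
const PLAIN = buildModule(PLAIN_CALL);
const WITH_CATCH_ALL = buildModule(CATCH_ALL_CALL);

// Instantiate synchronously and call the export, reporting the value or the thrown error.
function callIndirect(bytes, idx) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  try {
    return { value: instance.exports.call(idx) };
  } catch (error) {
    return { error };
  }
}

// In-bounds: table[0] -> func 0 -> 42.
function inBounds() { return callIndirect(PLAIN, 0); }
// Out-of-bounds index: the table-bounds check traps and JS sees a RuntimeError.
function outOfBounds() { return callIndirect(PLAIN, 1); }
// Same out-of-bounds call under a wasm catch_all. Correct engines still surface the
// RuntimeError; an engine returning value -1 here has let wasm catch a trap, which is
// the baseline-vs-Ion discrepancy in this bug. Engines without legacy EH fail
// validation, reported as { unsupported: true } rather than as a result.
function catchAllVersusTrap() {
  if (!WebAssembly.validate(WITH_CATCH_ALL)) return { unsupported: true };
  return callIndirect(WITH_CATCH_ALL, 1);
}

const describe = (r) => r.unsupported ? 'legacy EH not supported'
  : 'error' in r ? `${r.error.constructor.name}: ${r.error.message}` : `value ${r.value}`;
console.log('in bounds        :', describe(inBounds()));
console.log('out of bounds    :', describe(outOfBounds()));
console.log('catch_all + trap :', describe(catchAllVersusTrap()));
```

Run it with node; the third line is the one that distinguishes a correct engine (RuntimeError) from one that lets wasm code catch a trap (value -1). The modules are built from bytes rather than compiled from a text format so the example has no toolchain dependency and the exact instructions under test are visible.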
Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/d6d4681c1280
wasm: Mark runtime errors generated in instance methods as traps. r=lth
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch
Has Regression Range: --- → yes