Assertion failure: tryNote.end > tryNote.begin, at wasm/WasmGenerator.cpp:1000
Categories
(Core :: JavaScript: WebAssembly, defect, P2)
Tracking
| Tracking | Status |
|---|---|
| firefox-esr91 | unaffected |
| firefox100 | unaffected |
| firefox101 | wontfix |
| firefox102 | verified |
People
(Reporter: decoder, Assigned: rhunt)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed])
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 20220429-a3002a9b4204 (build with fuzzing-debug, run with --no-threads --fuzzing-safe --ion-warmup-threshold=0 --disable-oom-functions --wasm-compiler=optimized test.js).
Backtrace:
Assertion failure: tryNote.end > tryNote.begin, at wasm/WasmGenerator.cpp:1000
==10361==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55f415ca10d3 bp 0x7ffe563b4b50 sp 0x7ffe563b4b10 T10361)
#0 0x55f415ca10d3 in js::wasm::ModuleGenerator::finishMetadataTier() wasm/WasmGenerator.cpp:1000:5
#1 0x55f415ca2a90 in js::wasm::ModuleGenerator::finishCodeTier() wasm/WasmGenerator.cpp:1059:8
#2 0x55f415ca47ef in js::wasm::ModuleGenerator::finishModule(js::wasm::ShareableBytes const&, JS::OptimizedEncodingListener*) wasm/WasmGenerator.cpp:1148:29
#3 0x55f415c6a76d in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) wasm/WasmCompile.cpp:739:13
#4 0x55f415d060d0 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) wasm/WasmJS.cpp:1815:7
[...]
Comment 1 • Reporter • 3 years ago
Comment 2 • Reporter • 3 years ago
Comment 3 • Assignee • 3 years ago
This can happen due to dead code elimination removing a MWasmCall so that a try note is left with default values. This is harmless (except for this assert) as the default range is empty (begin == end) and will never be selected as the try note to jump to.
We should still fix this to remove these entries, but it's not security sensitive.
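The following is an added illustration of the point made in comment 3, not code from the bug thread or from SpiderMonkey: a simplified model of a try-note table in which one entry was left at its default values (begin == end) after the call it covered was eliminated. The lookup uses the half-open test `begin <= pc < end`, so such an entry can never be selected; the assertion fails only because the invariant `end > begin` is checked on every entry. The names `TryNote`, `findTryNote`, `countEmptyTryNotes` and `pruneEmptyTryNotes`, the sample offsets, and the shape of the "remove empty entries" fix are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumed, simplified model of a wasm try note (not SpiderMonkey's struct).
struct TryNote {
    uint32_t begin;       // first code offset covered by the try block
    uint32_t end;         // one past the last covered offset (half-open range)
    uint32_t entryPoint;  // code offset of the handler to jump to on a throw
};

// Lookup performed when an exception is thrown at code offset `pc`: the
// innermost note whose half-open range contains pc wins. An entry with
// begin == end cannot satisfy begin <= pc < end, so a default-valued note
// left behind after dead code elimination is never selected.
std::optional<TryNote> findTryNote(const std::vector<TryNote>& notes, uint32_t pc) {
    std::optional<TryNote> best;
    for (const TryNote& n : notes) {
        if (n.begin <= pc && pc < n.end) {
            if (!best || (n.end - n.begin) < (best->end - best->begin)) {
                best = n;
            }
        }
    }
    return best;
}

// Entries that would trip the `tryNote.end > tryNote.begin` assertion.
size_t countEmptyTryNotes(const std::vector<TryNote>& notes) {
    size_t count = 0;
    for (const TryNote& n : notes) {
        if (n.end <= n.begin) ++count;
    }
    return count;
}

// Drop empty entries before the table is finalized so the invariant holds for
// every remaining note. This is an assumed fix shape, not the actual patch.
std::vector<TryNote> pruneEmptyTryNotes(const std::vector<TryNote>& notes) {
    std::vector<TryNote> kept;
    for (const TryNote& n : notes) {
        if (n.end > n.begin) kept.push_back(n);
    }
    return kept;
}

// Constructed sample table: a live try block, a default-valued leftover
// (begin == end == 0), and a nested try block inside the first one.
std::vector<TryNote> sampleTryNotes() {
    return {
        {10, 30, 100},
        {0, 0, 0},
        {15, 20, 200},
    };
}

int main() {
    std::vector<TryNote> notes = sampleTryNotes();
    std::vector<TryNote> pruned = pruneEmptyTryNotes(notes);
    std::printf("empty entries: before prune %zu, after prune %zu\n",
                countEmptyTryNotes(notes), countEmptyTryNotes(pruned));

    // Lookups give identical results with and without the empty entry,
    // including at pc == 0 where the leftover's range starts.
    const uint32_t pcs[] = {0, 12, 17, 40};
    for (uint32_t pc : pcs) {
        std::optional<TryNote> a = findTryNote(notes, pc);
        std::optional<TryNote> b = findTryNote(pruned, pc);
        bool same = a.has_value() == b.has_value() &&
                    (!a || a->entryPoint == b->entryPoint);
        std::printf("pc=%u: found=%d handler=%u unchanged_by_prune=%d\n",
                    pc, (int)a.has_value(), a ? a->entryPoint : 0u, (int)same);
    }
    return 0;
}
```

Running it shows one empty entry before pruning and none after, while every lookup (pc 0, 12, 17, 40) returns the same handler either way: the leftover entry is unreachable by the selection test, which is why the report rates the assertion as harmless in release builds.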
Comment 4 • Assignee • 3 years ago
Comment 5 • 3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220503155751-0b6f31f3ce0b.
The bug appears to have been introduced in the following build range:
Start: 93a25ec951a91b6d6f1b9d5d631d4fa2dac94e26 (20220411232555)
End: 53b0297b7573943417a24c28931ea8e1aff839ac (20220412012705)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=93a25ec951a91b6d6f1b9d5d631d4fa2dac94e26&tochange=53b0297b7573943417a24c28931ea8e1aff839ac
Comment 6 • 3 years ago
Set release status flags based on info from the regressing bug 1752606
Comment 7 • 3 years ago
Hi Ryan, is there a real-world user impact to this bug which would make us want to leave it on the radar for 101?
Comment 8 • Assignee • 3 years ago
No, this debug assert will not lead to a correctness or security issue in release. The attached patch reworks this code so that we don't trip this assert.
Comment 10 • 3 years ago
Comment 11 • bugherder • 3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220524093649-a8d14b452547.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.