Assertion failure: masm.currentOffset() == uint32_t(L.offset()), at wasm/WasmBaselineCompile.cpp:654
Categories
(Core :: JavaScript: WebAssembly, defect, P3)
Tracking
Tracking | Status
---|---
firefox-esr91 | unaffected
firefox-esr102 | wontfix
firefox102 | wontfix
firefox103 | wontfix
firefox104 | verified
People
(Reporter: decoder, Assigned: rhunt)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220701-1f99e4a51135 (debug build, run with --fuzzing-safe --no-threads --fast-warmup):
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal({newCompartment: true});
  var dbg = new dbgGlobal.Debugger();
  dbg.addDebuggee(global);
})(this);
function wasmEvalText(str, imports, options) {
  let binary = wasmTextToBinary(str);
  m = new WebAssembly.Module(binary, options);
}
var g15 = newGlobal({newCompartment: true});
function test(type, provocation) {
  oomTest(() => {
    wasmEvalText(`
      (import "" "" (func $d))
      (func try call $d end)
    `);
  });
}
test("call", g15.f34);
test("call", function () { return new g15.f34; });
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x0000555557c5970e in js::wasm::BaseCompiler::insertBreakablePoint(js::wasm::CallSiteDesc::Kind) ()
#0 0x0000555557c5970e in js::wasm::BaseCompiler::insertBreakablePoint(js::wasm::CallSiteDesc::Kind) ()
#1 0x0000555557c59a16 in js::wasm::BaseCompiler::endFunction() ()
#2 0x0000555557cb321f in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#3 0x0000555557d35d6c in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4 0x0000555557d370fa in js::wasm::ModuleGenerator::finishFuncDefs() ()
#5 0x0000555557d168e0 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
#6 0x0000555557d16507 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
#7 0x0000555557d7cd2a in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
#8 0x0000132c34d2fa1e in ?? ()
[...]
#13 0x0000000000000000 in ?? ()
rip 0x555557c5970e <js::wasm::BaseCompiler::insertBreakablePoint(js::wasm::CallSiteDesc::Kind)+558>
=> 0x555557c5970e <_ZN2js4wasm12BaseCompiler20insertBreakablePointENS0_12CallSiteDesc4KindE+558>: movl $0x28e,0x0
0x555557c59719 <_ZN2js4wasm12BaseCompiler20insertBreakablePointENS0_12CallSiteDesc4KindE+569>: callq 0x555556bfc268 <abort>
Marking this s-s because the assert sounds potentially dangerous.
Comment 3•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220703213709-c285f5ebde4b.
The bug appears to have been introduced in the following build range:
Start: d209d5f4d95ec0edc0bdcd42ff212edcd9b5ef1f (20220318072318)
End: 10a616ca8ab2ed849eb919cd4e1feee7888b2774 (20220318075834)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d209d5f4d95ec0edc0bdcd42ff212edcd9b5ef1f&tochange=10a616ca8ab2ed849eb919cd4e1feee7888b2774
Comment 4•2 years ago
Setting regressed_by field after analyzing regression range found by bugmon.
Comment 5•2 years ago
Set release status flags based on info from the regressing bug 1756951
Comment 7•2 years ago (Assignee)
(In reply to Jan de Mooij [:jandem] from comment #6)
> This might need a !masm.oom() guard similar to here.
Yes, that was it. I don't believe this is security sensitive, as we should just discard this compilation if we've OOM'ed.
Comment 8•2 years ago (Assignee)
This assert is not meaningful if we've OOM'ed. This follows the pattern
used in GenerateCallablePrologue (and elsewhere).
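To show why this offset assertion has no meaning once the assembler has hit OOM, and how the `!masm.oom()` guard from the fix handles it, here is an added, constructed model (not SpiderMonkey's code): `ToyMasm`, `insertBreakablePoint`, `compileFunction` and the 5-byte breakpoint size are all assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model of a MacroAssembler buffer, constructed for this example:
// once an append fails it records OOM, discards what it holds, and every
// later emit is a no-op, so offsets read from it afterwards are garbage.
struct ToyMasm {
  std::vector<uint8_t> buf;
  size_t limit;          // constructed memory limit used to provoke OOM
  bool oomed = false;
  explicit ToyMasm(size_t l) : limit(l) {}
  bool oom() const { return oomed; }
  uint32_t currentOffset() const { return uint32_t(buf.size()); }
  void emit(uint8_t b) {
    if (oomed) return;
    if (buf.size() >= limit) { oomed = true; buf.clear(); return; }
    buf.push_back(b);
  }
};

constexpr uint32_t kBreakpointSize = 5;  // constructed size of the call sequence

// Emits a patchable breakpoint call and checks the post-condition that it
// occupies exactly kBreakpointSize bytes. The unguarded variant is the
// pattern the reported assertion used; the guarded variant follows the
// MOZ_ASSERT_IF(!masm.oom(), ...) pattern the fix adopts. A false return
// stands in for the assertion firing.
bool insertBreakablePoint(ToyMasm& masm, bool guarded) {
  uint32_t start = masm.currentOffset();
  for (uint32_t i = 0; i < kBreakpointSize; i++) masm.emit(0x90);
  bool offsetsMatch = masm.currentOffset() - start == kBreakpointSize;
  if (guarded) return masm.oom() || offsetsMatch;  // skip the check on OOM
  return offsetsMatch;
}

// Compiles a body of `bodyBytes` bytes followed by a breakable point.
// Returns false when the compilation must be discarded because of OOM,
// which is where the failure is actually handled; *assertOk reports
// whether the offset check passed (or was skipped).
bool compileFunction(size_t bodyBytes, size_t limit, bool guarded,
                     bool* assertOk) {
  ToyMasm masm(limit);
  for (size_t i = 0; i < bodyBytes; i++) masm.emit(0x00);
  *assertOk = insertBreakablePoint(masm, guarded);
  return !masm.oom();
}
```

With a limit that runs out in the middle of the breakpoint sequence, the unguarded check fails while the guarded one is skipped, and in both cases the compilation is reported as discarded.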
Pushed by rhunt@eqrion.net: https://hg.mozilla.org/integration/autoland/rev/4bf18b078b7e wasm: Check masm.oom() before reading currentOffset(). r=jandem
Comment 10•2 years ago
bugherder
Comment 11•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220709093714-9f44cd8576a6.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 12•2 years ago
The patch landed in nightly and beta is affected.
:rhunt, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox103 to wontfix.
For more information, please visit auto_nag documentation.
Comment 13•2 years ago (Assignee)
No, it's just a debug assertion and the failure will be handled correctly elsewhere.