1843295 - [WASM-GC] Failure to serialize/deserialize type subtype declaration

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect, P2)

Description

[xiangwei1895]

Steps to reproduce:

gecko-dev version

a3852ea8db25c759bc8b108aeec870d66c95452c

Build args

../configure --disable-jemalloc --enable-debug --enable-optimize --disable-shared-js

Testcase and Execution steps

var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,156,128,128,128,0,5,80,0,95,0,80,0,94,127,1,80,1,1,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,148,128,128,128,0,1,18,0,67,122,151,88,222,168,65,189,127,118,65,195,208,0,110,103,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();

./out/dist/bin/js --wasm-function-references --wasm-test-serialization --wasm-gc ./testcase.js

Actual results:

Output

Segmentation fault

Backtrace

#0 js::wasm::TypeDef::subTypingDepth (this=0x0)
at /home/gecko-dev/js/src/wasm/WasmTypeDef.h:691
#1 js::wasm::SuperTypeVector::createMultipleForRecGroup (recGroup=0x555559bd9580)
at /home/gecko-dev/js/src/wasm/WasmTypeDef.cpp:437
#2 0x0000555558c85b29 in js::wasm::RecGroup::finalizeDefinitions (
this=0x555559bd9580) at /home/gecko-dev/js/src/wasm/WasmTypeDef.h:952
#3 js::wasm::TypeContext::endRecGroup (this=0x555559bd94d0)
at /home/gecko-dev/js/src/wasm/WasmTypeDef.h:1164
#4 0x0000555558ea755e in js::wasm::CodeTypeContext<(js::wasm::CoderMode)2> (
coder=..., item=item@entry=0x555559bd94d0)
at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:611
#5 0x0000555558ea72ec in js::wasm::CodeRefPtr<(js::wasm::CoderMode)2, js::wasm::TypeContext const, &js::wasm::CodeTypeContext<(js::wasm::CoderMode)2> > (coder=...,
item=item@entry=0x555559bd9350)
at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:312
#6 0x0000555558e79609 in js::wasm::CodeMetadata<(js::wasm::CoderMode)2> (
coder=..., item=item@entry=0x555559bd9310)
at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:965
#7 0x0000555558e79489 in js::wasm::CodeRefPtr<(js::wasm::CoderMode)2, js::wasm::Metadata, &js::wasm::CodeMetadata<(js::wasm::CoderMode)2> > (coder=...,
item=item@entry=0x7fffffffa180)
at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:312
#8 0x0000555558e787b2 in js::wasm::CodeSharedCode (coder=...,
item=item@entry=0x7fffffffa1f0, linkData=..., customSections=...)
at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1023
#9 0x0000555558e79d49 in js::wasm::CodeModule (coder=...,
--Type <RET> for more, q to quit, c to continue without paging--c
item=item@entry=0x7fffffffc150) at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1113
#10 0x0000555558e7cff2 in js::wasm::Module::deserialize (begin=<optimized out>, size=<optimized out>) at /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1206
#11 0x0000555558d2f874 in js::wasm::ModuleGenerator::finishModule (this=0x7fffffffc338, bytecode=..., maybeTier2Listener=0x0) at /home/gecko-dev/js/src/wasm/WasmGenerator.cpp:1199
#12 0x0000555558cf5fd6 in js::wasm::CompileBuffer (args=..., bytecode=..., error=error@entry=0x7fffffffd338, warnings=warnings@entry=0x7fffffffd368, listener=0x7, listener@entry=0x0) at /home/gecko-dev/js/src/wasm/WasmCompile.cpp:736
#13 0x0000555558da0c0b in js::WasmModuleObject::construct (cx=cx@entry=0x555559a77b30, argc=<optimized out>, vp=<optimized out>) at /home/gecko-dev/js/src/wasm/WasmJS.cpp:1731
#14 0x0000555556f01b7d in CallJSNative (cx=cx@entry=0x555559a77b30, native=native@entry=0x555558da0960 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:486
#15 0x0000555556f4603b in CallJSNativeConstructor (cx=cx@entry=0x555559a77b30, native=0x555558da0960 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:502
#16 0x0000555556f04058 in InternalConstruct (cx=<optimized out>, cx@entry=0x555559a77b30, args=..., reason=reason@entry=js::CallReason::Call) at /home/gecko-dev/js/src/vm/Interpreter.cpp:708
#17 0x0000555556f1a824 in js::ConstructFromStack (cx=0x555559a77b30, args=..., reason=<optimized out>) at /home/gecko-dev/js/src/vm/Interpreter.cpp:755
#18 js::Interpret (cx=cx@entry=0x555559a77b30, state=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:3380
#19 0x0000555556effc24 in MaybeEnterInterpreterTrampoline (cx=cx@entry=0x555559a77b30, state=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:400
#20 0x0000555556eff8a1 in js::RunScript (cx=0x555559a77b30, state=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:458
#21 0x0000555556f0570b in js::ExecuteKernel (cx=0x1, cx@entry=0x555559a77b30, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=..., evalInFrame@entry=..., result=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:845
#22 0x0000555556f060a0 in js::Execute (cx=cx@entry=0x555559a77b30, script=..., envChain=..., rval=..., rval@entry=...) at /home/gecko-dev/js/src/vm/Interpreter.cpp:877
#23 0x000055555713a13a in ExecuteScript (cx=cx@entry=0x555559a77b30, envChain=..., script=..., rval=rval@entry=...) at /home/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:493
#24 0x000055555713a416 in JS_ExecuteScript (cx=cx@entry=0x555559a77b30, scriptArg=scriptArg@entry=...) at /home/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:517
#25 0x0000555556e0a164 in RunFile (cx=cx@entry=0x555559a77b30, filename=0x555559b96ad0 "/data/fuzzout/WASM/SM_0712/sm_1/crashes/id:000116,sig:11,src:001603,time:79690180,execs:1918052,op:MOpt_core_havoc,rep:8", filename@entry=0x555559b0f2a0 "\230$\255\373PU", file=file@entry=0x555559b0f2a0, compileMethod=compileMethod@entry=CompileUtf8::DontInflate, compileOnly=false, fullParse=false) at /home/gecko-dev/js/src/shell/js.cpp:1105
#26 0x0000555556e08990 in Process (cx=cx@entry=0x555559a77b30, filename=<optimized out>, forceTTY=<optimized out>, kind=kind@entry=FileScript) at /home/gecko-dev/js/src/shell/js.cpp:1685
#27 0x0000555556d59cf4 in ProcessArgs (cx=0x555559a77b30, op=0x7fffffffe2e8) at /home/gecko-dev/js/src/shell/js.cpp:10747
#28 Shell (cx=0x555559a77b30, op=op@entry=0x7fffffffe2e8) at /home/gecko-dev/js/src/shell/js.cpp:10971
#29 0x0000555556d4fc47 in main (argc=<optimized out>, argv=<optimized out>) at /home/gecko-dev/js/src/shell/js.cpp:11403

Expected results:

Don't crash

Comment 1

[Daniel Veditz [:dveditz]]

Ryan: could you take a look at this reporter's bugs (there are two or three)? They appear to rely on wasm-gc and we're not sure the state of that. And this one is using the serializer.

Comment 2

[Ryan Hunt [:rhunt]]

Attachment: Bug 1843295 - wasm: Properly serialize GC subtype declarations. r?yury

We need to serialize/deserialize the (sub) declaration for GC types.

Comment 3

[Ryan Hunt [:rhunt]]

We're not serializing/deserializing type definitions that use some Wasm-GC extensions correctly. This is disabled everywhere right now.

Comment 4

[Pulsebot]

Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/f77c2fc738fa
wasm: Properly serialize GC subtype declarations. r=yury

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/f77c2fc738fa