Closed Bug 1845436 Opened 1 year ago Closed 1 year ago

[WASM-GC] Canonical types should use type index of first occurrence in module

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Firefox 117
defect

Tracking

()

RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 --- disabled
firefox-esr115 --- disabled
firefox116 --- disabled
firefox117 --- disabled
firefox118 --- fixed

People

(Reporter: xiangwei1895, Assigned: rhunt)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

Steps to reproduce:

Build

../configure --disable-jemalloc --enable-debug --enable-optimize --disable-shared-js --enable-address-sanitizer

Testcase

// Reporter's reproducer for Bug 1845436. The bytes are a hand-built wasm
// binary and are reproduced exactly as filed, since the crash depends on the
// precise type-section layout (several structurally identical type definitions).
// Run as: js --wasm-gc --wasm-test-serialization ./testcase.js
// Outcome on the affected build: assertion "aIndex < mLength" in Vector.h while
// SerializableTypeCode::deserialize() looks up a type index that has not been
// decoded yet (frames #0-#2 of the backtrace in the report).
var wasm_code = Uint8Array.from([
  // magic "\0asm" and version 1
  0, 97, 115, 109, 1, 0, 0, 0,
  // type section (id 1), size 43: 7 type definitions
  1, 171, 128, 128, 128, 0,
  7,
  80, 0, 95, 0,
  80, 0, 95, 1, 125, 1,
  80, 0, 95, 3, 107, 0, 0, 101, 0, 112, 0,
  80, 0, 95, 0,
  80, 0, 94, 127, 1,
  80, 0, 96, 3, 127, 127, 127, 1, 127,
  96, 0, 0,
  // function section (id 3): one function, type index 5
  3, 130, 128, 128, 128, 0, 1, 5,
  // table section (id 4)
  4, 133, 128, 128, 128, 0, 1, 112, 1, 1, 1,
  // memory section (id 5)
  5, 132, 128, 128, 128, 0, 1, 1, 16, 32,
  // section id 13
  13, 131, 128, 128, 128, 0, 1, 0, 6,
  // export section (id 7): "main" -> function 0
  7, 136, 128, 128, 128, 0, 1, 4, 109, 97, 105, 110, 0, 0,
  // element section (id 9)
  9, 139, 128, 128, 128, 0, 1, 6, 0, 65, 0, 11, 112, 1, 210, 0, 11,
  // code section (id 10): body of function 0
  10, 138, 128, 128, 128, 0, 1, 8, 0, 65, 235, 229, 228, 173, 6, 11,
]);
// Per the backtrace (WasmModuleObject::construct -> CompileBuffer ->
// Module::deserialize), the fault fires inside Module construction when
// --wasm-test-serialization round-trips the compiled module; instantiation
// and the call below are only reached if compilation survives.
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();

./dist/bin/js --wasm-gc --wasm-test-serialization ./testcase.js

Actual results:

Backtrace

Assertion failure: aIndex < mLength, at /home/gecko-dev/js/src/asan/dist/include/mozilla/Vector.h:591

==26764==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x558e93c65031 bp 0x7ffc34f7f510 sp 0x7ffc34f7f510 T0)
==26764==The signal is caused by a WRITE memory access.
==26764==Hint: address points to the zero page.
    #0 0x558e93c65031 in mozilla::Vector<js::wasm::TypeDef const*, 0ul, js::SystemAllocPolicy>::operator[](unsigned long) const /home/gecko-dev/js/src/asan/dist/include/mozilla/Vector.h:591:5
    #1 0x558e93c65031 in js::wasm::TypeContext::type(unsigned int) const /home/gecko-dev/js/src/wasm/WasmTypeDef.h:1210:55
    #2 0x558e93c65031 in js::wasm::SerializableTypeCode::deserialize(js::wasm::TypeContext const&) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:433:35
    #3 0x558e93c63065 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodePackedTypeCode<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::PackedTypeCode>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:443:17
    #4 0x558e93c63065 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeFieldType<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::PackedType<js::wasm::FieldTypeTraits> >::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:461:10
    #5 0x558e93c63065 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeStructField<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::StructField>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:513:3
    #6 0x558e93c62c91 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeVector<(js::wasm::CoderMode)2, js::wasm::StructField, &(mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeStructField<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::StructField>::T)), 0ul, true>(js::wasm::Coder<(js::wasm::CoderMode)2>&, mozilla::Vector<js::wasm::StructField, 0ul, js::SystemAllocPolicy>*) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:268:5
    #7 0x558e93c61c9d in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeStructType<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::StructType>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:523:3
    #8 0x558e93c61c9d in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeTypeDef<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::TypeDef>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:553:7
    #9 0x558e93c5e46a in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeTypeContext<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::TypeContext>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:607:9
    #10 0x558e93c5dfa5 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeRefPtr<(js::wasm::CoderMode)2, js::wasm::TypeContext const, &(mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeTypeContext<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::TypeContext>::T))>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, RefPtr<js::wasm::TypeContext const> >::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:312:5
    #11 0x558e93c3eae2 in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeMetadata<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::Metadata>::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:965:3
    #12 0x558e93c3e62d in mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeRefPtr<(js::wasm::CoderMode)2, js::wasm::Metadata, &(mozilla::Result<mozilla::Ok, js::wasm::OutOfMemory> js::wasm::CodeMetadata<(js::wasm::CoderMode)2>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, js::wasm::Metadata>::T))>(js::wasm::Coder<(js::wasm::CoderMode)2>&, js::wasm::CoderArgT<(js::wasm::CoderMode)2, RefPtr<js::wasm::Metadata> >::T) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:312:5
    #13 0x558e93c31d4b in js::wasm::CodeSharedCode(js::wasm::Coder<(js::wasm::CoderMode)2>&, RefPtr<js::wasm::Code const>*, js::wasm::LinkData const&, mozilla::Vector<js::wasm::CustomSection, 0ul, js::SystemAllocPolicy> const&) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1023:3
    #14 0x558e93c339c1 in js::wasm::CodeModule(js::wasm::Coder<(js::wasm::CoderMode)2>&, RefPtr<js::wasm::Module>*) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1113:3
    #15 0x558e93c356bc in js::wasm::Module::deserialize(unsigned char const*, unsigned long) /home/gecko-dev/js/src/wasm/WasmSerialize.cpp:1206:24
    #16 0x558e93a0db6e in js::wasm::ModuleGenerator::finishModule(js::wasm::ShareableBytes const&, JS::OptimizedEncodingListener*) /home/gecko-dev/js/src/wasm/WasmGenerator.cpp:1199:9
    #17 0x558e939b33c8 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /home/gecko-dev/js/src/wasm/WasmCompile.cpp:737:13
    #18 0x558e93ac0a6a in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /home/gecko-dev/js/src/wasm/WasmJS.cpp:1455:7
    #19 0x558e907d0b2e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/gecko-dev/js/src/vm/Interpreter.cpp:486:13
    #20 0x558e907e9a05 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/gecko-dev/js/src/vm/Interpreter.cpp:502:8
    #21 0x558e9076f9f5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /home/gecko-dev/js/src/vm/Interpreter.cpp:708:14
    #22 0x558e90796eb7 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/gecko-dev/js/src/vm/Interpreter.cpp:755:10
    #23 0x558e90796eb7 in js::Interpret(JSContext*, js::RunState&) /home/gecko-dev/js/src/vm/Interpreter.cpp:3380:16
    #24 0x558e9076acd9 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) /home/gecko-dev/js/src/vm/Interpreter.cpp:400:10
    #25 0x558e90769e06 in js::RunScript(JSContext*, js::RunState&) /home/gecko-dev/js/src/vm/Interpreter.cpp:458:13
    #26 0x558e907722cb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/gecko-dev/js/src/vm/Interpreter.cpp:845:13
    #27 0x558e90772e0e in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/gecko-dev/js/src/vm/Interpreter.cpp:877:10
    #28 0x558e90b099cb in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:493:10
    #29 0x558e90b09f8a in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:517:10
    #30 0x558e90574281 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/gecko-dev/js/src/shell/js.cpp:1102:10
    #31 0x558e9057241f in Process(JSContext*, char const*, bool, FileKind) /home/gecko-dev/js/src/shell/js.cpp
    #32 0x558e904ccdd5 in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/gecko-dev/js/src/shell/js.cpp:10743:10
    #33 0x558e904ccdd5 in Shell(JSContext*, js::cli::OptionParser*) /home/gecko-dev/js/src/shell/js.cpp:10967:12
    #34 0x558e904c06db in main /home/gecko-dev/js/src/shell/js.cpp:11399:12
    #35 0x7efd58255d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #36 0x7efd58255e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #37 0x558e903ce4f8 in _start (/home/gecko-dev/js/src/asan/dist/bin/js+0x272f4f8) (BuildId: b40f65a3954c2852fb5540c89f389b68)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/gecko-dev/js/src/asan/dist/include/mozilla/Vector.h:591:5 in mozilla::Vector<js::wasm::TypeDef const*, 0ul, js::SystemAllocPolicy>::operator[](unsigned long) const
==26764==ABORTING
Group: core-security → javascript-core-security

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

What version of Firefox did you test? (we don't really care what browser you used to file the bug)

I assume your testing was on Linux like your browser?

Flags: needinfo?(xiangwei1895)
See Also: → 1751728

(In reply to Daniel Veditz [:dveditz] from comment #1)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

What version of Firefox did you test? (we don't really care what browser you used to file the bug)

I assume your testing was on Linux like your browser?

I am testing on Ubuntu 20.04. The version is https://github.com/mozilla/gecko-dev/commit/b6b8ff043e944a5e32ea63208d3ba7cb6b16191d

Flags: needinfo?(xiangwei1895)
Assignee: nobody → rhunt
Severity: -- → S2
Priority: -- → P2
Summary: [wasm] Assertion failure: aIndex < mLength, at /home/gecko-dev/js/src/asan/dist/include/mozilla/Vector.h:591 → WASM-GC] Canonical types should use type index of first occurence in module
Summary: WASM-GC] Canonical types should use type index of first occurence in module → [WASM-GC] Canonical types should use type index of first occurence in module

Module serialization needs a map from type-def pointer to type index. When there
are structurally identical type definitions, several indices could be stored in
the map for the same canonical type. Currently we store the last occurring type
index in the module. This caused the serializer to emit type indices that, on
deserialization, point to types that have not been decoded yet, running into
errors. This commit changes the map to keep the first type index seen for the
canonical type, which avoids this.

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/a17737971469
wasm: Always use the first occuring type index when there is a canonical type. r=yury
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
Flags: in-testsuite+
Group: core-security-release
