1879238 - [WASM] Segmentation fault: unknown type hierarchy in cast

Reporter

Description

•

1 year ago

Attached file poc0208.2.js — Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Steps to reproduce:

OS : Linux ubuntu 5.11.10 #1 SMP Sat Oct 30 23:40:08 CST 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit : 719b4a8853b449674c018178f85b3667afe4f193
Build :

ac_add_options --enable-project=js
ac_add_options --disable-optimize
ac_add_options --disable-unified-build
ac_add_options --disable-debug
ac_add_options --disable-jemalloc
ac_add_options --disable-tests

Running: ./js --wasm-compiler=baseline --wasm-exnref poc.js

Actual results:

#0  0x0000555558656719 in js::wasm::BaseCompiler::branchIfRefSubtype(js::wasm::RegRef, js::wasm::RefType, js::wasm::RefType, js::jit::Label*, bool)
    (this=0x7fffffff03b8, ref=..., sourceType=..., destType=..., label=0x7fffffff0970, onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8325
#1  0x00005555586561b3 in js::wasm::BaseCompiler::jumpConditionalWithResults(js::wasm::BranchState*, js::wasm::RegRef, js::wasm::RefType, js::wasm::RefType, bool)
    (this=0x7fffffff03b8, b=0x7ffffffed598, object=..., sourceType=..., destType=..., onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:3253
#2  0x0000555558666f8b in js::wasm::BaseCompiler::emitBrOnCastCommon(bool, unsigned int, js::wasm::ResultType const&, js::wasm::RefType, js::wasm::RefType)
    (this=0x7fffffff03b8, onSuccess=0x0, labelRelativeDepth=0x2, labelType=..., sourceType=..., destType=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8392
#3  0x00005555586670e8 in js::wasm::BaseCompiler::emitBrOnCast(bool) (this=0x7fffffff03b8, onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8418
#4  0x0000555558671fe7 in js::wasm::BaseCompiler::emitBody() (this=0x7fffffff03b8) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:10629
#5  0x000055555868872c in js::wasm::BaseCompiler::emitFunction() (this=0x7fffffff03b8)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:11740
#6  0x000055555868a09f in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*)
     (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=0x555559224d40, error=0x7fffffff2808)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:11917
#7  0x0000555558721cd3 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) (task=0x555559224a28, error=0x7fffffff2808)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:735
#8  0x0000555558721dd4 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() (this=0x7fffffff1a10)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:784
#9  0x00005555587225a1 in js::wasm::ModuleGenerator::finishFuncDefs() (this=0x7fffffff1a10) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:915
#10 0x00005555587033d8 in DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&)
    (env=..., d=..., mg=...) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmCompile.cpp:785
#11 0x0000555558703114 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*)
    (args=..., bytecode=..., error=0x7fffffff2808, warnings=0x7fffffff27f0, listener=0x0) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmCompile.cpp:807
#12 0x00005555587b3b65 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) (cx=0x5555591087f0, argc=0x1, vp=0x55555920a698)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmJS.cpp:1494
#13 0x0000555557219eff in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)
    (cx=0x5555591087f0, native=0x5555587b3780 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:480
#14 CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)
    (cx=0x5555591087f0, native=0x5555587b3780 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:496
#15 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) (cx=0x5555591087f0, args=..., reason=js::CallReason::Call)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:702
#16 0x0000555557219881 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) (cx=0x5555591087f0, args=..., reason=js::CallReason::Call)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:749
#17 0x0000555557236661 in js::Interpret(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:3046
#18 0x0000555557217aac in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:394
#19 js::RunScript(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...) at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:452
#20 0x000055555721adf2 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, script=0x176351562060, envChainArg=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], evalInFrame=AbstractFramePtr ((js::InterpreterFrame *) 0x0) = {...}, result=$JS::UndefinedValue()) at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:839
#21 0x000055555721b082 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, script=0x176351562060, envChain=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], rval=$JS::UndefinedValue())
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:871
#22 0x00005555575b8adf in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, envChain=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], script=0x176351562060, rval=$JS::UndefinedValue())
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/CompilationAndEvaluation.cpp:494
#23 0x00005555575b8bd0 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) (cx=0x5555591087f0, scriptArg=0x176351562060)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/CompilationAndEvaluation.cpp:518
#24 0x00005555570f11ae in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool)
    (cx=0x5555591087f0, filename=0x555559209350 "/tmp/crash1.js", file=0x555559209410, compileMethod=CompileUtf8::DontInflate, compileOnly=0x0, fullParse=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:1221
#25 0x00005555570f07f3 in Process(JSContext*, char const*, bool, FileKind)
    (cx=0x5555591087f0, filename=0x555559209350 "/tmp/crash1.js", forceTTY=0x0, kind=FileScript) at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:1801
#26 0x00005555570c0367 in ProcessArgs(JSContext*, js::cli::OptionParser*) (cx=0x5555591087f0, op=0x7fffffffdee0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:10905
#27 0x00005555570b8c40 in Shell(JSContext*, js::cli::OptionParser*) (cx=0x5555591087f0, op=0x7fffffffdee0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:11167
#28 0x00005555570b2be1 in main(int, char**) (argc=0x5, argv=0x7fffffffe0f8) at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:11571
#29 0x00007ffff7a48083 in __libc_start_main () at /lib/x86_64-linux-gnu/libc.so.6
#30 0x0000555557087a49 in _start ()

P1umer

Reporter

Comment 1

•

1 year ago

Please note this bug also affects ion.

P1umer

Reporter

Comment 2

•

1 year ago

(In reply to P1umer from comment #0)

Created attachment 9378913 [details]
poc0208.2.js

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

Steps to reproduce:

OS : Linux ubuntu 5.11.10 #1 SMP Sat Oct 30 23:40:08 CST 2021 x86_64 x86_64 x86_64 GNU/Linux
Commit : 719b4a8853b449674c018178f85b3667afe4f193
Build :

ac_add_options --enable-project=js
ac_add_options --disable-optimize
ac_add_options --disable-unified-build
ac_add_options --disable-debug
ac_add_options --disable-jemalloc
ac_add_options --disable-tests

Running: ./js --wasm-compiler=baseline --wasm-exnref poc.js

Actual results:

#0  0x0000555558656719 in js::wasm::BaseCompiler::branchIfRefSubtype(js::wasm::RegRef, js::wasm::RefType, js::wasm::RefType, js::jit::Label*, bool)
    (this=0x7fffffff03b8, ref=..., sourceType=..., destType=..., label=0x7fffffff0970, onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8325
#1  0x00005555586561b3 in js::wasm::BaseCompiler::jumpConditionalWithResults(js::wasm::BranchState*, js::wasm::RegRef, js::wasm::RefType, js::wasm::RefType, bool)
    (this=0x7fffffff03b8, b=0x7ffffffed598, object=..., sourceType=..., destType=..., onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:3253
#2  0x0000555558666f8b in js::wasm::BaseCompiler::emitBrOnCastCommon(bool, unsigned int, js::wasm::ResultType const&, js::wasm::RefType, js::wasm::RefType)
    (this=0x7fffffff03b8, onSuccess=0x0, labelRelativeDepth=0x2, labelType=..., sourceType=..., destType=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8392
#3  0x00005555586670e8 in js::wasm::BaseCompiler::emitBrOnCast(bool) (this=0x7fffffff03b8, onSuccess=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:8418
#4  0x0000555558671fe7 in js::wasm::BaseCompiler::emitBody() (this=0x7fffffff03b8) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:10629
#5  0x000055555868872c in js::wasm::BaseCompiler::emitFunction() (this=0x7fffffff03b8)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:11740
#6  0x000055555868a09f in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*)
     (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=0x555559224d40, error=0x7fffffff2808)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmBaselineCompile.cpp:11917
#7  0x0000555558721cd3 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) (task=0x555559224a28, error=0x7fffffff2808)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:735
#8  0x0000555558721dd4 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() (this=0x7fffffff1a10)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:784
#9  0x00005555587225a1 in js::wasm::ModuleGenerator::finishFuncDefs() (this=0x7fffffff1a10) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmGenerator.cpp:915
#10 0x00005555587033d8 in DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&)
    (env=..., d=..., mg=...) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmCompile.cpp:785
#11 0x0000555558703114 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*)
    (args=..., bytecode=..., error=0x7fffffff2808, warnings=0x7fffffff27f0, listener=0x0) at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmCompile.cpp:807
#12 0x00005555587b3b65 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) (cx=0x5555591087f0, argc=0x1, vp=0x55555920a698)
    at /home/p1umer/Git/gecko-dev-latest/js/src/wasm/WasmJS.cpp:1494
#13 0x0000555557219eff in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)
    (cx=0x5555591087f0, native=0x5555587b3780 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:480
#14 CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)
    (cx=0x5555591087f0, native=0x5555587b3780 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:496
#15 InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) (cx=0x5555591087f0, args=..., reason=js::CallReason::Call)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:702
#16 0x0000555557219881 in js::ConstructFromStack(JSContext*, JS::CallArgs const&, js::CallReason) (cx=0x5555591087f0, args=..., reason=js::CallReason::Call)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:749
#17 0x0000555557236661 in js::Interpret(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:3046
#18 0x0000555557217aac in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:394
#19 js::RunScript(JSContext*, js::RunState&) (cx=0x5555591087f0, state=...) at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:452
#20 0x000055555721adf2 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, script=0x176351562060, envChainArg=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], evalInFrame=AbstractFramePtr ((js::InterpreterFrame *) 0x0) = {...}, result=$JS::UndefinedValue()) at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:839
#21 0x000055555721b082 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, script=0x176351562060, envChain=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], rval=$JS::UndefinedValue())
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/Interpreter.cpp:871
#22 0x00005555575b8adf in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)
    (cx=0x5555591087f0, envChain=(JSObject * const) 0x17635153d038 [object LexicalEnvironment], script=0x176351562060, rval=$JS::UndefinedValue())
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/CompilationAndEvaluation.cpp:494
#23 0x00005555575b8bd0 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) (cx=0x5555591087f0, scriptArg=0x176351562060)
    at /home/p1umer/Git/gecko-dev-latest/js/src/vm/CompilationAndEvaluation.cpp:518
#24 0x00005555570f11ae in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool)
    (cx=0x5555591087f0, filename=0x555559209350 "/tmp/crash1.js", file=0x555559209410, compileMethod=CompileUtf8::DontInflate, compileOnly=0x0, fullParse=0x0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:1221
#25 0x00005555570f07f3 in Process(JSContext*, char const*, bool, FileKind)
    (cx=0x5555591087f0, filename=0x555559209350 "/tmp/crash1.js", forceTTY=0x0, kind=FileScript) at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:1801
#26 0x00005555570c0367 in ProcessArgs(JSContext*, js::cli::OptionParser*) (cx=0x5555591087f0, op=0x7fffffffdee0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:10905
#27 0x00005555570b8c40 in Shell(JSContext*, js::cli::OptionParser*) (cx=0x5555591087f0, op=0x7fffffffdee0)
    at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:11167
#28 0x00005555570b2be1 in main(int, char**) (argc=0x5, argv=0x7fffffffe0f8) at /home/p1umer/Git/gecko-dev-latest/js/src/shell/js.cpp:11571
#29 0x00007ffff7a48083 in __libc_start_main () at /lib/x86_64-linux-gnu/libc.so.6
#30 0x0000555557087a49 in _start ()

This is the GIT commit hash(719b4a8853b449674c018178f85b3667afe4f193).

Andrew McCreight [:mccr8]

Updated

•

1 year ago

Group: core-security → javascript-core-security

Ryan Hunt [:rhunt]

Comment 3

•

1 year ago

https://searchfox.org/mozilla-central/source/js/src/wasm/WasmBaselineCompile.cpp#8432

It looks like the exnref type added in the 'exnref' feature was not added to the casting code. So technically you can do a ref.cast exn and expect that to work. There's only a top type (no bottom) so nothing interesting can happen.

exnref is enabled in 124 for nightly and early beta, although I don't think 124 is in beta yet.

Ben Visness [:bvisness]

Assignee

Updated

•

1 year ago

Assignee: nobody → bvisness

Andrew McCreight [:mccr8]

Updated

•

1 year ago

status-firefox122: --- → unaffected

status-firefox123: --- → unaffected

status-firefox124: --- → affected

status-firefox-esr115: --- → unaffected

Ben Visness [:bvisness]

Assignee

Comment 4

•

1 year ago

Attached file Bug 1879238: Implement casting for exnref hierarchy. r=rhunt — Details

This was simply not implemented, and was hitting all our MOZ_CRASHes.

BugBot [:suhaib / :marco/ :calixte]

Comment 5

•

1 year ago

The bug has a release status flag that shows some version of Firefox is affected, thus it will be considered confirmed.

Status: UNCONFIRMED → NEW

Ever confirmed: true

Andrew McCreight [:mccr8]

Comment 6

•

1 year ago

Is this a security issue? Could anything worse happen from this thing being unimplemented besides hitting a safe MOZ_CRASH? Thanks.

Flags: needinfo?(bvisness)

Ben Visness [:bvisness]

Assignee

Comment 7

•

1 year ago

I don't believe so, I think every case hits a MOZ_CRASH. But I'll let Ryan make the final determination since he's more familiar with the whole system.

Flags: needinfo?(bvisness) → needinfo?(rhunt)

Steven DeTar [:sdetar]

Updated

•

1 year ago

Blocks: wasm-lang

Severity: -- → S3

Priority: -- → P1

Iain Ireland [:iain]

Updated

•

1 year ago

Group: javascript-core-security

Flags: needinfo?(rhunt)

Pulsebot

Comment 8

•

1 year ago

Pushed by bvisness@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/714b553ea5d7 Implement casting for exnref hierarchy. r=yury

Serban Stanca [:SerbanS]

Comment 9

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/714b553ea5d7

Status: NEW → RESOLVED

Closed: 1 year ago

status-firefox124: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 124 Branch

poc0208.2.js 1 year ago P1umer 7.14 KB, text/javascript		Details
Bug 1879238: Implement casting for exnref hierarchy. r=rhunt 1 year ago Ben Visness [:bvisness] 48 bytes, text/x-phabricator-request		Details \| Review

Bugzilla

[WASM] Segmentation fault: unknown type hierarchy in cast

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Tracking

()

People

(Reporter: cz18811105578, Assigned: bvisness)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Updated

Comment 4

Comment 5

Comment 6

Comment 7

Updated

Updated

Comment 8

Comment 9

Attachment

General

Description

File Name

Content Type