Closed Bug 1891485 Opened 5 months ago Closed 5 months ago

Differential error: RuntimeError: too many array elements

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
127 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox125 --- wontfix
firefox126 --- wontfix
firefox127 --- fixed

People

(Reporter: decoder, Assigned: bvisness)

References

(Regression)

Details

(Keywords: regression, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(3 files)

The attached testcase shows differential behavior on mozilla-central revision 20240413-4a07e55947ef (build with fuzzing-asan-opt, run with --no-threads --wasm-compiler=baseline).

I made the testcase crash based on the last exception seen which differs when running with --wasm-compiler=baseline vs. --wasm-compiler=optimizing.

Attached file Testcase

The two runtime errors here are of different categories. The unreachable executed is the result of an unreachable instruction; the too many array elements is an implementation limit and not required by the spec.

The reduced test case is simply:

  (type $a (array (mut i8)))
  (func (export "test")
    i32.const -1
    array.new_default $a
    unreachable
  )

Ion is optimizing away the array.new_default entirely, preventing us from triggering the implementation limit. Although this is an observable difference in behavior between the two compilers, it's one we're ok with. Which implementation limits may be triggered in which order is not something worth making deterministic.

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → WONTFIX

We have no way of ignoring this difference, the usual contract is to try and make it deterministic when --differential-testing is set. Otherwise, we would have to stop all differential testing.

Status: RESOLVED → REOPENED
Flags: needinfo?(bvisness)
Resolution: WONTFIX → ---

Sorry, I didn't realize how we usually handle this sort of thing in differential testing. Iain pointed me to this similar example in JS; we can add something similar to these messages to give you the clue you need to ignore these differences.

Flags: needinfo?(bvisness)

No worries.

The message you pointed to is a last resort thing that works for the JS fuzzers but it wouldn't work in this scenario without some modifications.

I assume it isn't possible to fix up the situation (make the behavior deterministic)? If that's the case, then we need some way to determine from JS if we are in this situation (e.g. a shell function isWasmDifferentialTestingTainted returning a bool) something like this I could use from within the fuzzer (that is running inside the JS shell) to check if we should throw away the result and continue.

Problem for the fuzzing infrastructure, but not a user security issue.

Group: javascript-core-security

Unable to reproduce bug 1891485 using build mozilla-central 20240413085157-4a07e55947ef. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: -- → S3
Priority: -- → P2
Assignee: nobody → bvisness

For the record, Yury asked about this behavior on the wasm design repo (https://github.com/WebAssembly/gc/issues/540) and the consensus was that the spec indeed does not require this particular trap to be observable.

Pushed by bvisness@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f47e86c86c23
Make wasm gc allocations deterministic for differential fuzzing. r=yury
Status: REOPENED → RESOLVED
Closed: 5 months ago5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch

The patch landed in nightly and beta is affected.
:bvisness, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox126 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(bvisness)
Flags: needinfo?(bvisness)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: