Closed
Bug 1900526
Opened 1 month ago
Closed 1 month ago
Assertion failure: newPages <= wasm::MaxMemoryPages(t) && newPages.byteLength() < ArrayBufferObject::ByteLengthLimit, at vm/ArrayBufferObject.cpp:1678
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Core
JavaScript: WebAssembly
Tracking
()
RESOLVED
FIXED
128 Branch
| Tracking | Status | |
|---|---|---|
| firefox128 | --- | fixed |
People
(Reporter: nils.bars, Assigned: jandem)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files)
Steps to reproduce:
Steps to reproduce:
Checkout commit d9496bfef09039b2642da45585ca821c36917c6d and invoke the js shell as follows:
./js-spidermonkey-shell --fast-warmup --fuzzing-safe new_pages_le_max_memory.js
Actual results:
Assertion failure: newPages <= wasm::MaxMemoryPages(t) && newPages.byteLength() < ArrayBufferObject::ByteLengthLimit, at vm/ArrayBufferObject.cpp:1678
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
|
Assignee | |
Comment 1•1 month ago
|
||
More reduced test case:
const m = new WebAssembly.Memory({initial: 65536, index: "i64"});
m.grow(65536);
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → JavaScript: WebAssembly
Ever confirmed: true
|
||
Updated•1 month ago
|
Group: core-security → javascript-core-security
|
||
Updated•1 month ago
|
Severity: -- → S3
Priority: -- → P1
|
||
Comment 2•1 month ago
|
||
jandem: this is the only assert that is "less than" ArrayBufferObject::ByteLengthLimit -- all the other places in the file assert "less than or equals". Is this just a wrong assert or is there really a security bug here?
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 3•1 month ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2)
jandem: this is the only assert that is "less than" ArrayBufferObject::ByteLengthLimit -- all the other places in the file assert "less than or equals". Is this just a wrong assert or is there really a security bug here?
Good point! The assertion no longer fails if I change it to use <= instead of <.
Flags: needinfo?(jdemooij) → needinfo?(rhunt)
|
|
Assignee | |
Updated•1 month ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(rhunt)
|
|
Assignee | |
Comment 4•1 month ago
|
||
|
|
Assignee | |
Comment 5•1 month ago
|
||
Opening this up because Ryan and I don't see any other issues here.
Group: javascript-core-security
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/aed45d6328cd Fix assertion in ArrayBufferObject::wasmMovingGrowToPages. r=rhunt
|
||
Comment 7•1 month ago
|
||
Backed out for causing SM bustages related to bug1900526.js.
[task 2024-06-06T15:10:23.912Z] TEST-PASS | js\src\jit-test\tests\wasm\memory64\bug1900526.js | Success (code 0, args "") [0.2 s]
[task 2024-06-06T15:10:23.960Z] D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:23.960Z]
[task 2024-06-06T15:10:23.960Z] Stack:
[task 2024-06-06T15:10:23.960Z]
[task 2024-06-06T15:10:23.960Z] @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:23.960Z]
[task 2024-06-06T15:10:23.960Z] Exit code: 3
[task 2024-06-06T15:10:23.960Z] FAIL - wasm\memory64\bug1900526.js
[task 2024-06-06T15:10:23.960Z] TEST-UNEXPECTED-FAIL | js\src\jit-test\tests\wasm\memory64\bug1900526.js | D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory (code 3, args "--blinterp-eager") [0.0 s]
[task 2024-06-06T15:10:23.961Z] INFO exit-status : 3
[task 2024-06-06T15:10:23.961Z] INFO timed-out : False
[task 2024-06-06T15:10:23.961Z] INFO stderr 2> D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:23.961Z] INFO stderr 2> Stack:
[task 2024-06-06T15:10:23.961Z] INFO stderr 2> @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:23.971Z] D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:23.971Z]
[task 2024-06-06T15:10:23.971Z] Stack:
[task 2024-06-06T15:10:23.971Z]
[task 2024-06-06T15:10:23.971Z] @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:23.971Z]
[task 2024-06-06T15:10:23.971Z] Exit code: 3
[task 2024-06-06T15:10:23.972Z] FAIL - wasm\memory64\bug1900526.js
[task 2024-06-06T15:10:23.973Z] TEST-UNEXPECTED-FAIL | js\src\jit-test\tests\wasm\memory64\bug1900526.js | D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory (code 3, args "--ion-eager --ion-offthread-compile=off --more-compartments") [0.2 s]
[task 2024-06-06T15:10:23.973Z] INFO exit-status : 3
[task 2024-06-06T15:10:23.973Z] INFO timed-out : False
[task 2024-06-06T15:10:23.973Z] INFO stderr 2> D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:23.973Z] INFO stderr 2> Stack:
[task 2024-06-06T15:10:23.973Z] INFO stderr 2> @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:23.991Z] TEST-PASS | js\src\jit-test\tests\wasm\memory64\bug1900526.js | Success (code 0, args "--baseline-eager --write-protect-code=off") [0.2 s]
[task 2024-06-06T15:10:23.998Z] TEST-PASS | js\src\jit-test\tests\wasm\memory64\bug1900526.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.2 s]
[task 2024-06-06T15:10:24.037Z] D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:24.037Z]
[task 2024-06-06T15:10:24.037Z] Stack:
[task 2024-06-06T15:10:24.037Z]
[task 2024-06-06T15:10:24.037Z] @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:24.037Z]
[task 2024-06-06T15:10:24.037Z] Exit code: 3
[task 2024-06-06T15:10:24.037Z] FAIL - wasm\memory64\bug1900526.js
[task 2024-06-06T15:10:24.037Z] TEST-UNEXPECTED-FAIL | js\src\jit-test\tests\wasm\memory64\bug1900526.js | D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory (code 3, args "--setpref=wasm_test_serialization=true") [0.0 s]
[task 2024-06-06T15:10:24.042Z] INFO exit-status : 3
[task 2024-06-06T15:10:24.042Z] INFO timed-out : False
[task 2024-06-06T15:10:24.042Z] INFO stderr 2> D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:24.042Z] INFO stderr 2> Stack:
[task 2024-06-06T15:10:24.042Z] INFO stderr 2> @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:24.085Z] D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:24.085Z]
[task 2024-06-06T15:10:24.085Z] Stack:
[task 2024-06-06T15:10:24.085Z]
[task 2024-06-06T15:10:24.085Z] @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:24.085Z]
[task 2024-06-06T15:10:24.085Z] Exit code: 3
[task 2024-06-06T15:10:24.085Z] FAIL - wasm\memory64\bug1900526.js
[task 2024-06-06T15:10:24.085Z] TEST-UNEXPECTED-FAIL | js\src\jit-test\tests\wasm\memory64\bug1900526.js | D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory (code 3, args "--test-wasm-await-tier2") [0.0 s]
[task 2024-06-06T15:10:24.085Z] INFO exit-status : 3
[task 2024-06-06T15:10:24.085Z] INFO timed-out : False
[task 2024-06-06T15:10:24.087Z] INFO stderr 2> D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3 RangeError: failed to grow memory
[task 2024-06-06T15:10:24.087Z] INFO stderr 2> Stack:
[task 2024-06-06T15:10:24.087Z] INFO stderr 2> @D:\task_171768317240599\src\js\src\jit-test\tests\wasm\memory64\bug1900526.js:5:3
[task 2024-06-06T15:10:24.101Z] TEST-PASS | js\src\jit-test\tests\wasm\memory64\basic.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.8 s]
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 8•1 month ago
|
||
The new test fails intermittently on Win64, probably due to OOM. Will fix.
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e6bc7bd1cea3 Fix assertion in ArrayBufferObject::wasmMovingGrowToPages. r=rhunt
|
|
Assignee | |
Updated•1 month ago
|
Flags: needinfo?(jdemooij)
|
||
Comment 10•1 month ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
status-firefox128:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•