Closed Bug 1900740 Opened 4 months ago Closed 4 months ago

Assertion failure: state == Type2State<T>::result, at dist/include/mozilla/MaybeOneOf.h:60

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Tracking

RESOLVED FIXED
128 Branch
Tracking Status
firefox128 --- fixed

People

(Reporter: nils.bars, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Attached file type2state.js

Steps to reproduce:

Checkout commit d9496bfef09039b2642da45585ca821c36917c6d and invoke the js shell as follows:

./js-spidermonkey-shell --fast-warmup --fuzzing-safe frameptr_has_cached_saved_frame.js

Actual results:

Assertion failure: state == Type2State<T>::result, at dist/include/mozilla/MaybeOneOf.h:60
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security

Problem with Wasm debugger support.

// Imported JS function: called from inside the Wasm frame of "test".
// It attaches a Debugger to this global and asks for the bytecode offset of
// the frame older than its own, i.e. the Wasm frame that called it.
function c() {
    var dbg = newGlobal({newCompartment: true}).Debugger(this);
    dbg.getNewestFrame().older.offset;
}
// Builds a module whose exported "test" function just calls the import $f,
// instantiates it with c as the import, and calls the export twice.
function b() {
    var bin = wasmTextToBinary(`(module(import "m" "f" (func $f))(func (export "test")call $f))`);
    var mod = new WebAssembly.Module(bin);
    var inst = new WebAssembly.Instance(mod, {m: {f: c}});
    inst.exports.test();
    inst.exports.test();
}
// Repeat so the JIT tiers kick in under --fast-warmup.
for (var i = 0; i < 5; i++) {
    b();
}
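The reproducer above depends on SpiderMonkey shell builtins (newGlobal, wasmTextToBinary, Debugger). The following is an added example, not code from the bug report or from SpiderMonkey, that rebuilds the same JS -> Wasm -> JS call chain for a plain WebAssembly host such as Node: the module is hand-encoded as bytes, and the imported function records Error.stack as a stand-in for Debugger.Frame.older.offset. The names MODULE_BYTES, runRepro and importCallCount are this example's own.

```javascript
// Added example (not from the bug report): the reproducer's call chain on a
// plain WebAssembly host. Binary encoding of
//   (module (import "m" "f" (func $f)) (func (export "test") call $f))
// Imported functions come first in the index space, so the defined function
// is index 1 and the exported "test" refers to it.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,            // magic + version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                        // type section: one type () -> ()
  0x02, 0x07, 0x01, 0x01, 0x6d, 0x01, 0x66, 0x00, 0x00,      // import section: "m"."f" func, type 0
  0x03, 0x02, 0x01, 0x00,                                    // function section: one func, type 0
  0x07, 0x08, 0x01, 0x04, 0x74, 0x65, 0x73, 0x74, 0x00, 0x01,// export section: "test" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,            // code section: no locals; call 0; end
]);

// Runs b() `iterations` times, as the reproducer does, and returns the stack
// captured on every entry into the imported JS function.
function runRepro(iterations = 5) {
  const stacks = [];

  // Analogue of c() in the report: the frame immediately older than this one
  // is the Wasm frame of "test", which is what the Debugger API was asked to
  // report an offset for. Here we just capture the host's rendering of it.
  function c() {
    stacks.push(new Error('probe').stack);
  }

  // Analogue of b(): instantiate with c as the import and call the export twice.
  function b() {
    const mod = new WebAssembly.Module(MODULE_BYTES);
    const inst = new WebAssembly.Instance(mod, { m: { f: c } });
    inst.exports.test();
    inst.exports.test();
  }

  for (let i = 0; i < iterations; i++) b();
  return stacks;
}

// Number of times Wasm called back into JS: two per iteration.
function importCallCount(iterations = 5) {
  return runRepro(iterations).length;
}

// Whether the host shows a Wasm frame between c and b in every captured stack.
// V8 renders such frames with a wasm:// URL; other hosts may differ.
function wasmFrameVisible(iterations = 1) {
  return runRepro(iterations).every((s) => /wasm/.test(s));
}

console.log(`import called ${importCallCount()} times; wasm frame visible: ${wasmFrameVisible()}`);
```

Reading the captured stacks shows the frame ordering the fix is about: walking older from c's JS frame lands on the Wasm frame of "test", and any frame iteration that updates a Wasm bytecode offset has to step over the JS frame first, which is what the landed commit ("Skip non-Wasm frames in FrameIter::wasmUpdateBytecodeOffset") does.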
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → JavaScript: WebAssembly
Ever confirmed: true
Group: javascript-core-security
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8669629f6d9e Skip non-Wasm frames in FrameIter::wasmUpdateBytecodeOffset. r=yury
Severity: -- → S3
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch
Blocks: 1903968