Closed Bug 1906765 Opened 8 months ago Closed 1 month ago

Crash when using wasmDis on an imported function

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox128 --- unaffected
firefox129 --- wontfix
firefox130 --- wontfix
firefox134 --- wontfix
firefox135 --- wontfix
firefox136 --- fixed

People

(Reporter: gkw, Assigned: rhunt)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug shell stack
var x = wasmTextToBinary('\
  (func $yyy (import "m" "yyy")(param i32)(result f64))\
  (memory 1)\
  (func $zz (export "f")\
    (param i32)(param i32)(param i32)(param i32)(param i32)(param i32)(param i32)\
    (result i32)(local.get 1)\
  )\
  (func $xx (param i32)(result i32)(i32.const 1))\
');
x[59] = 0;
wasmDis(
  new WebAssembly.Instance(new WebAssembly.Module(x), {
    m: {
      yyy: function () {},
    },
  }).exports.f
);
(gdb) bt
#0  js::wasm::CodeBlock::tier (this=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/wasm/WasmCode.h:434
#1  js::wasm::Code::funcHasTier (this=<optimized out>, funcIndex=0, tier=js::wasm::Tier::Optimized) at /home/ubu32gx500/trees/mozilla-central/js/src/wasm/WasmCode.h:889
#2  WasmDisassembleFunction (cx=0x7ffff7636100, asString=false, rval=..., func=..., tierSelection=...) at /home/ubu32gx500/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:1925
#3  WasmDisassemble (cx=cx@entry=0x7ffff7636100, argc=<optimized out>, vp=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/builtin/TestingFunctions.cpp:2030
#4  0x00005555572c9b95 in CallJSNative (cx=cx@entry=0x7ffff7636100, native=0x555557898f30 <WasmDisassemble(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:491
#5  0x00005555572a1ab2 in js::InternalCallOrConstruct (cx=0x7ffff7636100, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/Interpreter.cpp:585
/snip
Due to skipped revisions, the first bad revision could be any of:
changeset:   https://hg.mozilla.org/mozilla-central/rev/19c4b619cb0d
user:        Ryan Hunt
date:        Mon Jul 01 16:36:02 2024 +0000
summary:     Bug 1898153 - wasm: Have only one LazyStubTier and put it on Code. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/94b66174cb5f
user:        Ryan Hunt
date:        Mon Jul 01 16:36:03 2024 +0000
summary:     Bug 1898153 - wasm: Merge MetadataTier into CodeTier. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/bb38a0de22c1
user:        Ryan Hunt
date:        Mon Jul 01 16:36:03 2024 +0000
summary:     Bug 1898153 - wasm: Rename CodeTier to CodeBlock. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/5898ecc3f282
user:        Ryan Hunt
date:        Mon Jul 01 16:36:04 2024 +0000
summary:     Bug 1898153 - wasm: Make CodeSegment ref-counted instead of unique ownership. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/e54a28c570c6
user:        Ryan Hunt
date:        Mon Jul 01 16:36:04 2024 +0000
summary:     Bug 1898153 - wasm: Have CodeBlock reference any kind of CodeSegment. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/4e2ed3c03b44
user:        Ryan Hunt
date:        Mon Jul 01 16:36:07 2024 +0000
summary:     Bug 1898153 - wasm: Create CodeBlock for tracking CodeRange's of new lazy stubs. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/35cf07d63c5e
user:        Ryan Hunt
date:        Mon Jul 01 16:36:07 2024 +0000
summary:     Bug 1898153 - wasm: Use CodeBlock for LazyFuncExport information, instead of LazyStubSegment. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/cdf90f731b5c
user:        Ryan Hunt
date:        Mon Jul 01 16:36:07 2024 +0000
summary:     Bug 1898153 - wasm: Track CodeBlock in process global map, instead of CodeSegment. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/6f488caf8db3
user:        Ryan Hunt
date:        Mon Jul 01 16:36:08 2024 +0000
summary:     Bug 1898153 - wasm: Merge ModuleSegment and LazyStubSegment. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/3dcc782b8bfe
user:        Ryan Hunt
date:        Mon Jul 01 16:36:08 2024 +0000
summary:     Bug 1898153 - wasm: Flatten LazyStubTier into Code, and simplify. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/ecf9a3197b5b
user:        Ryan Hunt
date:        Mon Jul 01 16:36:09 2024 +0000
summary:     Bug 1898153 - wasm: Rework initialization of Code and store tier blocks in vector. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/ff8cad43732b
user:        Ryan Hunt
date:        Mon Jul 01 16:36:10 2024 +0000
summary:     Bug 1898153 - wasm: Use ThreadSafeCodeBlockMap for PC-based metadata lookups. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/87d34d2a98bb
user:        Ryan Hunt
date:        Mon Jul 01 16:36:10 2024 +0000
summary:     Bug 1898153 - wasm: Refactor CodeBlock::funcToCodeRange_ to be abstract. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/e36dc8935bc0
user:        Ryan Hunt
date:        Mon Jul 01 16:36:11 2024 +0000
summary:     Bug 1898153 - wasm: Refactor ModuleGenerator for supporting multiple code blocks. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/072f3c8e0d5c
user:        Ryan Hunt
date:        Mon Jul 01 16:36:11 2024 +0000
summary:     Bug 1898153 - wasm: Generate all tier-independent stubs together in ModuleGenerator. r=jseward

changeset:   https://hg.mozilla.org/mozilla-central/rev/4704a988a3c4
user:        Ryan Hunt
date:        Mon Jul 01 16:36:12 2024 +0000
summary:     Bug 1898153 - wasm: Generate tier-shared stubs in separate CodeBlock. r=jseward

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 162448b8b7cd.

Setting s-s to be safe, though this may be testing-specific. Ryan, is bug 1898153 a likely regressor?

Flags: sec-bounty?
Flags: needinfo?(rhunt)
Group: core-security → javascript-core-security

Set release status flags based on info from the regressing bug 1898153

Yes, this is testing-only code (wasmDis) and bug 1898153 is the regressor.

Severity: -- → S3
Flags: needinfo?(rhunt)
Priority: -- → P3
Group: javascript-core-security

:jseward, since you are the author of the regressor, bug 1898153, could you take a look?


Flags: needinfo?(jseward)
Flags: sec-bounty? → sec-bounty-

Smaller test case:

var x = wasmTextToBinary(`(module
  (func $yyy (import "" "f"))
  (export "f" (func $yyy))
)`);

wasmDis(
  new WebAssembly.Instance(new WebAssembly.Module(x), {
    "": {
      f: function () {},
    },
  }).exports.f
);

Fails because wasmDis is trying to disassemble an imported function.

Note that bug 1915860 shifted wasmDis into fuzzing-unsafe-ness code.

Flags: needinfo?(jseward)
Summary: MOZ_CRASH at WasmCode.h → Crash when using wasmDis on an imported function
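The diagnosis above comes down to an index-space fact: imported functions occupy the lowest function indices of a module (hence funcIndex=0 in the stack) but carry no compiled wasm body in any tier, so a tier lookup on one has nothing to answer. The following C++ is an added model of that failure and of the guard a disassembly entry point needs; it is not SpiderMonkey code, and ModuleCode, definedTiers and disassembleFunction are hypothetical names.

```cpp
// Added model (not SpiderMonkey's code) of why a tier lookup on an imported
// function fails and how the entry point should reject it first.
#include <cassert>
#include <cstdint>
#include <string>
#include <vector>

enum class Tier { Baseline, Optimized };

// Stand-in for a module's code metadata (hypothetical names).
struct ModuleCode {
  uint32_t numFuncImports;                     // imports come first in the index space
  std::vector<std::vector<Tier>> definedTiers; // tiers compiled per *defined* function

  // Mirrors the failing query in the stack: only meaningful for defined functions.
  bool funcHasTier(uint32_t funcIndex, Tier tier) const {
    assert(funcIndex >= numFuncImports && "imported functions have no code tier");
    const auto& tiers = definedTiers[funcIndex - numFuncImports];
    for (Tier t : tiers) {
      if (t == tier) return true;
    }
    return false;
  }
};

// Hardened entry point: validate the index and reject imports before any
// tier lookup, reporting the reason instead of crashing.
bool disassembleFunction(const ModuleCode& code, uint32_t funcIndex, Tier tier,
                         std::string* err) {
  if (funcIndex >= code.numFuncImports + code.definedTiers.size()) {
    *err = "function index out of range";
    return false;
  }
  if (funcIndex < code.numFuncImports) {
    *err = "function is an import; it has no wasm code to disassemble";
    return false;
  }
  if (!code.funcHasTier(funcIndex, tier)) {
    *err = "function not compiled at the requested tier";
    return false;
  }
  return true; // a real implementation would now disassemble the tier's code range
}
```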
Assignee: nobody → rhunt
Status: NEW → ASSIGNED
Pushed by rhunt@eqrion.net: https://hg.mozilla.org/integration/autoland/rev/a306e482f643 wasm: Fix wasmDis for imported function. r=yury
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Flags: in-testsuite+
