Open Bug 1915254 Opened 5 months ago Updated 11 days ago

JS exception is not caught in Wasm if it is going through other realm

Categories: (Core :: JavaScript: WebAssembly, defect, P3)

People: (Reporter: yury, Unassigned, NeedInfo)

Attachments: (1 file)
Fuzz signature has "line 774 > Function:38:7 Error: exn1"

function wasmEvalText(t, imp, b) {
  var wasm = wasmTextToBinary(t)
  var mod = new WebAssembly.Module(wasm, b);
  var ins = new WebAssembly.Instance(mod, imp);
  return ins;
}

function f0() {
  throw new Error();
}

const s3 = newGlobal();
s3.eval("function f3() {\n f2();}\n");
const f3 = s3.f3;
// Works with: function f3() { f2(); }


const ins = wasmEvalText(`(module
  (import "" "f0" (func $f0))
  (import "" "f3" (func $f3))
  (import "" "tag" (tag $tagJS (param externref)))
  (func (export "f")
  block (result externref)
    try_table (catch $tagJS 0)
      call $f3
      unreachable
    end
    unreachable
  end
  drop
  )

  (func (export "f2")
  call $f0
  )
)`, {"": { f0, f3, tag: WebAssembly.JSTag, }});
s3.f2 = ins.exports.f2;

ins.exports.f();

I think this is because the exception's tag (from WasmExceptionObject::wrapJSValue) is the WebAssembly.JSTag object from the realm we're in when we enter wasm::HandleExceptionWasm.

If I change the test to use tag: s3.WebAssembly.JSTag instead of tag: WebAssembly.JSTag the exception is caught.

I don't know what the spec says about JS exception wrapping and in which realm this should happen.

> If I change the test to use tag: s3.WebAssembly.JSTag instead of tag: WebAssembly.JSTag the exception is caught.

The problem is that s3 does not do any (re)throwing; it is just a frame. The throwing is happening in the same realm where the wasm instance is created.

Flags: needinfo?(rhunt)
Attached file http_test.zip

Verified in browsers: Chrome behaves as expected, FF fails to intercept the exception.

I looked into this a bit today. V8 doesn't wrap JS exceptions in a Wasm Exception object - they optimize this at the catch-site. Some discussion on this here:

Anyway this can wait until Ryan is back in case we want to do more work here.

(The simplest fix is probably to do the exception-wrapping in the realm of the instance that catches the exception.)

Severity: -- → S3
Priority: -- → P3
See Also: → 1939970
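
A small model of the tag-identity explanation discussed in this thread, added here as an illustration; it is not SpiderMonkey code and not from the bug. `Realm`, `tryTableCatches` and `runScenario` are hypothetical names, `wrapJSValue` only borrows its name from the comment above, and the model assumes a catch clause matches on tag object identity.

```javascript
// Model only: each realm owns its own JSTag object, the way each real
// realm has its own WebAssembly.JSTag.
class Realm {
  constructor(name) {
    this.name = name;
    this.JSTag = Object.freeze({ realm: name }); // stand-in for WebAssembly.JSTag
  }
}

// Stand-in for wrapping a thrown JS value into a wasm exception with a tag.
function wrapJSValue(value, realm) {
  return { tag: realm.JSTag, payload: value };
}

// Models `try_table (catch $tagJS 0)`: the clause matches by tag identity.
function tryTableCatches(wrapped, importedTag) {
  return wrapped.tag === importedTag;
}

// policy "entered": wrap in the realm that is current when the exception
//                   reaches wasm exception handling (the thread's hypothesis).
// policy "catcher": wrap in the realm of the instance that catches
//                   (the fix suggested in the thread).
function runScenario({ importedTag, enteredRealm, catcherRealm, policy }) {
  const thrown = new Error("thrown by f0");
  const wrapRealm = policy === "catcher" ? catcherRealm : enteredRealm;
  return tryTableCatches(wrapJSValue(thrown, wrapRealm), importedTag);
}

const main = new Realm("main"); // realm that creates the wasm instance
const s3 = new Realm("s3");     // newGlobal() realm, contributes only the f3 frame

const results = {
  // Test as reported: instance imports the main realm's JSTag.
  reported: runScenario({
    importedTag: main.JSTag, enteredRealm: s3, catcherRealm: main, policy: "entered" }),
  // Variation from the thread: import s3.WebAssembly.JSTag instead.
  s3TagImported: runScenario({
    importedTag: s3.JSTag, enteredRealm: s3, catcherRealm: main, policy: "entered" }),
  // Suggested fix: wrap in the catching instance's realm.
  wrapInCatcherRealm: runScenario({
    importedTag: main.JSTag, enteredRealm: s3, catcherRealm: main, policy: "catcher" }),
};

console.log(results);
```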