Closed Bug 1928993 Opened 4 months ago Closed 4 months ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at js/src/vm/Interpreter.cpp:440 with wasmGcReadField

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
134 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox132 --- unaffected
firefox133 --- wontfix
firefox134 --- verified

People

(Reporter: decoder, Assigned: jpages)

References

(Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20241031-2cc133b3c099 (build with debug, run with --fuzzing-safe --ion-offthread-compile=off).

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    #0  0x00005555570305d2 in AssertExceptionResult(JSContext*) ()
    #1  0x000055555703154f in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
    [...]
    #11 0x0000555556e9e36c in Shell(JSContext*, js::cli::OptionParser*) ()
    #12 0x0000555556e951ab in main ()
    rip	0x5555570305d2 <AssertExceptionResult(JSContext*)+178>
    => 0x5555570305d2 <_ZL21AssertExceptionResultP9JSContext+178>:	movl   $0x1b8,0x0
       0x5555570305dd <_ZL21AssertExceptionResultP9JSContext+189>:	callq  0x555556f321b0 <abort>

I assume the issue is related to the wasmGcReadField shell function.

Attached file Testcase
Assignee: nobody → jpages

Verified bug as reproducible on mozilla-central 20241104092716-b26d51f8c917.
The bug appears to have been introduced in the following build range:

Start: e6d82561e0e85b9cb2903773aacd419fee06e8de (20241001104756)
End: 5b88a129bf3443262fdc6d35aef6c522a6dc1eed (20241001124047)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e6d82561e0e85b9cb2903773aacd419fee06e8de&tochange=5b88a129bf3443262fdc6d35aef6c522a6dc1eed

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][bugmon:bisected,confirmed]

Based on comment #3, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jpages, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Flags: needinfo?(jpages)
Severity: -- → S3
Priority: -- → P2
Flags: needinfo?(jpages)
Regressed by: 1921780

Set release status flags based on info from the regressing bug 1921780

Hey Julien, I am the REO for Fx133 and I am checking in because this bug is marked affecting Fx133. Are you planning on fixing and uplifting? If so, please remember that the last day for Beta uplifts is Nov 15th. Thank you!

Hi, thanks for the information.

However, this bug is related to wasmGcReadField which is used only for testing. Because of that, it's not worth uplifting this to Beta.
I'm planning to fix it though and I'm currently working on a fix.

WasmGcReadField calls loadValue which will call lookUpProperty.
When accessing a wasm array, the error reporting for an out of
bounds access was missing. This was triggering an assertion in
wasmGcReadField.
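
A simplified C++ model of the contract behind the assertion in this bug, added here as an illustration and not taken from SpiderMonkey or the landed patch: a native that returns false must leave an exception pending. `Context`, `readElementSilent`, `readElementReported` and `callNative` are hypothetical stand-ins, and the array contents are constructed sample data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Simplified stand-in for JSContext: tracks only whether an exception is pending.
struct Context {
    bool pending = false;
    std::string message;
    void reportError(const std::string& msg) { pending = true; message = msg; }
};

using Native = bool (*)(Context&, const std::vector<int32_t>&, size_t, int32_t*);

// "Before" shape: the out-of-bounds path fails without reporting anything.
bool readElementSilent(Context&, const std::vector<int32_t>& arr, size_t i, int32_t* out) {
    if (i >= arr.size()) return false;
    *out = arr[i];
    return true;
}

// "After" shape: the failure path sets a pending exception before returning false.
bool readElementReported(Context& cx, const std::vector<int32_t>& arr, size_t i, int32_t* out) {
    if (i >= arr.size()) {
        cx.reportError("array index out of bounds");
        return false;
    }
    *out = arr[i];
    return true;
}

enum class CallResult { Ok, Threw, ContractViolation };

// Models the caller-side check: a false return must come with a pending exception.
CallResult callNative(Context& cx, Native fn, const std::vector<int32_t>& arr, size_t i, int32_t* out) {
    if (fn(cx, arr, i, out)) return CallResult::Ok;
    return cx.pending ? CallResult::Threw : CallResult::ContractViolation;
}

int main() {
    const std::vector<int32_t> arr = {10, 20, 30};  // constructed sample array
    int32_t v = 0;
    Context a, b;
    bool bad = callNative(a, readElementSilent, arr, 7, &v) == CallResult::ContractViolation;
    bool good = callNative(b, readElementReported, arr, 7, &v) == CallResult::Threw;
    std::printf("silent failure flagged: %d, reported failure ok: %d\n", bad, good);
    return (bad && good) ? 0 : 1;
}
```
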

Pushed by jpages@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/45729be3609e Fix an assertion failure with wasmGcReadField. r=rhunt
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Verified bug as fixed on rev mozilla-central 20241107212807-785541f0311a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon