1939744 - wasm: missing `ReportOutOfMemory(cx)` call in Module::instantiateMemories

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect, P3)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

oomTest(function () {
  new WebAssembly.Instance(
    new WebAssembly.Module(wasmTextToBinary("(memory i64 0)")),
  );
});

(gdb) bt
#0  AssertExceptionResult (cx=0x7ffff6936200) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:439
#1  CallJSNative (cx=cx@entry=0x7ffff6936200, native=native@entry=0x5555587bbe10 <js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*)>,
    reason=reason@entry=js::CallReason::Call, args=...) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:537
#2  0x00005555572f56ad in CallJSNativeConstructor (cx=cx@entry=0x7ffff6936200,
    native=0x5555587bbe10 <js::WasmInstanceObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:550
#3  0x00005555572c5580 in InternalConstruct (cx=0x7ffff6936200, args=..., reason=js::CallReason::Call)
    at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:756
#4  0x00005555572c4f6d in js::ConstructFromStack (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff6936200, args=..., reason=4154570531,
    reason@entry=js::CallReason::Call) at /home/i32g7900a/trees/mozilla-central/js/src/vm/Interpreter.cpp:803
#5  0x0000555557f011d9 in js::jit::DoCallFallback (cx=0x7ffff6936200, frame=0x7fffffffc2b8, stub=0x7ffff5ec9318, argc=1, vp=0x7fffffffc258, res=...)
    at /home/i32g7900a/trees/mozilla-central/js/src/jit/BaselineIC.cpp:1682
#6  0x000034a9d7eb8e0f in ?? ()

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/51e1654a1144
user:        Julian Seward
date:        Wed Oct 23 13:33:00 2024 +0000
summary:     Bug 1921216 - wasm speculative inlining: track multiple targets per call-ref callsite.  r=rhunt.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion --cache-ir-stubs=off, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 27f9f8e7311a.

Setting s-s just in case. Julian, is bug 1921216 a likely regressor?

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1921216

Comment 2

[Julian Seward [:jseward]]

In Module::instantiateMemories, we append a WasmMemoryObject* to a vector
thereof, and propagate failure of the append, but we don't do
ReportOutOfMemory(cx) in case of failure.

I think this should be declassified. There's an OOM, we handle it correctly;
the only deficiency is that the OOM is not reported to the JSContext.

Comment 3

[Jan de Mooij [:jandem]]

I agree that's not security sensitive.

Comment 4

[Julian Seward [:jseward]]

Attachment: Bug 1939744 - wasm: missing `ReportOutOfMemory(cx)` call in Module::instantiateMemories. r=rhunt.

In Module::instantiateMemories, we append a WasmMemoryObject* to a vector
thereof, and propagate failure of the append, but we don't do
ReportOutOfMemory(cx) in case of failure.

Comment 5

[Pulsebot]

Pushed by jseward@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c903c46600c1
wasm: missing `ReportOutOfMemory(cx)` call in Module::instantiateMemories.  r=bvisness.

Comment 6

[Serban Stanca [:SerbanS]]

https://hg.mozilla.org/mozilla-central/rev/c903c46600c1