Assertion failure: cx->realm()->creationOptions().getSharedMemoryAndAtomicsEnabled(), at src/js/src/shell/js.cpp:8047
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox137 | --- | fixed |
People
(Reporter: sm-bugs, Assigned: rhunt)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external)
Attachments
(1 file)
Steps to reproduce:
Version: 4f2372638478a8b66ba467867d764ad6cdb16a5d
Args: --fuzzing-safe --shared-memory=off <test-case>
Test case:
try {
  a = wasmTextToBinary(`(module)`)
  b = WebAssembly.Module
  c = new b(a)
  setSharedArrayBuffer(c)
  getSharedObject()
} catch {
}
Actual results:
Assertion failure: cx->realm()->creationOptions().getSharedMemoryAndAtomicsEnabled(), at src/js/src/shell/js.cpp:8047
#0 0x559fe6bd7640 in GetSharedObject(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:8046:9
#1 0x559fe6ca7fae in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:532:13
#2 0x559fe6ca727c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:628:12
#3 0x559fe6cc0db4 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:700:10
#4 0x559fe6cc0db4 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3338:16
#5 0x559fe6ca60d9 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:502:13
#6 0x559fe6cab5e1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:893:13
#7 0x559fe6cabdec in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:926:10
#8 0x559fe6ea3a49 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:601:10
#9 0x559fe6ea3cc7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:625:10
#10 0x559fe6c03199 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1326:10
#11 0x559fe6c022a0 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp
#12 0x559fe6bbc371 in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:11793:10
#13 0x559fe6bbc371 in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:12061:12
#14 0x559fe6bb2e0d in main js/src/shell/js.cpp:12487:12
#15 0x7f1e8f73d3b7 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7f1e8f73d47a in __libc_start_main csu/../csu/libc-start.c:360:3
#17 0x559fe6b79dc8 in _start (reproducebuild/dist/bin/js+0x1c59dc8) (BuildId: d25b0a0cd5451c944e4f8e945b2c5fbf)
Comment 1•1 month ago
Because wasm, randomly choosing Ben to take a peek
Comment 2•1 month ago
I peeked at this yesterday and the assertion for MailboxTag::WasmModule in the getSharedObject shell function here might just be invalid? I think that assertion makes sense for the SAB case and not for this one?
Assignee
Comment 3•26 days ago
Yeah this shell function is just broken. This is not security sensitive because it's just in our shell testing code.
Assignee
Comment 4•26 days ago
The shell has some builtins to emulate post message for testing.
The WasmModule support for this copy-pasted an assertion from
the SAB sharing code that is not relevant. It's possible to
share a wasm module across threads without shared memory.
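The distinction drawn in comments 2 and 4, as an added example that is not part of the bug thread and is not SpiderMonkey's shell code: a simplified C++ model of a tagged mailbox where the shared-memory precondition is checked per tag instead of on every retrieval. Only the name MailboxTag::WasmModule comes from the page; the other types, tags, fields and the error-return style are assumptions.

```cpp
#include <iostream>
#include <string>

// Simplified model; only the name MailboxTag::WasmModule comes from the bug.
// Realm, Mailbox, GetResult and the other tags are hypothetical.
enum class MailboxTag { Empty, SharedArrayBuffer, WasmModule };
enum class GetResult { Ok, Empty, SharedMemoryDisabled };

struct Realm {
    bool sharedMemoryEnabled;  // models --shared-memory=on / off
};

struct Mailbox {
    MailboxTag tag;
    std::string payload;  // stands in for the buffer or the compiled module
};

// Each tag carries its own precondition. The shared-memory requirement is
// enforced only on the branch that hands out a shared buffer; the module
// branch has none, since the thread states that a wasm module can be shared
// across threads without shared memory.
GetResult getSharedObject(const Realm& realm, const Mailbox& box, std::string* out) {
    switch (box.tag) {
        case MailboxTag::Empty:
            return GetResult::Empty;
        case MailboxTag::SharedArrayBuffer:
            if (!realm.sharedMemoryEnabled) return GetResult::SharedMemoryDisabled;
            *out = box.payload;
            return GetResult::Ok;
        case MailboxTag::WasmModule:
            *out = box.payload;
            return GetResult::Ok;
    }
    return GetResult::Empty;
}

int main() {
    Realm off{false};  // same configuration as the report: shared memory off
    Mailbox wasmBox{MailboxTag::WasmModule, "compiled-module"};  // constructed sample
    Mailbox sabBox{MailboxTag::SharedArrayBuffer, "shared-bytes"};  // constructed sample
    std::string out;
    std::cout << (getSharedObject(off, wasmBox, &out) == GetResult::Ok) << "\n";
    std::cout << (getSharedObject(off, sabBox, &out) == GetResult::SharedMemoryDisabled) << "\n";
    return 0;
}
```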
Comment 6•13 days ago
bugherder