Assertion failure: end() <= bytecode.size(), at /builds/worker/checkouts/gecko/js/src/wasm/WasmBinaryTypes.h:73
Categories
(Core :: JavaScript: WebAssembly, defect)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr128 | --- | unaffected |
firefox136 | --- | unaffected |
firefox137 | --- | unaffected |
firefox138 | blocking | fixed |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, Regression)
Found with m-c 20250314-1cdda4257383 (--enable-address-sanitizer --enable-fuzzing)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting https://www.stickeryou.com/. A Pernosco session is available here: https://pernos.co/debug/j6Vm4zt1FkOyStkxnXJpQA/index.html
Marking as s-s as a precaution.
Assertion failure: end() <= bytecode.size(), at /builds/worker/checkouts/gecko/js/src/wasm/WasmBinaryTypes.h:73
#0 0x7fffef8011dd in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7fffef8011dd in js::wasm::BytecodeRange::toSpan(mozilla::Span<unsigned char const, 18446744073709551615ul>) const /builds/worker/checkouts/gecko/js/src/wasm/WasmBinaryTypes.h:73:5
#2 0x7fffef801060 in js::wasm::BytecodeSource::BytecodeSource(unsigned char const*, unsigned long) /builds/worker/checkouts/gecko/js/src/wasm/WasmCompile.cpp:393:21
#3 0x7fffef93f511 in GetBufferSource /builds/worker/checkouts/gecko/js/src/wasm/WasmJS.cpp:1577:15
#4 0x7fffef93f511 in GetBufferSource(JSContext*, JS::CallArgs const&, char const*, js::wasm::BytecodeSource*) /builds/worker/checkouts/gecko/js/src/wasm/WasmJS.cpp:4396:10
#5 0x7fffef93dad1 in WebAssembly_validate(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/wasm/WasmJS.cpp:4554:8
#6 0x7fffee227ab4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
#7 0x7fffee22730f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:12
#8 0x7fffee22875b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:688:8
#9 0x7fffee2f1c23 in js::BoundFunctionObject::call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/BoundFunctionObject.cpp:72:10
#10 0x7fffee227ab4 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
#11 0x7fffee23aefa in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:661:10
#12 0x7fffee23aefa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3265:16
#13 0x7fffee226951 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:463:13
#14 0x7fffee227335 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:621:13
#15 0x7fffee22875b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:688:8
#16 0x7fffeeeca82d in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
#17 0x7fffeeecb107 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
#18 0x33ccb0ccacbf ([anon:js-executable-memory]+0x2cbf)
Comment 1•1 month ago
Set release status flags based on info from the regressing bug 1931407
:rhunt, since you are the author of the regressor, bug 1931407, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 3 (Reporter)•1 month ago
Unhiding since this is a release assertion.
Comment 4•1 month ago
fixed by backout of bug 1931407