Closed Bug 1954348 Opened 9 months ago Closed 9 months ago

Crash in [@ js::wasm::BytecodeRange::toSpan]

Categories

(Core :: JavaScript: WebAssembly, defect)

Tracking

()

RESOLVED DUPLICATE of bug 1954246

People

(Reporter: jimm, Unassigned)

Details

(Keywords: crash)

Crash Data

Reliably reproduced on the U.S. PayPal login screen.

Crash report: https://crash-stats.mozilla.org/report/index/c7619ddf-f59d-4b84-aaba-cdf860250316

MOZ_CRASH Reason:

MOZ_RELEASE_ASSERT(end() <= bytecode.size())

Top 10 frames:

0  XUL  MOZ_CrashSequence(void*, long)  mfbt/Assertions.h:272
0  XUL  js::wasm::BytecodeRange::toSpan(mozilla::Span<unsigned char const, (unsigned ...  js/src/wasm/WasmBinaryTypes.h:73
1  XUL  js::wasm::BytecodeSource::BytecodeSource(unsigned char const*, unsigned long)  js/src/wasm/WasmCompile.cpp:393
2  XUL  GetBufferSource(JSContext*, JSObject*, unsigned int, js::wasm::BytecodeSource*)  js/src/wasm/WasmJS.cpp:1577
3  XUL  WebAssembly_validate(JSContext*, unsigned int, JS::Value*)  js/src/wasm/WasmJS.cpp:4554
4  XUL  CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::...  js/src/vm/Interpreter.cpp:493
4  XUL  js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstru...  js/src/vm/Interpreter.cpp:589
4  XUL  InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)  js/src/vm/Interpreter.cpp:656
4  XUL  js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInv...  js/src/vm/Interpreter.cpp:688
5  XUL  js::BoundFunctionObject::call(JSContext*, unsigned int, JS::Value*)  js/src/vm/BoundFunctionObject.cpp:72
Status: NEW → RESOLVED
Closed: 9 months ago
Duplicate of bug: 1954246
Resolution: --- → DUPLICATE