Closed Bug 1957545 Opened 1 year ago Closed 1 year ago

Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:401

Categories

(Core :: JavaScript: WebAssembly, defect)

All
Linux
defect

Tracking

RESOLVED FIXED
139 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox137 --- unaffected
firefox138 --- fixed
firefox139 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file Debug stack
// Reduced fuzzing testcase for the JS shell: oomTest re-runs f while failing
// a different allocation on each iteration, so the wasm native eventually
// takes an OOM path after copying the module bytes
function f() {
  WebAssembly.instantiate(wasmTextToBinary("(func)"));
  oomTest(f);
}
f();

(gdb) bt
#0  0x0000555557300ca9 in MOZ_CrashSequence (aAddress=0x0, aLine=401)
    at /home/msf1/shell-cache/js-dbg-64-linux-x86_64-4bbc39703afd/objdir-js/dist/include/mozilla/Assertions.h:267
#1  AssertExceptionResult (cx=cx@entry=0x7ffff693a200) at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:400
#2  0x0000555557324a8f in CallJSNative (cx=cx@entry=0x7ffff693a200, native=<optimized out>, reason=<optimized out>, args=...)
    at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:498
#3  0x0000555557300f86 in js::InternalCallOrConstruct (cx=0x7ffff693a200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:589
#4  0x0000555557301ce8 in InternalCall (cx=cx@entry=0x7ffff693a200, args=..., reason=401, reason@entry=js::CallReason::Call)
    at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:656
#5  0x0000555557301c47 in js::CallFromStack (cx=0x7ffff7a1ca60 <_IO_stdfile_2_lock>, cx@entry=0x7ffff693a200, args=..., reason=4154570531,
    reason@entry=js::CallReason::Call) at /home/msf1/trees/mozilla-central/js/src/vm/Interpreter.cpp:661
/snip
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/68e60c65b23f
user:        Ryan Hunt
date:        Mon Mar 24 18:05:38 2025 +0000
summary:     Bug 1931407 - wasm: Rework bytecode handling for compilation to avoid copies. r=yury

Run with --fuzzing-safe --cache-ir-stubs=off --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 4bbc39703afd.

Ryan, is bug 1931407 a likely regressor? Note that during reduction, this testcase was slightly intermittent but this final one should be fairly reliable.

Flags: sec-bounty?
Flags: needinfo?(rhunt)
Group: core-security → layout-core-security

Set release status flags based on info from the regressing bug 1931407

Not properly reported OOM: the fault is not marked as OOM, but still handled by exception mechanism.

Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
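An added illustration, not code from this bug or from SpiderMonkey: a hypothetical stand-alone C++ model of the invariant behind the assertion in the summary (a native that returns false must leave an exception pending), with a native that drops the OOM report beside one that reports it. Context, BytecodeBuffer and the two natives are invented stand-ins for JSContext, the real BytecodeBuffer and the wasm instantiate native; the checker only models the isExceptionPending half of the real assertion.

```cpp
// Hypothetical model (not SpiderMonkey code) of the invariant that
// AssertExceptionResult in vm/Interpreter.cpp checks after a native call.
#include <cstddef>
#include <vector>

struct Context {                       // stand-in for JSContext
  bool exceptionPending = false;
  bool oomInjected = false;            // simulates an allocator failure, oomTest-style
  bool isExceptionPending() const { return exceptionPending; }
  void reportOutOfMemory() { exceptionPending = true; }  // models js::ReportOutOfMemory
};

// Buffer that copies source bytes; returns false on "allocation failure" and leaves OOM reporting to its caller.
struct BytecodeBuffer {
  std::vector<unsigned char> bytes;
  bool fromSource(Context* cx, const unsigned char* src, std::size_t len) {
    if (cx->oomInjected) return false;
    bytes.assign(src, src + len);
    return true;
  }
};

// Buggy native: propagates the failure without reporting it, so no exception is pending.
bool instantiateNativeBuggy(Context* cx, const unsigned char* src, std::size_t len) {
  BytecodeBuffer buf;
  return buf.fromSource(cx, src, len);
}

// Fixed native: reports OOM before returning false, which is what the invariant requires.
bool instantiateNativeFixed(Context* cx, const unsigned char* src, std::size_t len) {
  BytecodeBuffer buf;
  if (!buf.fromSource(cx, src, len)) { cx->reportOutOfMemory(); return false; }
  return true;
}

// Simplified AssertExceptionResult: a native that returns false must leave an
// exception pending (the real check also accepts forced returns and uncatchable
// exceptions). Returns true when the invariant holds instead of asserting.
bool exceptionResultInvariantHolds(Context* cx, bool nativeResult) {
  return nativeResult || cx->isExceptionPending();
}

// Run one native with OOM injected and report whether the invariant held.
bool runUnderOom(bool (*native)(Context*, const unsigned char*, std::size_t)) {
  static const unsigned char kSrc[] = {0x00, 0x61, 0x73, 0x6d};  // constructed sample bytes
  Context cx;
  cx.oomInjected = true;
  return exceptionResultInvariantHolds(&cx, native(&cx, kSrc, sizeof kSrc));
}
```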

OOM error reporting issue, not security sensitive. We should uplift though. It looks like this is a security sensitive layout bug though, not a JS bug, so I cannot unflag it.

Flags: needinfo?(rhunt)
Group: layout-core-security
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4fd486e55abf Handle OOM after BytecodeBuffer::fromSource. r=rhunt
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch

The patch landed in nightly and beta is affected.
:yury, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox138 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(ydelendik)

Comment on attachment 9476328 [details]
Bug 1957545 - Handle OOM after BytecodeBuffer::fromSource. r?rhunt

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Properly handle OOM
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial change that affects only OOM state.
  • String changes made/needed:
  • Is Android affected?: Unknown
Flags: needinfo?(ydelendik)
Attachment #9476328 - Flags: approval-mozilla-beta?
Flags: sec-bounty? → sec-bounty-

Comment on attachment 9476328 [details]
Bug 1957545 - Handle OOM after BytecodeBuffer::fromSource. r?rhunt

Approved for 138.0b3

Attachment #9476328 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite+