1969375 - ResolveResponse_fulfilled doesn't handle OOMs correctly

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: debug stack

function f() {
  drainJobQueue();
  WebAssembly.compileStreaming();
  oomTest(f);
}
f();

(gdb) bt
#0  0x000055555732e2d9 in MOZ_CrashSequence (aAddress=0x0, aLine=402)
    at /home/ubuomni14/shell-cache/js-dbg-64-linux-x86_64-3f2fd0c018c9/objdir-js/dist/include/mozilla/Assertions.h:248
#1  AssertExceptionResult (cx=cx@entry=0x7ffff653a200) at /home/ubuomni14/trees/mozilla-central/js/src/vm/Interpreter.cpp:401
#2  0x000055555735260f in CallJSNative (cx=cx@entry=0x7ffff653a200, native=<optimized out>, reason=<optimized out>, args=...)
    at /home/ubuomni14/trees/mozilla-central/js/src/vm/Interpreter.cpp:499
#3  0x000055555732e5b6 in js::InternalCallOrConstruct (cx=0x7ffff653a200, args=..., construct=construct@entry=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at /home/ubuomni14/trees/mozilla-central/js/src/vm/Interpreter.cpp:590
#4  0x000055555732f318 in InternalCall (cx=<optimized out>, args=..., reason=402, reason@entry=js::CallReason::Call)
    at /home/ubuomni14/trees/mozilla-central/js/src/vm/Interpreter.cpp:657
#5  0x000055555732f533 in js::Call (cx=cx@entry=0x7ffff653a200, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...,
    reason=reason@entry=js::CallReason::Call) at /home/ubuomni14/trees/mozilla-central/js/src/vm/Interpreter.cpp:689
/snip

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/68e60c65b23f
user:        Ryan Hunt
date:        Mon Mar 24 18:05:38 2025 +0000
summary:     Bug 1931407 - wasm: Rework bytecode handling for compilation to avoid copies. r=yury

Run with --fuzzing-safe --ion-offthread-compile=off --ion-eager, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 3f2fd0c018c9.

Ryan, is bug 1931407 a likely regressor?

Note that possible regressor bug 1931407 had some comments about looking through its regressors for possible uplifting, so this bug might need one as well.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1931407

Comment 2

[Ryan Hunt [:rhunt]]

This is just an OOM handling issue where we fail to report the OOM error. Not security sensitive.

Comment 3

[Ryan Hunt [:rhunt]]

Attachment: Bug 1969375 - wasm: Fix OOM handling in ResolveResponse. r?bvisness

Comment 4

[Pulsebot]

Pushed by rhunt@eqrion.net:
https://github.com/mozilla-firefox/firefox/commit/4dc02df46db3
https://hg.mozilla.org/integration/autoland/rev/93e2c6706f0f
wasm: Fix OOM handling in ResolveResponse. r=bvisness

Comment 5

[Norisz Fay [:noriszfay]]

https://hg.mozilla.org/mozilla-central/rev/93e2c6706f0f

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:rhunt, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
  • See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
• If no, please set status-firefox141 to wontfix.

For more information, please visit BugBot documentation.

Comment 7

[Ryan Hunt [:rhunt]]

I don't think so. It's a very rare small OOM condition that will result in a crash if it happens.