Closed
Bug 1977120
Opened 3 months ago
Closed 3 months ago
Assertion failure: cx->isThrowingOutOfMemory(), at wasm/WasmBuiltins.cpp:688
Categories
(Core :: JavaScript: WebAssembly, defect, P3)
Tracking
()
RESOLVED
FIXED
142 Branch
| Tracking | Status | |
|---|---|---|
| firefox142 | --- | fixed |
People
(Reporter: gkw, Assigned: yury)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, testcase)
Attachments
(1 file)
(function (x, y) {
"use asm";
var z = y.m;
function g() {
z();
}
return g;
})(0, {
m: function () {
throw 0;
},
})();
(gdb) bt
#0 0x00005555586fc57c in MOZ_CrashSequence (aAddress=0x0, aLine=688)
at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-23185ed855a5/objdir-js/dist/include/mozilla/Assertions.h:248
#1 GetOrWrapWasmException (activation=0x7fffffffc500, cx=0x7ffff5e2a200) at /home/msf2/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:688
#2 js::wasm::HandleExceptionWasm (cx=cx@entry=0x7ffff5e2a200, iter=..., rfe=rfe@entry=0x7fffffffc320)
at /home/msf2/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:823
#3 0x00005555584c2eac in js::jit::HandleException (rfe=0x7fffffffc320) at /home/msf2/trees/mozilla-central/js/src/jit/JitFrames.cpp:754
#4 0x00005555586fed89 in WasmHandleThrow (rfe=0x7ffff7805700 <_IO_stdfile_2_lock>) at /home/msf2/trees/mozilla-central/js/src/wasm/WasmBuiltins.cpp:920
#5 0x0000388fc90437d5 in ?? ()
#6 0xba104b5d9f5fb000 in ?? ()
#7 0x00007ffff5cf5600 in ?? ()
#8 0x00007fffffffc408 in ?? ()
#9 0x0000000000000000 in ?? ()
(gdb)
This bug has existed possibly since prior to m-c rev 1db2ef126a6a, or (GitHub) gh rev 48de8371eacd8be6e794cba9b8849d085edaecf1 (late-Apr 2024).
Run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-compiler=none, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 23185ed855a5.
Ryan/Yury, any next steps?
Flags: needinfo?(ydelendik)
Flags: needinfo?(rhunt)
|
Assignee | |
Comment 1•3 months ago
|
||
Looks like it is trying to compile asm.js as wasm code regardless of "--wasm-compiler=none", but we cannot wrap exception using WasmExceptionObject::wrapJSValue. Not really a security issue, since even after this MOZ_ASSERT we continue failing.
Flags: needinfo?(ydelendik)
|
||
Updated•3 months ago
|
Severity: -- → S4
Priority: -- → P3
|
|
Assignee | |
Comment 2•3 months ago
|
||
|
||
Updated•3 months ago
|
Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
Pushed by ydelendik@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/b36d74a3b113
https://hg.mozilla.org/integration/autoland/rev/0458419a779a
Disable asm.js when no Wasm compilers. r=rhunt
|
||
Comment 4•3 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch
|
||
Updated•3 months ago
|
Flags: needinfo?(rhunt)
|
||
Updated•3 months ago
|
QA Whiteboard: [qa-triage-done-c143/b142]
You need to log in
before you can comment on or make changes to this bug.
Description
•