Closed
Bug 1977469
Opened 3 months ago
Closed 3 months ago
Assertion failure: cx->isExceptionPending() || cx->isPropagatingForcedReturn() || cx->hadUncatchableException(), at vm/Interpreter.cpp:402
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
RESOLVED
FIXED
143 Branch
Flag | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox-esr128 | --- | unaffected
firefox-esr140 | --- | wontfix
firefox140 | --- | wontfix
firefox141 | --- | wontfix
firefox142 | --- | wontfix
firefox143 | --- | fixed
People
(Reporter: gkw, Assigned: jandem)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
```js
BigInt64Array.importedStringConstants = 0;
function f() {
  new WebAssembly.Module(
    wasmTextToBinary(
      "(type $a (array (mut i32)))(func (param i32)(result eqref) local.get 0 array.new_default $a)",
    ),
    BigInt64Array,
  );
  oomTest(f);
}
f();
```
```
(gdb) bt
#0 0x00005555572ae7c9 in MOZ_CrashSequence (aAddress=0x0, aLine=402) at /home/msf2/shell-cache/js-dbg-64-linux-x86_64-8b4dd515e78c/objdir-js/dist/include/mozilla/Assertions.h:248
#1 AssertExceptionResult (cx=cx@entry=0x7ffff5e2a200) at /home/msf2/trees/mozilla-central/js/src/vm/Interpreter.cpp:401
#2 0x00005555572d516f in CallJSNative (cx=cx@entry=0x7ffff5e2a200, native=native@entry=0x555558763e80 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/msf2/trees/mozilla-central/js/src/vm/Interpreter.cpp:506
#3 0x00005555572ddbcd in CallJSNativeConstructor (cx=cx@entry=0x7ffff5e2a200, native=0x555558763e80 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/msf2/trees/mozilla-central/js/src/vm/Interpreter.cpp:519
#4 0x00005555572b027a in InternalConstruct (cx=cx@entry=0x7ffff5e2a200, args=..., reason=reason@entry=js::CallReason::Call) at /home/msf2/trees/mozilla-central/js/src/vm/Interpreter.cpp:725
#5 0x00005555572bebfd in js::ConstructFromStack (cx=0x7ffff5e2a200, args=..., reason=<optimized out>) at /home/msf2/trees/mozilla-central/js/src/vm/Interpreter.cpp:772
```
/snip
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/b3e3e654d030
user: Ryan Hunt
date: Tue Nov 19 16:14:04 2024 +0000
summary: Bug 1913964 - wasm: Ship js-string-builtins. r=bvisness,yury
Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 8b4dd515e78c.
Ryan, is bug 1913964 a likely regressor?
Flags: sec-bounty?
Flags: needinfo?(rhunt)
Comment 1•3 months ago
Set release status flags based on info from the regressing bug 1913964
status-firefox140: --- → affected
status-firefox141: --- → affected
status-firefox-esr128: --- → unaffected
status-firefox-esr140: --- → affected
Reporter
Comment 2•3 months ago
Run with --setpref=wasm_js_string_builtins=true and bisection points to:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/de8b96102f94
user: Jan de Mooij
date: Tue Oct 01 11:02:38 2024 +0000
summary: Bug 1921780 - Improve exception handling assertions in the JS shell. r=arai
Updated•3 months ago
Group: core-security → javascript-core-security
Updated•3 months ago
Comment 3•3 months ago
None of the regressions from bug 1921780 so far have been considered security problems.
Updated•3 months ago
Flags: needinfo?(rhunt) → needinfo?(jdemooij)
Assignee
Comment 4•3 months ago
An OOM buglet in FeatureOptions::init.
Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Assignee
Comment 5•3 months ago
Updated•3 months ago
Severity: -- → S3
Priority: -- → P1
Pushed by jdemooij@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/641061404fec
https://hg.mozilla.org/integration/autoland/rev/412f16d74ce9
Use cx->new_ in FeatureOptions::init to ensure OOM is reported on the context. r=rhunt
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox143: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
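The fix commit message above states the invariant the assertion at Interpreter.cpp:402 enforces: a native that returns false must have reported an error on the context, which cx->new_ does on allocation failure and plain allocation does not. As an added example (not SpiderMonkey code), this self-contained C++ model shows the buggy and fixed patterns and an oomTest-style sweep that catches the unreported failure; Context, Options, initBuggy, initFixed and the failure-injecting allocator are stand-ins.

```cpp
// Added example, not SpiderMonkey code: a minimal model of the invariant
// checked by AssertExceptionResult and of how oomTest finds violations.
#include <cstddef>
#include <cstdint>
#include <memory>

struct Context {
  bool exceptionPending = false;
  // Allocation-failure injection, as oomTest does: fail the Nth allocation.
  size_t allocsUntilFailure = SIZE_MAX;
  bool allocOk() {
    if (allocsUntilFailure == 0) return false;
    allocsUntilFailure--;
    return true;
  }
  void reportOutOfMemory() { exceptionPending = true; }  // stand-in for cx->new_'s report
};

struct Options { bool stringBuiltins = false; };

// Buggy pattern: allocation failure returns false with nothing pending on cx.
static bool initBuggy(Context* cx, std::unique_ptr<Options>* out) {
  if (!cx->allocOk()) return false;
  *out = std::make_unique<Options>();
  return true;
}

// Fixed pattern: the failure is reported on the context before returning false.
static bool initFixed(Context* cx, std::unique_ptr<Options>* out) {
  if (!cx->allocOk()) { cx->reportOutOfMemory(); return false; }
  *out = std::make_unique<Options>();
  return true;
}

// Mirrors the assertion: a native returning false must leave an exception
// pending. Returns true when the invariant holds for this failure point.
template <typename Init>
static bool nativeHoldsInvariant(Init init, size_t failAt) {
  Context cx;
  cx.allocsUntilFailure = failAt;
  std::unique_ptr<Options> opts;
  bool ok = init(&cx, &opts);
  return ok || cx.exceptionPending;
}

// oomTest-style sweep: fail each allocation in turn and check the invariant.
template <typename Init>
static bool oomSweepPasses(Init init, size_t maxAllocs) {
  for (size_t i = 0; i < maxAllocs; i++)
    if (!nativeHoldsInvariant(init, i)) return false;
  return true;
}
```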
Comment 8•3 months ago
The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set status-firefox142 to wontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(jdemooij)
Assignee
Updated•3 months ago
Flags: needinfo?(jdemooij)
Updated•3 months ago
Flags: sec-bounty? → sec-bounty-
Updated•3 months ago
Flags: in-testsuite+