Closed Bug 1236541 Opened 10 years ago Closed 10 years ago

Crash [@ ??] with ASM.js and invalid jump

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla46
Tracking Status
firefox43 --- unaffected
firefox44 --- unaffected
firefox45 --- unaffected
firefox46 --- verified
firefox-esr38 --- unaffected
firefox-esr45 --- unaffected

People

(Reporter: decoder, Assigned: luke)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d7a0ad85d9fb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

    const USE_ASM = '"use asm";';
    function asmCompile() { var f = Function.apply(null, arguments); return f; }
    function asmLink(f) { var ret = f.apply(null, Array.slice(arguments, 1)); return ret; }
    enableSPSProfiling();
    function FunctionBody(f) {
      str = f.toString()
      firstBrace = str.indexOf('{')
      lastBrace = str.lastIndexOf('}')
      return str.substr(firstBrace + 1, lastBrace - firstBrace - 1)
    }
    F = function () {
      function f(i0, d1) {
        i0 = i0 | 0
        d1 = +d1
        switch (0) {
          case 0:
        }
      }
      return f;
    }
    compiled = asmCompile(USE_ASM + FunctionBody(F))
    asmLink(compiled)()
    asmLink(compiled)()

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7fdd03b in ?? ()
    #0  0x00007ffff7fdd03b in ?? ()
    #1  0x0000000000000000 in ?? ()
    rax            0x7ffff7fdd000   140737353994240
    rbx            0x7fffffffc860   140737488341088
    rcx            0x0      0
    rdx            0x0      0
    rsi            0x7ffff7fde000   140737353998336
    rdi            0x0      0
    rbp            0x7fffffffc920   140737488341280
    rsp            0x7fffffffc710   140737488340752
    r8             0x1      1
    r9             0xfffbffffffffffff       -1125899906842625
    r10            0x7fffffffc7e0   140737488340960
    r11            0x7ffff310e400   140737271358464
    r12            0x7fffffffc860   140737488341088
    r13            0x7ffff69887f0   140737330579440
    r14            0x7ffff6907800   140737330051072
    r15            0x7ffff69a5080   140737330696320
    rip            0x7ffff7fdd03b   140737353994299
    => 0x7ffff7fdd03b:      jmpq   *(%rax,%rdx,8)
       0x7ffff7fdd03e:      jmp    0x7ffff7fdd045

The test seems to require profiling but I don't know what's going on here and an invalid jump doesn't sound nice, so marking s-s for now.
Reduced test case:

    enableSPSProfiling();
    function mod() {
      "use asm";
      function f(i0, d1) {
        i0 = i0 | 0
        d1 = +d1
        switch (0) {
          case 0:
        }
      }
      return f;
    }
    mod()();
    mod()();
Thanks a lot for the reduced and further-reduced testcases! The bug is that the entries in the tableswitch have InternalLinks and these were being mistaken for calls and repointed to the prologue by Module::staticallyLink. There was an extra conjunct that guarded against this before the refactoring in bug 1229642 but it seems I accidentally dropped this.
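A simplified model of the linking step described in the comment above, added here for illustration (constructed example, not SpiderMonkey's Module::staticallyLink; the link kinds, offsets and function names are assumptions). It shows how dropping the kind check makes the tableswitch's InternalLink entries get repointed to the function prologue, so the indirect jump that reads the table no longer lands on a case body, and the invariant a test would check to catch that regression:

```python
from dataclasses import dataclass
from enum import Enum, auto

class LinkKind(Enum):
    CALL = auto()      # call from one function into another
    INTERNAL = auto()  # intra-function jump, e.g. a tableswitch table entry

@dataclass
class Link:
    kind: LinkKind
    target: int        # code offset the link currently points at

# Constructed toy layout: function prologue at 16, tableswitch case bodies at 48/64.
PROLOGUE = 16
CASE_BODIES = [48, 64]

def build_links():
    """One genuine call plus the two jump-table entries of a switch (constructed)."""
    return [Link(LinkKind.CALL, 0)] + [Link(LinkKind.INTERNAL, t) for t in CASE_BODIES]

def statically_link(links, prologue, check_kind=True):
    """Return the final target of every link. check_kind=False models the dropped
    conjunct: every link is treated as a call and repointed to the prologue."""
    out = []
    for link in links:
        if check_kind and link.kind is LinkKind.INTERNAL:
            out.append(link.target)   # jump-table entry is already final; leave it
        else:
            out.append(prologue)      # calls must enter through the prologue
    return out

def dispatch(table, index):
    """Model of the indirect `jmpq *(%rax,%rdx,8)`: pick the table entry."""
    return table[index]

def invariant_holds(links, linked):
    """No InternalLink may be redirected by linking; this is what the fix restores."""
    return all(l.kind is LinkKind.CALL or l.target == t for l, t in zip(links, linked))

if __name__ == "__main__":
    links = build_links()
    buggy = statically_link(links, PROLOGUE, check_kind=False)
    fixed = statically_link(links, PROLOGUE, check_kind=True)
    # The switch table is everything after the single call link.
    print("buggy: case 0 jumps to", dispatch(buggy[1:], 0))   # 16, the prologue
    print("fixed: case 0 jumps to", dispatch(fixed[1:], 0))   # 48, the case body
    print("invariant after fix:", invariant_holds(links, fixed))
```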
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #8703808 - Flags: review?(bbouvier)
Comment on attachment 8703808 [details] [diff] [review]
fix-statically-link

Review of attachment 8703808 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.
Attachment #8703808 - Flags: review?(bbouvier) → review+
Keywords: sec-high
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/5f25108ed130
user: Luke Wagner
date: Mon Dec 28 17:39:21 2015 -0600
summary: Bug 1229642 - Split wasm::Module out of AsmJSModule (r=bbouvier)

This iteration took 220.272 seconds to run.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Group: core-security-release