[wasm] Crash [@ js::InlineList<js::jit::MUse>::insertAfterUnchecked]

RESOLVED FIXED in Firefox 47

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: decoder
Assignee: bbouvier
Blocks: 1 bug
Keywords: crash, regression, testcase
Version: Trunk
Target Milestone: mozilla47
Platform: x86_64, Linux
Firefox Tracking Flags: firefox47 fixed
Attachments: 2 attachments, 1 obsolete attachment

(Reporter)

Description

2 years ago
The attached binary WebAssembly testcase crashes on mozilla-central revision 1dbe350b57b1+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests --enable-debug, run with ). To reproduce, you can run the following code in the JS shell:

// `file` is the path to the attached binary testcase.
var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);


Backtrace:

==28214==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff05ef2520 at pc 0x000000c10b0c bp 0x7fff05eea7b0 sp 0x7fff05eea7a8
READ of size 8 at 0x7fff05ef2520 thread T0
    #0 0xc10b0b in js::InlineList<js::jit::MUse>::insertAfterUnchecked(js::InlineListNode<js::jit::MUse>*, js::InlineListNode<js::jit::MUse>*) js/src/jit/InlineList.h:344:43
    #1 0xc10b0b in js::InlineList<js::jit::MUse>::pushFrontUnchecked(js::InlineListNode<js::jit::MUse>*) js/src/jit/InlineList.h:301
    #2 0xc10b0b in js::jit::MDefinition::addUseUnchecked(js::jit::MUse*) js/src/jit/MIR.h:756
    #3 0xfc1160 in js::jit::MUse::initUnchecked(js::jit::MDefinition*, js::jit::MNode*) js/src/jit/MIR.h:14174:5
    #4 0xfc1160 in js::jit::MVariadicT<js::jit::MInstruction>::initOperand(unsigned long, js::jit::MDefinition*) js/src/jit/MIR.h:1207
    #5 0xfc1160 in js::jit::MAsmJSCall::New(js::jit::TempAllocator&, js::wasm::CallSiteDesc const&, js::jit::MAsmJSCall::Callee, mozilla::Vector<js::jit::MAsmJSCall::Arg, 8ul, js::SystemAllocPolicy> const&, js::jit::MIRType, unsigned long) js/src/jit/MIR.cpp:4973
    #6 0x24984cb in FunctionCompiler::callPrivate(js::jit::MAsmJSCall::Callee, FunctionCompiler::Call const&, js::wasm::ExprType, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:729:27
    #7 0x247985a in FunctionCompiler::builtinCall(js::wasm::SymbolicAddress, FunctionCompiler::Call const&, js::wasm::ValType, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:778:16
    #8 0x247985a in EmitF32MathBuiltinCall(FunctionCompiler&, js::wasm::Expr, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1644
    #9 0x247985a in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2805
    #10 0x2466f5a in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3001:18
    #11 0x2443215 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:529:14
    #12 0x241a8f3 in DecodeFunc(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:863:12
    #13 0x241a8f3 in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:886
    #14 0x241a8f3 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1013
    #15 0x2412690 in WasmEval(JSContext*, unsigned int, JS::Value*) js/src/asmjs/Wasm.cpp:1171:10
    #16 0x1a5cad7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #28 0x53b760 in main js/src/shell/js.cpp:7056
    #29 0x7f9274a51ec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #30 0x489c10 in _start (js/src/debug64afl/js/src/shell/js+0x489c10)

Address 0x7fff05ef2520 is located in stack of thread T0 at offset 5056 in frame
    #0 0x1a8bb0f in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:1511

HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)

Shadow bytes around the buggy address:
  0x100060bd6450: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x100060bd6460: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x100060bd6470: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f2
  0x100060bd6480: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 f2 f2
  0x100060bd6490: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 01 f2 04 f2
=>0x100060bd64a0: 04 f2 04 f2[04]f2 04 f2 04 f2 01 f2 01 f2 01 f2
  0x100060bd64b0: 04 f2 04 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2
  0x100060bd64c0: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x100060bd64d0: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f2
  0x100060bd64e0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100060bd64f0: 00 f2 f2 f2 00 f2 f2 f2 01 f2 00 f2 f2 f2 01 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Stack mid redzone:       f2


In a previous build, this test also triggered some assertion, but now ASan aborts earlier it seems.
(Reporter)

Comment 1

2 years ago
Created attachment 8716565
Testcase
(Reporter)

Comment 2

2 years ago
I assume there's some kind of memory corruption going on because the same file now also gives me other crash signatures.
(Assignee)

Comment 3

2 years ago
Created attachment 8716884
decodeunary.patch

A simple typo in DecodeUnary.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8716884 - Flags: review?(sunfish)
(Assignee)

Comment 4

2 years ago
Created attachment 8716886
decodeunary.patch

Better patch (assigns nullptr when ::nop is emitted, so that we'd have had a nice assertion failure here, not a crash in random memory).
Attachment #8716884 - Attachment is obsolete: true
Attachment #8716884 - Flags: review?(sunfish)
Attachment #8716886 - Flags: review?(sunfish)
Comment on attachment 8716886
decodeunary.patch

Review of attachment 8716886:
-----------------------------------------------------------------

Ah, right.
Attachment #8716886 - Flags: review?(sunfish) → review+
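
The design point from Comment 4 (write nullptr to the result when no value is produced, so a later consumer fails deterministically instead of touching random memory), shown as an added example that is not SpiderMonkey code and not the attached patch. The types and functions (Def, Op, emitUnsafe, emitHardened, addUse, buildCall) are hypothetical, and the "stale" pointer is assigned explicitly to model leftover stack contents without relying on undefined behaviour.

```cpp
// Added illustration: simplified model, not SpiderMonkey code. All names are hypothetical.
#include <cstdio>
#include <vector>

struct Def { std::vector<int> uses; };  // stand-in for an MIR definition and its use list
enum class Op { Const, Nop };

// Unsafe emitter: on Nop it reports success without writing the out-param,
// so the caller keeps whatever its local variable happened to hold.
bool emitUnsafe(Op op, Def* fresh, Def** out) {
    if (op == Op::Nop) return true;     // *out left untouched
    *out = fresh;
    return true;
}

// Hardened emitter: every success path writes the out-param; "no value" is nullptr.
bool emitHardened(Op op, Def* fresh, Def** out) {
    *out = (op == Op::Nop) ? nullptr : fresh;
    return true;
}

// Consumer: registers use `id` on the operand. A null operand is rejected here,
// which is the spot where a debug build would hit an assertion.
bool addUse(Def* operand, int id) {
    if (!operand) return false;
    operand->uses.push_back(id);
    return true;
}

using Emit = bool (*)(Op, Def*, Def**);

// Builds a call whose single operand comes from `emit`. `stale` models leftover
// stack contents in the caller's local. Returns true if a use was registered.
bool buildCall(Emit emit, Op op, Def* fresh, Def* stale) {
    Def* operand = stale;
    if (!emit(op, fresh, &operand)) return false;
    return addUse(operand, 1);
}

int main() {
    Def fresh, stale;
    bool a = buildCall(emitUnsafe, Op::Nop, &fresh, &stale);
    std::printf("unsafe:   accepted=%d, uses on unrelated object=%zu\n", a, stale.uses.size());
    Def fresh2, stale2;
    bool b = buildCall(emitHardened, Op::Nop, &fresh2, &stale2);
    std::printf("hardened: accepted=%d, uses on unrelated object=%zu\n", b, stale2.uses.size());
}
```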
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1246935

Comment 8

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/2c4cc4d1ac2e
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox47: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47