Closed Bug 1246331 Opened 8 years ago Closed 8 years ago

[wasm] Crash [@ js::InlineList<js::jit::MUse>::insertAfterUnchecked]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(2 files, 1 obsolete file)

Testcase
54 bytes, application/octet-stream
Details
decodeunary.patch
4.13 KB, patch
sunfish
: review+
Details | Diff | Splinter Review 
The attached binary WebAssembly testcase crashes on mozilla-central revision 1dbe350b57b1+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests --enable-debug, run with ). To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
wasmEval(data.buffer);


Backtrace:

==28214==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff05ef2520 at pc 0x000000c10b0c bp 0x7fff05eea7b0 sp 0x7fff05eea7a8
READ of size 8 at 0x7fff05ef2520 thread T0
    #0 0xc10b0b in js::InlineList<js::jit::MUse>::insertAfterUnchecked(js::InlineListNode<js::jit::MUse>*, js::InlineListNode<js::jit::MUse>*) js/src/jit/InlineList.h:344:43
    #1 0xc10b0b in js::InlineList<js::jit::MUse>::pushFrontUnchecked(js::InlineListNode<js::jit::MUse>*) js/src/jit/InlineList.h:301
    #2 0xc10b0b in js::jit::MDefinition::addUseUnchecked(js::jit::MUse*) js/src/jit/MIR.h:756
    #3 0xfc1160 in js::jit::MUse::initUnchecked(js::jit::MDefinition*, js::jit::MNode*) js/src/jit/MIR.h:14174:5
    #4 0xfc1160 in js::jit::MVariadicT<js::jit::MInstruction>::initOperand(unsigned long, js::jit::MDefinition*) js/src/jit/MIR.h:1207
    #5 0xfc1160 in js::jit::MAsmJSCall::New(js::jit::TempAllocator&, js::wasm::CallSiteDesc const&, js::jit::MAsmJSCall::Callee, mozilla::Vector<js::jit::MAsmJSCall::Arg, 8ul, js::SystemAllocPolicy> const&, js::jit::MIRType, unsigned long) js/src/jit/MIR.cpp:4973
    #6 0x24984cb in FunctionCompiler::callPrivate(js::jit::MAsmJSCall::Callee, FunctionCompiler::Call const&, js::wasm::ExprType, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:729:27
    #7 0x247985a in FunctionCompiler::builtinCall(js::wasm::SymbolicAddress, FunctionCompiler::Call const&, js::wasm::ValType, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:778:16
    #8 0x247985a in EmitF32MathBuiltinCall(FunctionCompiler&, js::wasm::Expr, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1644
    #9 0x247985a in EmitExpr(FunctionCompiler&, js::wasm::ExprType, js::jit::MDefinition**, mozilla::Vector<unsigned long, 1ul, js::SystemAllocPolicy>*) js/src/asmjs/WasmIonCompile.cpp:2805
    #10 0x2466f5a in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3001:18
    #11 0x2443215 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:529:14
    #12 0x241a8f3 in DecodeFunc(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:863:12
    #13 0x241a8f3 in DecodeCodeSection(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:886
    #14 0x241a8f3 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1013
    #15 0x2412690 in WasmEval(JSContext*, unsigned int, JS::Value*) js/src/asmjs/Wasm.cpp:1171:10
    #16 0x1a5cad7 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:235:15
[...]
    #28 0x53b760 in main js/src/shell/js.cpp:7056
    #29 0x7f9274a51ec4  (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #30 0x489c10 in _start (js/src/debug64afl/js/src/shell/js+0x489c10)

Address 0x7fff05ef2520 is located in stack of thread T0 at offset 5056 in frame
    #0 0x1a8bb0f in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:1511

HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)

Shadow bytes around the buggy address:
  0x100060bd6450: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x100060bd6460: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x100060bd6470: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f2
  0x100060bd6480: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 f2 f2
  0x100060bd6490: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 01 f2 04 f2
=>0x100060bd64a0: 04 f2 04 f2[04]f2 04 f2 04 f2 01 f2 01 f2 01 f2
  0x100060bd64b0: 04 f2 04 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2
  0x100060bd64c0: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x100060bd64d0: 00 00 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 f2
  0x100060bd64e0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100060bd64f0: 00 f2 f2 f2 00 f2 f2 f2 01 f2 00 f2 f2 f2 01 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Stack mid redzone:       f2


In a previous build, this test also triggered some assertion, but now ASan aborts earlier it seems.
Attached file Testcase 

    
    

    
  
I assume there's some kind of memory corruption going on because the same file now also gives me other crash signatures.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        decodeunary.patch (obsolete)
        — Splinter Review
      

    


  
A simple typo in DecodeUnary.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED

        Attachment #8716884 -
        Flags: review?(sunfish)

    
    

    
  


  
Better patch (assigns nullptr when ::nop is emitted, so that we'd have had a nice assertion failure here, not a crash in random memory).

        Attachment #8716884 -
        Attachment is obsolete: true

        Attachment #8716884 -
        Flags: review?(sunfish)

        Attachment #8716886 -
        Flags: review?(sunfish)

    
    

    
  
Comment on attachment 8716886 [details] [diff] [review]
decodeunary.patch

Review of attachment 8716886 [details] [diff] [review]:
-----------------------------------------------------------------

Ah, right.

        Attachment #8716886 -
        Flags: review?(sunfish) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2c4cc4d1ac2e
Status: ASSIGNED → RESOLVED
Closed: 8 years ago

          status-firefox47:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: