Closed
Bug 1256637
Opened 8 years ago
Closed 8 years ago
[wasm] Crash [@ bool js::jit::MDefinition::is<js::jit::MPhi>] with stack out-of-bounds read
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla48

 | Tracking | Status
---|---|---
firefox48 | --- | fixed

People: Reporter: decoder, Assigned: bbouvier
Keywords: crash, regression, testcase

Attachments (2 files):
- 212 bytes, application/octet-stream (Details)
- 1.78 KB, patch, luke: review+ (Details | Diff | Splinter Review)
The attached binary WebAssembly testcase crashes on mozilla-inbound revision f788142ec96f+ (build with --enable-gczeal --enable-optimize --enable-debug --enable-address-sanitizer --without-intl-api --enable-posix-nspr-emulation --disable-jemalloc --disable-tests --enable-debug).

To reproduce, you can run the following code in the JS shell:

var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==31069==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff12fb7ff8 at pc 0x000000700fd1 bp 0x7fff12fac070 sp 0x7fff12fac068
READ of size 8 at 0x7fff12fb7ff8 thread T0
    #0 0x700fd0 in bool js::jit::MDefinition::is<js::jit::MPhi>() const js/src/jit/MIR.h:830:16
    #1 0x700fd0 in js::jit::MPhi* js::jit::MDefinition::to<js::jit::MPhi>() js/src/jit/MIR.h:833
    #2 0x700fd0 in js::jit::MDefinition::toPhi() js/src/jit/MIR.h:850
    #3 0x700fd0 in FunctionCompiler::setLoopBackedge(js::jit::MBasicBlock*, js::jit::MBasicBlock*, js::jit::MBasicBlock*, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1084
    #4 0x6ff9c2 in FunctionCompiler::closeLoop(js::jit::MBasicBlock*, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1147:18
    #5 0x6e5369 in EmitLoop(FunctionCompiler&, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:2503:12
    #6 0x6e5369 in EmitExpr(FunctionCompiler&, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:2703
    #7 0x6f5c3b in EmitHeapAddress(FunctionCompiler&, js::jit::MDefinition**, js::jit::MAsmJSHeapAccess*) js/src/asmjs/WasmIonCompile.cpp:1433:10
    #8 0x6d0bc4 in EmitLoad(FunctionCompiler&, js::Scalar::Type, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:1461:10
    #9 0x6d0bc4 in EmitExpr(FunctionCompiler&, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:2786
    #10 0x6da17e in EmitBlock(FunctionCompiler&, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:2646:18
    #11 0x6da17e in EmitExpr(FunctionCompiler&, js::jit::MDefinition**) js/src/asmjs/WasmIonCompile.cpp:2698
    #12 0x6cbf91 in js::wasm::IonCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3100:18
    #13 0x692aa5 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:815:14
    #14 0x628371 in DecodeFunctionBody(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/Wasm.cpp:1313:12
    #15 0x628371 in DecodeFunctionBodies(JSContext*, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/Wasm.cpp:1341
    #16 0x628371 in DecodeModule(JSContext*, mozilla::UniquePtr<char [], JS::FreePolicy>, unsigned char const*, unsigned int, mozilla::Vector<ImportName, 0ul, js::SystemAllocPolicy>*, mozilla::UniquePtr<js::wasm::ExportMap, JS::DeletePolicy<js::wasm::ExportMap> >*, JS::MutableHandle<js::ArrayBufferObject*>, JS::MutableHandle<js::WasmModuleObject*>) js/src/asmjs/Wasm.cpp:1440
    #17 0x61b4cd in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<JSObject*>) js/src/asmjs/Wasm.cpp:1597:10
    #18 0x593394 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5104:14
    [...]
    #31 0x460451 in _start (/home/ubuntu/build/build/js+0x460451)

Address 0x7fff12fb7ff8 is located in stack of thread T0 at offset 312 in frame
    #0 0x592a9f in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5065

  This frame has 8 object(s):
    [32, 56) 'callee'
    [96, 120) 'importObj'
    [160, 184) 'givenPath'
    [224, 248) 'str'
    [288, 304) 'filename'
    [320, 344) 'ret' <== Memory access at offset 312 underflows this variable
    [384, 408) 'typedArray'
    [448, 472) 'exportObj'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow js/src/jit/MIR.h:830:16 in bool js::jit::MDefinition::is<js::jit::MPhi>() const
Shadow bytes around the buggy address:
  0x1000625eefc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000625eefd0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2
  0x1000625eefe0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
=>0x1000625eeff0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 f2[f2]
  0x1000625ef000: 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2
  0x1000625ef010: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1000625ef020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
==31069==ABORTING
Reporter
Comment 1•8 years ago

Assignee
Comment 2•8 years ago
When returning early from EmitBrTable, def might be unassigned. Fantastic test case!
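Comment 2 names the root cause as an output parameter that an early-returning emitter never writes, so the caller reads a stale stack slot (the `ret` underflow ASan reported above). The block below is an added illustration of that defect class and one way to harden it; it is not SpiderMonkey's code, and every name in it (`Def`, `EmitState`, `EmitBranchTableBuggy`, `EmitBranchTableFixed`, the sentinel `gStaleDummy`) is a hypothetical stand-in. The actual fix is in the changeset linked from comment 5.

```cpp
// Added illustration (not SpiderMonkey code): an emitter that returns early
// without writing its out-parameter, next to a hardened version.
// All names here are hypothetical stand-ins.
#include <cstdio>
#include <deque>

// Stand-in for an IR node such as js::jit::MDefinition (hypothetical).
struct Def {
    int kind;
};

// Hypothetical emitter state: the IR nodes built so far (a deque keeps
// pointers to earlier nodes valid across push_back) and a flag telling the
// emitter that the current position is unreachable.
struct EmitState {
    std::deque<Def> nodes;
    bool unreachable = false;
};

// Buggy pattern: on the early-return path `*def` is never written, so the
// caller observes whatever its own stack slot held before the call.
static bool EmitBranchTableBuggy(EmitState& st, Def** def) {
    if (st.unreachable)
        return true;               // early return, *def left untouched
    st.nodes.push_back(Def{1});
    *def = &st.nodes.back();
    return true;
}

// Hardened pattern: establish a well-defined value for `*def` before any
// path can leave the function, so an early return cannot leak stale memory.
static bool EmitBranchTableFixed(EmitState& st, Def** def) {
    *def = nullptr;
    if (st.unreachable)
        return true;               // early return now leaves *def == nullptr
    st.nodes.push_back(Def{1});
    *def = &st.nodes.back();
    return true;
}

// Constructed sentinel standing in for "stale stack contents": a distinct
// object whose address a correct emitter would never hand back.
static Def gStaleDummy{-1};
static Def* const kStaleSentinel = &gStaleDummy;

// Reports whether `emit` leaves the out-parameter untouched on the
// unreachable (early-return) path, the condition behind this crash.
static bool LeavesDefUnassigned(bool (*emit)(EmitState&, Def**)) {
    EmitState st;
    st.unreachable = true;
    Def* def = kStaleSentinel;
    if (!emit(st, &def))
        return false;
    return def == kStaleSentinel;
}

// Caller-side discipline: treat a null def after a successful emit as
// "no value produced" and never dereference it. Returns the node kind, or
// -1 when there is nothing safe to read.
static int KindOrMinusOne(bool (*emit)(EmitState&, Def**), bool unreachable) {
    EmitState st;
    st.unreachable = unreachable;
    Def* def = nullptr;            // the caller initialises its own slot too
    if (!emit(st, &def) || def == nullptr)
        return -1;
    return def->kind;
}

int main() {
    std::printf("buggy leaves def unassigned: %s\n",
                LeavesDefUnassigned(EmitBranchTableBuggy) ? "yes" : "no");
    std::printf("fixed leaves def unassigned: %s\n",
                LeavesDefUnassigned(EmitBranchTableFixed) ? "yes" : "no");
    std::printf("fixed, unreachable path -> %d\n", KindOrMinusOne(EmitBranchTableFixed, true));
    std::printf("fixed, reachable path   -> %d\n", KindOrMinusOne(EmitBranchTableFixed, false));
    return 0;
}
```

The sentinel makes the defect observable without the undefined behaviour of reading a genuinely uninitialised pointer: with the buggy emitter the caller's slot still holds the sentinel after the call, which in the real crash was whatever `WasmLoop`'s frame held and which `setLoopBackedge` then treated as an MDefinition. Initialising the out-parameter at function entry, and having callers initialise their own slot and check for null, closes both ends.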
Updated•8 years ago
Attachment #8730794 - Flags: review?(luke) → review+
Comment 5•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4e843fe5f203
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48