Closed Bug 1263902 Opened 9 years ago Closed 9 years ago

Crash [@ __strlen_sse2_bsf] with OOM and asm.js

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,ignore])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off):

lfLogBuffer = `
buf = new ArrayBuffer(4096)
function ffi() {}
function FFI1(glob, imp, b) {
  "use asm"
  var f32=new glob.Float32Array(b);
  var f64=new glob.Float64Array(b);
  var ffi=imp.ffi;
  function g() {
    ffi(+f64[0]);
  }
  return g;
}
g = FFI1(this, {ffi}, buf)
for (i of a)
  for (j of a) {
    u32 = i;
  }
`.split('\n')
lfCodeBuffer = "";
while (true) {
  line = lfLogBuffer.shift()
  if (line == null) break;
  lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx) {
  oomTest(function() { eval(lfVarx) })
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1  0x085619f1 in js::ExpandErrorArgumentsVA (cx=cx@entry=0xf7a77020, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, messagep=messagep@entry=0xffffa090, reportp=reportp@entry=0xffffa0a0, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=0xffffa138 "\360\004\227\365\315\006\032\b", ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:616
#2  0x08561c6a in js::ReportErrorNumberVA (cx=0xf7a77020, flags=flags@entry=1, callback=callback@entry=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274, argumentsType=argumentsType@entry=js::ArgumentsAreASCII, ap=ap@entry=0xffffa134 "") at js/src/jscntxt.cpp:752
#3  0x08563464 in JS_ReportErrorFlagsAndNumber (cx=cx@entry=0xf7a77020, flags=flags@entry=1, errorCallback=0x8546240 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=274) at js/src/jsapi.cpp:5582
#4  0x081dc9a7 in LinkFail (str=0x0, cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7028
#5  CheckBuffer (buffer=..., bufferVal=..., module=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7434
#6  DynamicallyLinkModule (exportObj=..., moduleObj=..., args=..., cx=0xf7a77020) at js/src/asmjs/AsmJS.cpp:7464
#7  LinkAsmJS (cx=0xf7a77020, argc=3, vp=0xf5625120) at js/src/asmjs/AsmJS.cpp:7626
#8  0x0871e30a in js::CallJSNative (cx=0xf7a77020, native=0x81db3f0 <LinkAsmJS(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#9  0x0871a79d in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
#10 0x0870a38a in Interpret (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:2807
#11 0x0871a51f in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:426
#12 0x0871d30d in js::ExecuteKernel (cx=cx@entry=0xf7a77020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=0xffffaf88) at js/src/vm/Interpreter.cpp:682
#13 0x084c5d2b in EvalKernel (cx=cx@entry=0xf7a77020, args=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., scopeobj=..., scopeobj@entry=..., pc=0xf5750769 "{") at js/src/builtin/Eval.cpp:332
#14 0x084c6732 in js::DirectEval (cx=cx@entry=0xf7a77020, args=...) at js/src/builtin/Eval.cpp:439
#15 0x08280335 in js::jit::DoCallFallback (cx=0xf7a77020, frame=0xffffafc8, stub_=0xf7aaa0b0, argc=1, vp=0xffffaf88, res=...) at js/src/jit/BaselineIC.cpp:6100
#16 0xf7fcedce in ?? ()
#17 0xf7aaa0b0 in ?? ()
#18 0xf7fc8c5c in ?? ()
#19 0x0825cd1a in EnterBaseline (cx=0xf7aaa0b0, cx@entry=0xf7a77020, data=...) at js/src/jit/BaselineJIT.cpp:150
#20 0x0827ab9e in js::jit::EnterBaselineMethod (cx=cx@entry=0xf7a77020, state=...) at js/src/jit/BaselineJIT.cpp:188
#21 0x0871a5bb in js::RunScript (cx=cx@entry=0xf7a77020, state=...) at js/src/vm/Interpreter.cpp:416
#22 0x0871a7fa in js::Invoke (cx=0xf7a77020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:494
#23 0x0871bf4a in js::Invoke (cx=cx@entry=0xf7a77020, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=rval@entry=...) at js/src/vm/Interpreter.cpp:528
#24 0x08556d30 in JS_CallFunction (cx=cx@entry=0xf7a77020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2865
#25 0x0886737b in OOMTest (cx=0xf7a77020, argc=1, vp=0xf56250b8) at js/src/builtin/TestingFunctions.cpp:1311
[...]
#47 main (argc=5, argv=0xffffcc24, envp=0xffffcc3c) at js/src/shell/js.cpp:7443

eax            0x0        0
ebx            0x98a9314  160076564
ecx            0x0        0
edx            0x0        0
esi            0x0        0
edi            0x0        0
ebp            0xffffa068 4294942824
esp            0xffff9fa4 4294942628
eip            0xf7d11e86 <__strlen_sse2_bsf+22>
=> 0xf7d11e86 <__strlen_sse2_bsf+22>:   movdqu (%edi),%xmm1
   0xf7d11e8a <__strlen_sse2_bsf+26>:   pcmpeqb %xmm1,%xmm0
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a196bd265eab
user:        Lars T Hansen
date:        Mon Nov 02 09:07:47 2015 +0100
summary:     Bug 1218643 - remove support for deprecated asm.js heap length. r=luke

This iteration took 328.457 seconds to run.
That patch did not introduce the bug, but it changed a constraint so that an existing OOM problem is revealed. The problem is that if construction of an error message by JS_smprintf fails for OOM reasons, then we start passing a null pointer around. The problem is not exactly pervasive, but this is not the only place it occurs.
Ben, can you look at the AsmJS.cpp changes? Shu, can you look at the Debugger.cpp changes? Thx.
Attachment #8742353 - Flags: review?(shu)
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Attachment #8742353 - Flags: review?(bbouvier)
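An added illustration of the failure mode described in the comment above (this is not SpiderMonkey code and not the patch from this bug): a JS_smprintf-style formatter that returns NULL on OOM, a strlen-based reporter that models the fault as a return value, a LinkFail-style caller with and without the return-value check, and an oomTest-style harness that fails each allocation in turn, the way the fuzzer's oomTest() surfaced this crash. The names `sim_smprintf`, `sim_report`, `link_fail`, `oom_test` and `g_budget` are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int g_budget = -1;   /* simulated allocator: allocations left before OOM; -1 = unlimited */

/* Stand-in for JS_smprintf: printf into a freshly malloc'd buffer, NULL on OOM. */
static char *sim_smprintf(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0 || g_budget == 0) return NULL;   /* format error, or injected OOM */
    if (g_budget > 0) g_budget--;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL) return NULL;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return buf;
}

enum outcome { REPORTED_MESSAGE, REPORTED_OOM, NULL_DEREF };

/* Stand-in for the strlen-based reporter; the NULL case is returned rather than faulting. */
static enum outcome sim_report(const char *msg) {
    if (msg == NULL) return NULL_DEREF;        /* real code: strlen(NULL) -> SIGSEGV */
    (void)strlen(msg);
    return REPORTED_MESSAGE;
}

/* LinkFail-style caller; check_result 0 = code before the patch, 1 = patched code. */
static enum outcome link_fail(const char *detail, int check_result) {
    char *msg = sim_smprintf("asm.js link failure: %s", detail);
    if (check_result && msg == NULL) return REPORTED_OOM;   /* the fix: check JS_smprintf's return */
    enum outcome r = sim_report(msg);
    free(msg);
    return r;
}

/* oomTest-style harness: fail the k-th allocation for k = 0..limit; 1 if link_fail ever derefs NULL. */
static int oom_test(int check_result, int limit) {
    for (int k = 0; k <= limit; k++) {
        g_budget = k;
        if (link_fail("heap too small", check_result) == NULL_DEREF) { g_budget = -1; return 1; }
    }
    g_budget = -1;
    return 0;
}
```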
Comment on attachment 8742353 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742353 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, thanks!
Attachment #8742353 - Flags: review?(bbouvier) → review+
Missed a spot in the JS shell
Attachment #8742355 - Flags: review?(shu)
Attachment #8742355 - Flags: review?(bbouvier)
Attachment #8742353 - Attachment is obsolete: true
Attachment #8742353 - Flags: review?(shu)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

(Cleaning up my own mess here.)

bbouvier r+'d the AsmJS.cpp bits on the previous patch. Shu, can you look at the remaining changes to Debugger.cpp and js.cpp? Thanks.
Attachment #8742355 - Flags: review?(bbouvier)
Comment on attachment 8742355 [details] [diff] [review]
check return value from JS_smprintf

Review of attachment 8742355 [details] [diff] [review]:
-----------------------------------------------------------------

Whoops, thanks for the fix.
Attachment #8742355 - Flags: review?(shu) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 67ac40fb8f68).
Did this somehow land?
Flags: needinfo?(lhansen)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #9)
> Did this somehow land?

Not according to hg.mozilla.org. Note this is 32-bit only. It was reported on Linux but I've repro'd on Mac OS. (There was some bug traffic earlier this month re rewriting the printf library, and if that happened & landed it could have affected the OOM condition here.)
Flags: needinfo?(lhansen)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48