1285927 - Assertion failure: global->as<GlobalObject>().getPrototype(Class::KEY).isUndefined(), at js/src/asmjs/WasmJS.cpp:644

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1bee8d2da23e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --thread-count=2 --arm-asm-nop-fill=1):

oomTest(function() {
    var lfGlobal = newGlobal()
    for (lfLocal in this)
        if (lfLocal) try {}
    catch (lfVare5) {
        fuzzutils.print(+lfVare5)
    }
})


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x084255b2 in InitConstructor<js::WasmMemoryObject> (name=<optimized out>, native=<optimized out>, wasm=..., global=..., cx=<optimized out>) at js/src/asmjs/WasmJS.cpp:644
#0  0x084255b2 in InitConstructor<js::WasmMemoryObject> (name=<optimized out>, native=<optimized out>, wasm=..., global=..., cx=<optimized out>) at js/src/asmjs/WasmJS.cpp:644
#1  js::InitWebAssemblyClass (cx=0xf7948000, global=...) at js/src/asmjs/WasmJS.cpp:687
#2  0x086adea1 in js::GlobalObject::resolveConstructor (cx=0xf7948000, global=..., key=JSProto_WebAssembly) at js/src/vm/GlobalObject.cpp:172
#3  0x086af2c7 in js::GlobalObject::ensureConstructor (key=JSProto_WebAssembly, global=..., cx=0xf7948000) at js/src/vm/GlobalObject.cpp:125
#4  js::GlobalObject::initStandardClasses (cx=0xf7948000, global=...) at js/src/vm/GlobalObject.cpp:425
#5  0x084ec7c2 in JS_EnumerateStandardClasses (cx=0xf7948000, obj=...) at js/src/jsapi.cpp:1096
#6  0x080813ed in global_enumerate (cx=0xf7948000, obj=...) at js/src/shell/js.cpp:6093
#7  0x0853f3c1 in Snapshot (cx=cx@entry=0xf7948000, pobj_=..., pobj_@entry=..., flags=flags@entry=1, props=0xffffb738) at js/src/jsiter.cpp:387
#8  0x08558fdc in js::GetIterator (cx=0xf7948000, obj=..., flags=1, objp=...) at js/src/jsiter.cpp:920
#9  0x08559700 in js::ValueToIterator (cx=0xf7948000, flags=1, vp=...) at js/src/jsiter.cpp:1205
#10 0x084a8067 in js::jit::Simulator::softwareInterrupt (this=0xf7927000, instr=0xf5442404) at js/src/jit/arm/Simulator-arm.cpp:2395
[...]
#16 0x081e72a7 in EnterBaseline (cx=cx@entry=0xf7948000, data=...) at js/src/jit/BaselineJIT.cpp:156
#17 0x081f58ef in js::jit::EnterBaselineMethod (cx=0xf7948000, state=...) at js/src/jit/BaselineJIT.cpp:194
#18 0x086bd230 in js::RunScript (cx=0xf7948000, state=...) at js/src/vm/Interpreter.cpp:389
#19 0x086bd57e in js::InternalCallOrConstruct (cx=0xf7948000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:471
#20 0x086bd7cd in InternalCall (cx=cx@entry=0xf7948000, args=...) at js/src/vm/Interpreter.cpp:498
#21 0x086bd95b in js::Call (cx=0xf7948000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:517
#22 0x08504265 in JS_CallFunction (cx=0xf7948000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2798
#23 0x08862993 in OOMTest (cx=0xf7948000, argc=1, vp=0xf5355058) at js/src/builtin/TestingFunctions.cpp:1360
[...]
#38 main (argc=5, argv=0xffffcc44, envp=0xffffcc5c) at js/src/shell/js.cpp:7518
eax	0x0	0
ebx	0x8baeff4	146468852
ecx	0xf7d9c864	-136722332
edx	0x0	0
esi	0xf7948000	-141262848
edi	0xffffb390	-19568
ebp	0xffffb408	4294947848
esp	0xffffb340	4294947648
eip	0x84255b2 <js::InitWebAssemblyClass(JSContext*, JS::Handle<JSObject*>)+2850>
=> 0x84255b2 <js::InitWebAssemblyClass(JSContext*, JS::Handle<JSObject*>)+2850>:	movl   $0x0,0x0
   0x84255bc <js::InitWebAssemblyClass(JSContext*, JS::Handle<JSObject*>)+2860>:	ud2

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

In InitConstructor, if we return false (e.g. because of an OOM) between the call to 

global->as<GlobalObject>().setPrototype(Class::KEY, ObjectValue(*proto));

and the end of the function, then the next time we'll call InitConstructor for the same class, we'll have a prototype already!

Should we just remove the assertion, or set the prototype only in the success path (at the end of the function, after the final DefineProperty call)?

Comment 3

[Luke Wagner [:luke]]

Thanks for looking into this!  Ah, so the root of the bug is that, even after we fail due to OOM, we don't tear down the whole global, so the init operations must be atomic (all-or-nothing).  Yes, that suggests doing any updates to the global at the end.

Comment 4

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: 1.success-path.patch

This does what's said in previous comment. Not adding the test because it only triggers under an ARM simualtor build with --arm-asm-nop-fill=1 on my machine.

Comment 5

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: 2.strongly-assert-no-errors.patch

Drive-by change to unhide some potential decoding bugs.

Comment 6

[Luke Wagner [:luke]]

Comment on attachment 8770082 [details] [diff] [review]
2.strongly-assert-no-errors.patch

Review of attachment 8770082 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 7

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1cabd2649c82
Set wasm objects prototype only in the success path; r=luke
https://hg.mozilla.org/integration/mozilla-inbound/rev/430b90bebb96
Strongly assert that there is no unhandled error in wasm decoding; r=luke

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/1cabd2649c82
https://hg.mozilla.org/mozilla-central/rev/430b90bebb96