Closed Bug 1289080 Opened 3 years ago Closed 3 years ago

[wasm] Assertion failure: aIndex < mLength, at dist/include/mozilla/Vector.h:465

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Status: RESOLVED FIXED, Target Milestone: mozilla50
Tracking Status: firefox50 --- fixed
People: Reporter: decoder, Assigned: bbouvier
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 2 files

The attached binary WebAssembly testcase crashes on mozilla-inbound revision 07322a610cf8+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell (running with --wasm-always-baseline might be necessary):

// 'file' holds the path to the attached binary testcase (see Attachments)
var data = os.file.readFile(file, 'binary');
Wasm.instantiateModule(new Uint8Array(data.buffer));

Backtrace:

==17674==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000297e3ed bp 0x7ffc0bf046f0 sp 0x7ffc0bf046e0 T0)
    #0 0x297e3ec in mozilla::Vector<js::wasm::TableDesc, 0ul, js::SystemAllocPolicy>::operator[](unsigned long) const dist/include/mozilla/Vector.h:464:5
    #1 0x2b934de in js::wasm::BaseCompiler::emitCallIndirect(unsigned int) js/src/asmjs/WasmBaselineCompile.cpp:5186:32
    #2 0x2ba3cf3 in js::wasm::BaseCompiler::emitBody() js/src/asmjs/WasmBaselineCompile.cpp:6005:13
    #3 0x2bac691 in js::wasm::BaseCompiler::emitFunction() js/src/asmjs/WasmBaselineCompile.cpp:6511:10
    #4 0x2bafa7f in js::wasm::BaselineCompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmBaselineCompile.cpp:6753:10
    #5 0x2a1da4a in js::wasm::CompileFunction(js::wasm::IonCompileTask*) js/src/asmjs/WasmIonCompile.cpp:3408:16
    #6 0x29a78b0 in js::wasm::ModuleGenerator::finishFuncDef(unsigned int, js::wasm::FunctionGenerator*) js/src/asmjs/WasmGenerator.cpp:837:14
    #7 0x29501bf in DecodeFunctionBody(js::wasm::Decoder&, js::wasm::ModuleGenerator&, unsigned int) js/src/asmjs/WasmCompile.cpp:1103:12
    #8 0x29501bf in DecodeCodeSection(js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/asmjs/WasmCompile.cpp:1164
    #9 0x29501bf in js::wasm::Compile(js::wasm::ShareableBytes const&, js::wasm::CompileArgs&&, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/asmjs/WasmCompile.cpp:1445
    #10 0x64619a in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/asmjs/WasmJS.cpp:175:27
    #11 0x5a00ce in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:5270:14
    #12 0x1dac4bd in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
    #25 0x463a78 in _start (/home/ubuntu/build/build/js+0x463a78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dist/include/mozilla/Vector.h:464:5 in mozilla::Vector<js::wasm::TableDesc, 0ul, js::SystemAllocPolicy>::operator[](unsigned long) const
==17674==ABORTING


This is happening very frequently, marking as fuzzblocker.
Attached file Testcase
Simple but efficient test case: one shouldn't be able to call_indirect when there's no table. Found a supplementary case where we can trigger the same kind of issue. I'm on it.
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8774330 - Flags: review?(luke)
Comment on attachment 8774330 [details] [diff] [review]
canttouchthis.patch

Review of attachment 8774330 [details] [diff] [review]:
-----------------------------------------------------------------

whoa, good catch!
Attachment #8774330 - Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/387964e7a8eb
Don't allow call_indirect without a table and memory accesses without memory; r=luke
https://hg.mozilla.org/mozilla-central/rev/387964e7a8eb
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
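A toy decoder-side check for the rule the fix enforces (call_indirect needs a table, loads and stores need a memory), added here as an example; it is not SpiderMonkey's patch. It assumes the finalized MVP binary format (version 1, which the attached testcase predates), a small opcode subset and no imported tables or memories; validate, read_leb and the sample modules are constructed for this example.

```python
# Added toy validator, not SpiderMonkey's patch: reject call_indirect without a
# table and memory ops without a memory at decode time, before any compiler
# indexes them. Assumes MVP format (version 1), a small opcode subset, no imports.
HEADER, OP_CALL_INDIRECT = b"\0asm\x01\0\0\0", 0x11
SEC_TABLE, SEC_MEMORY, SEC_CODE = 4, 5, 10
MEM_OPS = range(0x28, 0x3F)                       # i32.load .. i64.store32
# opcode -> number of LEB128 immediates to skip (memarg: align, offset)
IMMEDIATES = {0x0B: 0, 0x1A: 0, 0x41: 1, OP_CALL_INDIRECT: 2, **dict.fromkeys(MEM_OPS, 2)}

def read_leb(buf, pos):                           # unsigned LEB128 -> (value, next)
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1

def validate(mod):                                # None if ok, else the reason
    assert mod[:8] == HEADER, "bad wasm header"
    secs, pos = {}, 8
    while pos < len(mod):                         # index sections by id
        size, start = read_leb(mod, pos + 1)
        secs[mod[pos]] = mod[start:start + size]
        pos = start + size
    buf = secs.get(SEC_CODE, b"")
    nfuncs, pos = read_leb(buf, 0) if buf else (0, 0)
    for _ in range(nfuncs):
        size, pos = read_leb(buf, pos)
        end = pos + size
        ndecls, pos = read_leb(buf, pos)
        for _ in range(ndecls):                   # skip local declarations
            pos = read_leb(buf, pos)[1] + 1
        while pos < end:
            op, pos = buf[pos], pos + 1
            if op not in IMMEDIATES:
                return "unsupported opcode 0x%02x" % op
            if op == OP_CALL_INDIRECT and SEC_TABLE not in secs:
                return "call_indirect without a table"
            if op in MEM_OPS and SEC_MEMORY not in secs:
                return "memory access without a memory"
            for _ in range(IMMEDIATES[op]):
                pos = read_leb(buf, pos)[1]
    return None

# Constructed samples: one () -> () function: i32.const 0; call_indirect 0; i32.const 0; i32.load; drop; end
def section(sid, payload):                        # payloads < 128 bytes: 1-byte size
    return bytes([sid, len(payload)]) + payload
BODY = b"\x00\x41\x00\x11\x00\x00\x41\x00\x28\x02\x00\x1a\x0b"
TYPE, FUNC = section(1, b"\x01\x60\x00\x00"), section(3, b"\x01\x00")
TABLE, MEMORY = section(4, b"\x01\x70\x00\x01"), section(5, b"\x01\x00\x01")
CODE = section(SEC_CODE, b"\x01" + bytes([len(BODY)]) + BODY)
GOOD = HEADER + TYPE + FUNC + TABLE + MEMORY + CODE
NO_TABLE = HEADER + TYPE + FUNC + MEMORY + CODE   # shape of this bug's testcase
NO_MEMORY = HEADER + TYPE + FUNC + TABLE + CODE
```

A real decoder also has to count imported tables and memories before applying the check, which this toy omits.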