Closed Bug 1302409 Opened 3 years ago Closed 3 years ago

Crash [@ ??] with asm.js and wasm test mode

Categories: Core :: JavaScript Engine, defect, critical
x86_64 Linux, defect, Not set, critical

Tracking: RESOLVED FIXED, mozilla51
Tracking Status: firefox51 --- fixed

People

(Reporter: decoder, Assigned: luke)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on mozilla-central revision cfdb7af3af2e (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

const USE_ASM = '"use asm";';
function asmCompile() {
    var f = Function.apply(null, arguments);
    return f;
}
try {} catch (e) {}
setJitCompilerOption('wasm.test-mode', 1);
var loadModule_uint16_code = USE_ASM + `
    var atomic_add = stdlib.Atomics.add;
    var i16a = new stdlib.Uint16Array(heap);
    function do_load() {
    }
    function do_add_i(i) {
        i = i|0;
        var v = 0;
        v = atomic_add(i16a, i>>1, 37);
    }
    function do_cas2_i(i) {
        i = i|0;
    }
    return { load: do_load,
        add_i: do_add_i,
        cas2_i: do_cas2_i };
`;
var loadModule_uint16 = asmCompile('stdlib', 'foreign', 'heap', loadModule_uint16_code);
function test_uint16(heap) {
    var i16m = loadModule_uint16(this, {}, heap);
    assertEq(i16m.add_i(("-1" - 1) * 2), 37);
}
var heap = new SharedArrayBuffer(65536);
test_uint16(heap);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x00007ffff7ff40d1 in ?? ()
#0  0x00007ffff7ff40d1 in ?? ()
#1  0x0000000000000000 in ?? ()
rax	0x7ffff7ff4152	140737354088786
rbx	0x7ffff695f000	140737330409472
rcx	0x1ff00	130816
rdx	0x7ffff7ff4000	140737354088448
rsi	0x7ffff03d2cd0	140737223929040
rdi	0xfffffffc	4294967292
rbp	0x7fffffffcc10	140737488342032
rsp	0x7fffffffc6f0	140737488340720
r8	0x1	1
r9	0x3	3
r10	0x7fffffffc8d8	140737488341208
r11	0x7ffff69eee60	140737330998880
r12	0x7fffffffc810	140737488341008
r13	0x7ffff69eeec0	140737330998976
r14	0x7ffff03d2cd0	140737223929040
r15	0x7fff6fcf0000	140735069224960
rip	0x7ffff7ff40d1	140737354088657
=> 0x7ffff7ff40d1:	lock addw $0x25,(%r15,%rdi,1)
   0x7ffff7ff40d9:	xchg   %ax,%ax


Locking this one s-s but I assume wasm test-mode is something not enabled in release builds?
Not s-s, we're hitting the unaligned guard page and the kernel is sending SI_KERNEL as the si_code instead of the normal SI_SEGVACCERR/SI_ADRALN (probably because this is a locked access so maybe it traps into the kernel).  But it reliably crashes and I think the fix is just to remove the si_code checks.
Group: javascript-core-security
Attached patch rm-si_code-assert (obsolete) — Splinter Review
Rather than add an #ifdef SI_KERNEL exception for SI_KERNEL, I think we can just remove these extra checks: they're not protecting us against anything I know of given the other filters we have; they were just "because we can".
Assignee: nobody → luke
Status: NEW → ASSIGNED
Attachment #8790717 - Flags: review?(bbouvier)
Actually, some automation machines (I'm guessing VMs) also return SI_KERNEL but with faultingAddress == null, so this patch adds a special case.  Thankfully, we no longer care what the address is for asm.js/SAB because we simply redirect to OOB; this is just for extra checking.
Attachment #8790717 - Attachment is obsolete: true
Attachment #8790717 - Flags: review?(bbouvier)
Attachment #8790967 - Flags: review?(bbouvier)
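The two comments above describe a change of policy in the out-of-bounds signal handler: the pc being inside JIT code is the filter that matters, the si_code and faulting-address checks are consistency checks, and Linux can deliver SI_KERNEL (with or without an address) for a locked access to the guard page. The following C model is an added illustration, not SpiderMonkey's handler and not the attached patch. The `instance_layout` and `fault_info` structs, the `classify_strict`/`classify_relaxed` functions and the code and heap extents are assumptions of this example; the rip, r15 and rdi values are taken from the register dump in the report.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Fallbacks with the Linux values, used only if <signal.h> does not expose them. */
#ifndef SI_KERNEL
#define SI_KERNEL 0x80
#endif
#ifndef SEGV_ACCERR
#define SEGV_ACCERR 2
#endif
#ifndef BUS_ADRALN
#define BUS_ADRALN 1
#endif

enum fault_verdict {
    FAULT_NOT_OURS = 0,     /* not a heap access from JIT code: let the fault crash the process */
    FAULT_OOB_REDIRECT = 1  /* guard-region hit from JIT code: redirect execution to the OOB path */
};

/* Hypothetical layout of one asm.js/wasm instance: its JIT code range and its
   linear-memory mapping (accessible bytes followed by guard pages). */
struct instance_layout {
    uint64_t code_base, code_len;
    uint64_t heap_base, heap_mapped_len;
};

/* The parts of siginfo_t/ucontext_t the classifier needs. A real SA_SIGINFO
   handler would fill this from info->si_code, info->si_addr and the saved pc. */
struct fault_info {
    int signo;
    int si_code;
    uint64_t pc;
    uint64_t addr;   /* 0 when the kernel or VM supplied no faulting address */
};

static bool in_range(uint64_t base, uint64_t len, uint64_t x) {
    return x >= base && x - base < len;
}

/* Primary filter in both versions: the faulting pc must lie in this instance's JIT code. */
static bool pc_in_jit_code(const struct instance_layout *l, const struct fault_info *f) {
    return in_range(l->code_base, l->code_len, f->pc);
}

static bool textbook_code(const struct fault_info *f) {
    return (f->signo == SIGSEGV && f->si_code == SEGV_ACCERR) ||
           (f->signo == SIGBUS  && f->si_code == BUS_ADRALN);
}

/* "Before": insist on the textbook si_code values. A locked read-modify-write that
   lands on the guard page arrives with si_code == SI_KERNEL, fails this test and
   is left to crash the process, even though the pc is in JIT code. */
enum fault_verdict classify_strict(const struct instance_layout *l, const struct fault_info *f) {
    if (!pc_in_jit_code(l, f) || !textbook_code(f))
        return FAULT_NOT_OURS;
    return in_range(l->heap_base, l->heap_mapped_len, f->addr) ? FAULT_OOB_REDIRECT : FAULT_NOT_OURS;
}

/* "After": SI_KERNEL is accepted alongside the textbook codes. The address is still
   checked when one is supplied; the one exception is SI_KERNEL with a null address,
   which some VMs produce, where the pc filter alone decides. */
enum fault_verdict classify_relaxed(const struct instance_layout *l, const struct fault_info *f) {
    if (!pc_in_jit_code(l, f))
        return FAULT_NOT_OURS;
    if (!textbook_code(f) && f->si_code != SI_KERNEL)
        return FAULT_NOT_OURS;
    if (f->si_code == SI_KERNEL && f->addr == 0)
        return FAULT_OOB_REDIRECT;
    return in_range(l->heap_base, l->heap_mapped_len, f->addr) ? FAULT_OOB_REDIRECT : FAULT_NOT_OURS;
}

/* Constructed from the register dump in the report: rip is the faulting `lock addw`,
   r15 the heap base and rdi the byte index 0xfffffffc. The code extent and the
   4 GiB + 64 KiB heap mapping are assumptions of this example, not measured values. */
static const struct instance_layout bug_layout = {
    .code_base = 0x7ffff7ff4000ULL, .code_len = 0x1000,
    .heap_base = 0x7fff6fcf0000ULL, .heap_mapped_len = (1ULL << 32) + 0x10000,
};
static const uint64_t bug_pc = 0x7ffff7ff40d1ULL;

/* The fault from the report: locked access into the guard region, reported as SI_KERNEL. */
static struct fault_info fault_locked_guard(void) {
    struct fault_info f = { SIGSEGV, SI_KERNEL, bug_pc, bug_layout.heap_base + 0xfffffffcULL };
    return f;
}
/* The automation corner case: SI_KERNEL with no faulting address at all. */
static struct fault_info fault_vm_null_addr(void) {
    struct fault_info f = { SIGSEGV, SI_KERNEL, bug_pc, 0 };
    return f;
}
/* An ordinary guard-page hit, as a plain load or store would report it. */
static struct fault_info fault_textbook(void) {
    struct fault_info f = { SIGSEGV, SEGV_ACCERR, bug_pc, bug_layout.heap_base + 0x20000 };
    return f;
}
/* SI_KERNEL raised from code outside the JIT: must never be swallowed as an OOB. */
static struct fault_info fault_foreign_pc(void) {
    struct fault_info f = { SIGSEGV, SI_KERNEL, 0x400000ULL, 0 };
    return f;
}

int verdict_strict(struct fault_info f)  { return classify_strict(&bug_layout, &f); }
int verdict_relaxed(struct fault_info f) { return classify_relaxed(&bug_layout, &f); }

int main(void) {
    printf("locked guard hit: strict=%d relaxed=%d\n", verdict_strict(fault_locked_guard()), verdict_relaxed(fault_locked_guard()));
    printf("VM null address:  strict=%d relaxed=%d\n", verdict_strict(fault_vm_null_addr()), verdict_relaxed(fault_vm_null_addr()));
    printf("foreign pc:       strict=%d relaxed=%d\n", verdict_strict(fault_foreign_pc()), verdict_relaxed(fault_foreign_pc()));
    return 0;
}
```

The point the model makes explicit is that accepting SI_KERNEL is safe only because the pc-in-JIT-code check runs first: a kernel-originated fault from anywhere else still falls through to the normal crash path, which is the "other filters" the second comment relies on.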
Comment on attachment 8790967 [details] [diff] [review]
rm-si_code-assert

Review of attachment 8790967 [details] [diff] [review]:
-----------------------------------------------------------------

Oh boy.
Attachment #8790967 - Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a8384642fc3e
Baldr: handle Linux si_code == SI_KERNEL corner case in out-of-bounds signal handler (r=bbouvier)
https://hg.mozilla.org/mozilla-central/rev/a8384642fc3e
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51