1315839 - [wasm] Crash [@ JSObject::getClass] with wasmExtractCode

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 908557c762f7 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

lfLogBuffer = `
  var module = new WebAssembly.Module(wasmTextToBinary(\`(module (func ))\`));
  wasmExtractCode(module);
`;
loadFile();
loadFile();
function loadFile()
  oomTest(Function(lfLogBuffer))



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x084eb94d in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#0  0x084eb94d in JSObject::getClass (this=<optimized out>) at js/src/jsobj.h:127
#1  DefinePropertyById (cx=cx@entry=0xf7953000, obj=obj@entry=..., id=..., id@entry=..., value=..., get=..., set=..., attrs=<optimized out>, flags=0) at js/src/jsapi.cpp:2134
#2  0x084ebe49 in DefineProperty (cx=cx@entry=0xf7953000, obj=..., obj@entry=..., name=name@entry=0x8a63aff "begin", value=..., getter=..., setter=..., attrs=1, flags=0) at js/src/jsapi.cpp:2227
#3  0x084ebf67 in JS_DefineProperty (cx=0xf7953000, obj=..., name=0x8a63aff "begin", value=..., attrs=1, getter=0x0, setter=0x0) at js/src/jsapi.cpp:2236
#4  0x088dbc0b in js::wasm::Module::extractCode (this=0xf7931800, cx=0xf7953000, vp=...) at js/src/wasm/WasmModule.cpp:532
#5  0x0846b798 in WasmExtractCode (cx=0xf7953000, argc=1, vp=0xffffbc20) at js/src/builtin/TestingFunctions.cpp:649
#6  0xf7bedf75 in ?? ()
[...]
#31 main (argc=4, argv=0xffffcde4, envp=0xffffcdf8) at js/src/shell/js.cpp:7931
eax	0x0	0
ebx	0x0	0
ecx	0x0	0
edx	0x1	1
esi	0xffffbb30	-17616
edi	0xf7953000	-141217792
ebp	0xffffb9a8	4294949288
esp	0xffffb920	4294949152
eip	0x84eb94d <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1053>
=> 0x84eb94d <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1053>:	mov    (%ecx),%ecx
   0x84eb94f <DefinePropertyById(JSContext*, JS::HandleObject, JS::HandleId, JS::HandleValue, JSNativeWrapper const&, JSNativeWrapper const&, unsigned int, unsigned int)+1055>:	mov    (%ecx),%ecx

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20161013111919" and the hash "9126be480c4594a25352ce6e585fb8b6afe5ef6f".
The "bad" changeset has the timestamp "20161013112119" and the hash "860ba5468626ee1c99780b3879f7c2009054c0b3".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9126be480c4594a25352ce6e585fb8b6afe5ef6f&tochange=860ba5468626ee1c99780b3879f7c2009054c0b3

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: extract-null-check.patch

Just a missing null check. Test case not added because it's related to oom timing + extractCode is shell-only.

Comment 3

[Luke Wagner [:luke]]

Comment on attachment 8808527 [details] [diff] [review]
extract-null-check.patch

Review of attachment 8808527 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

Comment 4

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5189ddac9614
Add null-check in wasmExtractCode; r=luke

Comment 5

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/5189ddac9614