Crash [@ js::wasm::BinaryToAst] or Crash [@ init] with OOM

RESOLVED FIXED in Firefox 53

Status

Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: decoder, Assigned: bbouvier)

Tracking

(Blocks: 2 bugs, {assertion, jsbugmon, testcase})

Version: Trunk
Target Milestone: mozilla53
Platform: x86_64 Linux
Keywords: assertion, jsbugmon, testcase

Firefox Tracking Flags

(firefox52 unaffected, firefox53 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes on mozilla-central revision 31ffcb82ced8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2):

// Fuzzer-reduced harness; needs the SpiderMonkey shell with its testing
// functions (wasmTextToBinary, wasmBinaryToText, oomTest) available.
function _wasmFullPassInternal(assertValueFunc, text, expected, maybeImports, ...args) {
    let binary = wasmTextToBinary(text);
    // Under injected OOM this call crashes inside js::wasm::BinaryToAst
    // (frames #0-#2 in the backtrace below).
    let retext = wasmBinaryToText(binary);
    // `reinstance` is left undefined by the reduction; the crash occurs before
    // this line is reached, and any exception it raises is swallowed in loadFile.
    assertValueFunc(reinstance.exports.run(...args), expected, "Reformed module must return the expected result");
}
function wasmFullPass(text, expected, maybeImports, ...args) {
    _wasmFullPassInternal(assertEq, text, expected, maybeImports, ...args);
}
var lfLogBuffer = `
wasmFullPass('(module (func (result f32) (f32.const -1)) (export "run" 0))', -1);
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
// oomTest re-runs the callback, making the Nth allocation fail for increasing N,
// which is how the unchecked allocation in BinaryToAst gets hit.
function loadFile(lfVarx) {
    try {
      oomTest(function() {
        eval(lfVarx);
      });
    } catch (lfVare) {}
}



Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  js::wasm::BinaryToAst (cx=cx@entry=0x7ffff695f000, bytes=bytes@entry=0x7ffff3203b00 "", length=length@entry=66, lifo=..., module=module@entry=0x7fffffffad58) at js/src/wasm/WasmBinaryToAST.cpp:1890
#1  0x0000000000d157f4 in js::wasm::BinaryToText (cx=cx@entry=0x7ffff695f000, bytes=bytes@entry=0x7ffff3203b00 "", length=length@entry=66, buffer=..., sourceMap=sourceMap@entry=0x0) at js/src/wasm/WasmBinaryToText.cpp:1752
#2  0x000000000083a67b in WasmBinaryToText (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:615
#3  0x00007ffff7e3ab75 in ?? ()
[...]
#6  0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x42	66
rcx	0x7fffffffadd0	140737488334288
rdx	0x42	66
rsi	0x2c0	704
rdi	0x7fffffffadd0	140737488334288
rbp	0x7fffffffacf0	140737488334064
rsp	0x7fffffffa5e0	140737488332256
r8	0x7fffffffad58	140737488334168
r9	0x4	4
r10	0x4	4
r11	0x40	64
r12	0x7ffff3203b00	140737272363776
r13	0x7ffff695f000	140737330409472
r14	0x7fffffffadd0	140737488334288
r15	0x0	0
rip	0xd10988 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2376>
=> 0xd10988 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2376>:	cmpq   $0x0,0x58
   0xd10991 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2385>:	je     0xd10332 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+754>
(Assignee)

Comment 1

2 years ago
Created attachment 8823261 [details] [diff] [review]
oom.patch
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8823261 - Flags: review?(luke)

Updated

2 years ago
Attachment #8823261 - Flags: review?(luke) → review+
(Assignee)

Comment 2

2 years ago
For what it's worth, this code will be made unreachable by the incoming aurora patch in bug 1326452.
status-firefox52: --- → unaffected

Comment 3

2 years ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c35a9bad901c
Check for OOM in BinaryToAST initialization of result; r=luke
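The bug class behind this crash is a fallible allocation whose result is used without a null check: the faulting instruction in the backtrace (`cmpq $0x0,0x58`) compares memory at absolute address 0x58, which is a field read through a null `AstModule*`, and the landed fix checks the allocation of BinaryToAst's result. The program below is an added illustration, not SpiderMonkey code. `FallibleArena` is a constructed stand-in for `js::LifoAlloc` with fault injection, `AstModule`, `binaryToAstUnchecked`, `binaryToAstChecked` and `oomSweep` are names assumed for this example, and the sweep mimics what the shell's `oomTest()` does: count allocations on a clean run, then fail each one in turn and require that the parser reports failure with no module handed back.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>
#include <vector>

// Stand-in for js::LifoAlloc (constructed for this example). Allocation number
// `failAt` (1-based) returns nullptr; failAt == 0 means every allocation succeeds.
class FallibleArena {
  public:
    explicit FallibleArena(unsigned failAt = 0) : failAt_(failAt) {}
    ~FallibleArena() { for (void* p : blocks_) std::free(p); }
    void* alloc(size_t bytes) {
        if (++count_ == failAt_) return nullptr;   // injected OOM
        void* p = std::malloc(bytes);
        if (p) blocks_.push_back(p);
        return p;
    }
    unsigned allocations() const { return count_; }
  private:
    unsigned count_ = 0;
    unsigned failAt_;
    std::vector<void*> blocks_;
};

// Stand-in for js::wasm::AstModule. Its own init() allocates too, so there are two
// distinct OOM points. A field access through a null AstModule* lands at a small
// absolute address, the shape of the `cmpq $0x0,0x58` fault in the backtrace.
struct AstModule {
    uint32_t numFuncs = 0;
    uint32_t numTypes = 0;
    uint32_t* funcIndices = nullptr;
    bool init(FallibleArena& lifo, uint32_t n) {
        funcIndices = static_cast<uint32_t*>(lifo.alloc(n * sizeof(uint32_t)));
        if (!funcIndices) return false;          // OOM inside init() is reported
        numFuncs = n;
        return true;
    }
};

typedef bool (*Parser)(FallibleArena&, uint32_t, AstModule**);

// Before: the arena result goes straight into placement new. Placement new on a
// null pointer yields null without constructing, so `result->init(...)` faults.
// Shown for contrast only; never run it with a failure injected at allocation 1.
bool binaryToAstUnchecked(FallibleArena& lifo, uint32_t numFuncs, AstModule** module) {
    AstModule* result = new (lifo.alloc(sizeof(AstModule))) AstModule();
    if (!result->init(lifo, numFuncs)) return false;
    *module = result;
    return true;
}

// After: each fallible allocation is checked, failure propagates as `false`, and
// the out-parameter is left null so a caller cannot use a half-built module.
bool binaryToAstChecked(FallibleArena& lifo, uint32_t numFuncs, AstModule** module) {
    *module = nullptr;
    void* mem = lifo.alloc(sizeof(AstModule));
    if (!mem) return false;
    AstModule* result = new (mem) AstModule();
    if (!result->init(lifo, numFuncs)) return false;
    *module = result;
    return true;
}

// True when the parser builds a module with no injected failure.
bool parseSucceedsWithoutOom(Parser parse, uint32_t numFuncs) {
    FallibleArena lifo;
    AstModule* m = nullptr;
    return parse(lifo, numFuncs, &m) && m && m->numFuncs == numFuncs;
}

// True when a failure injected at allocation `failAt` is reported cleanly:
// the parser returns false and hands back no module.
bool injectedFailureIsReported(Parser parse, uint32_t numFuncs, unsigned failAt) {
    FallibleArena lifo(failAt);
    AstModule* m = nullptr;
    bool ok = parse(lifo, numFuncs, &m);
    return !ok && m == nullptr;
}

// oomTest-style sweep: count allocations on a clean run, then fail each one in
// turn. Returns true only if every injection point is handled; *injections gets
// the number of points exercised.
bool oomSweep(Parser parse, uint32_t numFuncs, unsigned* injections) {
    unsigned total = 0;
    {
        FallibleArena lifo;
        AstModule* m = nullptr;
        if (!parse(lifo, numFuncs, &m) || !m) return false;
        total = lifo.allocations();
    }
    for (unsigned failAt = 1; failAt <= total; failAt++)
        if (!injectedFailureIsReported(parse, numFuncs, failAt)) return false;
    if (injections) *injections = total;
    return true;
}
```

Sweeping `binaryToAstChecked` passes both injection points; sweeping `binaryToAstUnchecked` would segfault on the first one, which is exactly the signal the fuzzer's `oomTest` produced here. The observed fault is a read through a null pointer plus a field offset, so the impact is a crash rather than memory corruption, but the sweep is the check to keep in place so that new allocation sites in such parsers cannot regress silently.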

Comment 4

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/c35a9bad901c
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53