Closed
Bug 1328151
Opened 7 years ago
Closed 7 years ago
Crash [@ js::wasm::BinaryToAst] or Crash [@ init] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | unaffected |
| firefox53 | --- | fixed |
People
(Reporter: decoder, Assigned: bbouvier)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments
(1 file)
|
1021 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 31ffcb82ced8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2):
function _wasmFullPassInternal(assertValueFunc, text, expected, maybeImports, ...args) {
let binary = wasmTextToBinary(text);
let retext = wasmBinaryToText(binary);
assertValueFunc(reinstance.exports.run(...args), expected, "Reformed module must return the expected result");
}
function wasmFullPass(text, expected, maybeImports, ...args) {
_wasmFullPassInternal(assertEq, text, expected, maybeImports, ...args);
}
var lfLogBuffer = `
wasmFullPass('(module (func (result f32) (f32.const -1)) (export "run" 0))', -1);
`;
loadFile(lfLogBuffer);
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
try {
oomTest(function() {
eval(lfVarx);
});
} catch (lfVare) {}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::wasm::BinaryToAst (cx=cx@entry=0x7ffff695f000, bytes=bytes@entry=0x7ffff3203b00 "", length=length@entry=66, lifo=..., module=module@entry=0x7fffffffad58) at js/src/wasm/WasmBinaryToAST.cpp:1890
#0 js::wasm::BinaryToAst (cx=cx@entry=0x7ffff695f000, bytes=bytes@entry=0x7ffff3203b00 "", length=length@entry=66, lifo=..., module=module@entry=0x7fffffffad58) at js/src/wasm/WasmBinaryToAST.cpp:1890
#1 0x0000000000d157f4 in js::wasm::BinaryToText (cx=cx@entry=0x7ffff695f000, bytes=bytes@entry=0x7ffff3203b00 "", length=length@entry=66, buffer=..., sourceMap=sourceMap@entry=0x0) at js/src/wasm/WasmBinaryToText.cpp:1752
#2 0x000000000083a67b in WasmBinaryToText (cx=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:615
#3 0x00007ffff7e3ab75 in ?? ()
[...]
#6 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x42 66
rcx 0x7fffffffadd0 140737488334288
rdx 0x42 66
rsi 0x2c0 704
rdi 0x7fffffffadd0 140737488334288
rbp 0x7fffffffacf0 140737488334064
rsp 0x7fffffffa5e0 140737488332256
r8 0x7fffffffad58 140737488334168
r9 0x4 4
r10 0x4 4
r11 0x40 64
r12 0x7ffff3203b00 140737272363776
r13 0x7ffff695f000 140737330409472
r14 0x7fffffffadd0 140737488334288
r15 0x0 0
rip 0xd10988 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2376>
=> 0xd10988 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2376>: cmpq $0x0,0x58
0xd10991 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+2385>: je 0xd10332 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+754>
|
Assignee | |
Comment 1•7 years ago
|
||
|
||
Updated•7 years ago
|
Attachment #8823261 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 2•7 years ago
|
||
For what it's worth, this code will be made unreachable by the incoming aurora patch in bug 1326452.
status-firefox52:
--- → unaffected
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c35a9bad901c Check for OOM in BinaryToAST initialization of result; r=luke
|
||
Comment 4•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/c35a9bad901c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in
before you can comment on or make changes to this bug.
Description
•