Closed Bug 1329632 Opened 5 years ago Closed 5 years ago

Crash [@ strlen] with wasm

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

53 Branch
x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 701868bfddcb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

const USE_ASM = '"use asm";';
// Instantiate the asm.js module; Array.slice(arguments, 1) is the
// SpiderMonkey shell's generic Array.slice applied to the arguments object.
function asmLink(f) {
    var ret = f.apply(null, Array.slice(arguments, 1));
    return ret;
}
// Turn on SPS profiling so wasm builds profiling frame labels on the next call.
enableSPSProfiling();
// fileName: null leaves the module metadata without a filename string.
var code = evaluate("(function() { " + USE_ASM + " function g() { return 43 } return g})", {
    fileName: null
});
code(asmLink(code)(), 43);



Backtrace:

 received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x0000000000cf9f36 in js::wasm::Code::ensureProfilingState (this=0x7ffff023c9e0, rt=rt@entry=0x7ffff695f208, newProfilingEnabled=newProfilingEnabled@entry=true) at js/src/wasm/WasmCode.cpp:776
#2  0x0000000000d2d553 in js::wasm::Instance::ensureProfilingState (this=0x7ffff03ecd00, cx=cx@entry=0x7ffff695f000, newProfilingEnabled=newProfilingEnabled@entry=true) at js/src/wasm/WasmInstance.cpp:800
#3  0x0000000000cf5eef in js::wasm::Compartment::ensureProfilingState (this=0x7ffff692c428, cx=0x7ffff695f000) at js/src/wasm/WasmCompartment.cpp:159
#4  0x0000000000d34f85 in js::wasm::Instance::callExport (this=this@entry=0x7ffff03ecd00, cx=cx@entry=0x7ffff695f000, funcIndex=4097, args=...) at js/src/wasm/WasmInstance.cpp:538
#5  0x0000000000d35ced in WasmCall (cx=cx@entry=0x7ffff695f000, argc=<optimized out>, vp=<optimized out>) at js/src/wasm/WasmJS.cpp:1046
#6  0x000000000054cae1 in js::CallJSNative (cx=cx@entry=0x7ffff695f000, native=0xd35c40 <WasmCall(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
#7  0x0000000000542551 in js::InternalCallOrConstruct (cx=0x7ffff695f000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:457
#8  0x000000000053472e in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:508
#9  Interpret (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:2928
#10 0x0000000000542275 in js::RunScript (cx=0x7ffff695f000, state=...) at js/src/vm/Interpreter.cpp:403
#11 0x0000000000544aa8 in js::ExecuteKernel (cx=0x7ffff695f000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:684
#12 0x0000000000544ee8 in js::Execute (cx=cx@entry=0x7ffff695f000, script=script@entry=..., envChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:717
#13 0x0000000000888932 in ExecuteScript (cx=0x7ffff695f000, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#14 0x00000000008a5f60 in JS_ExecuteScript (cx=0x7ffff695f000, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#15 0x000000000042bc0e in RunFile (compileOnly=<optimized out>, file=0x7ffff031c400, filename=<optimized out>, cx=0x7ffff695f000) at js/src/shell/js.cpp:647
#16 Process (cx=<optimized out>, filename=<optimized out>, forceTTY=forceTTY@entry=false, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1078
#17 0x0000000000438620 in ProcessArgs (op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7207
#18 Shell (envp=<optimized out>, op=0x7fffffffdaa0, cx=0x7ffff695f000) at js/src/shell/js.cpp:7569
#19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7947
rax	0x0	0
rbx	0x7ffff023c9e0	140737222265312
rcx	0x0	0
rdx	0x3	3
rsi	0x116867b	18253435
rdi	0x0	0
rbp	0x7fffffffc5b0	140737488340400
rsp	0x7fffffffc488	140737488340104
r8	0x2	2
r9	0x1168601	18253313
r10	0x7ffff691e120	140737330143520
r11	0x1	1
r12	0x7fffffffc530	140737488340272
r13	0x7ffff03e19f0	140737223989744
r14	0x7fffffffc540	140737488340288
r15	0x1	1
rip	0x7ffff6bbcd16 <strlen+38>
=> 0x7ffff6bbcd16 <strlen+38>:	movdqu (%rax),%xmm4
   0x7ffff6bbcd1a <strlen+42>:	pcmpeqb %xmm0,%xmm4


This is very likely a call on a NULL ptr, so not marking s-s.
Blocks: 1326501
Component: JavaScript Engine → JavaScript Engine: JIT
Priority: -- → P1
Attached patch 1329632.patch
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8825027 - Flags: review?(luke)
// Same trigger as the first testcase: profiling enabled, then a module
// compiled with fileName: null is called.
enableSPSProfilingWithSlowAssertions();
evaluate("\
    f = (function(s, n, h) {\
        \"use asm\";\
        function f() {}\
        return f;\
    })();\
    f();\
", {
    fileName: null
});

is another testcase, bisecting also to bug 1326501. Was about to report this when I got distracted. :-/
Comment on attachment 8825027: 1329632.patch

Review of attachment 8825027:
-----------------------------------------------------------------

Arg, I always forget the null filename.  Thanks for the test and fix!

::: js/src/wasm/WasmCode.cpp
@@ +777,5 @@
> +            if (const char* filename = metadata_->filename.get()) {
> +                if (!name.append(filename, strlen(filename)))
> +                    return false;
> +            } else if (!name.append('?')) {
> +                return false;

nit: in these cases, I think it reads slightly better as:
 else {
   if (!name.append('?'))
     return false;
 }
Attachment #8825027 - Flags: review?(luke) → review+
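The pattern the patch applies, as an added example and not code from the SpiderMonkey tree: a profiling label builder that treats a null filename (the `fileName: null` case from the testcases) as a placeholder instead of handing the pointer to strlen. The `FuncMeta` struct, the `"<func> (<file>:<line>)` label format and the decision to treat an empty string like a null one are assumptions made for this example; the patch itself only checks for null.

```cpp
#include <cassert>
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical stand-in for the per-function metadata a profiler label
// is built from (assumption for this example, not SpiderMonkey's layout).
struct FuncMeta {
    const char* funcName;   // may be null for an anonymous function
    const char* filename;   // null when the script had no filename (fileName: null)
    unsigned lineNo;
};

// Appends `s` to `out` if it is a non-null, non-empty C string and reports
// whether it did. strlen on a null pointer is undefined behaviour and is
// exactly what crashed in the backtrace above (rdi = 0 on entry to strlen).
static bool appendIfPresent(std::string& out, const char* s) {
    if (s == nullptr || *s == '\0')
        return false;
    out.append(s, strlen(s));
    return true;
}

// Builds "<func> (<file>:<line>)", substituting '?' for a missing filename,
// the same fallback the patch introduces for the null case.
std::string profilingLabel(const FuncMeta& m) {
    std::string label;
    if (!appendIfPresent(label, m.funcName))
        label.append("<anonymous>");
    label.append(" (");
    if (!appendIfPresent(label, m.filename))
        label.push_back('?');
    label.push_back(':');
    label.append(std::to_string(m.lineNo));
    label.push_back(')');
    return label;
}

// The three inputs that matter: a real filename, an empty one, and null.
// Returns true when all three produce a well-formed label.
bool demoLabels() {
    const FuncMeta withFile{"g", "foo.js", 1};      // constructed sample
    const FuncMeta emptyFile{"g", "", 1};           // constructed sample
    const FuncMeta nullFile{"g", nullptr, 1};       // the crashing input
    return profilingLabel(withFile) == "g (foo.js:1)" &&
           profilingLabel(emptyFile) == "g (?:1)" &&
           profilingLabel(nullFile) == "g (?:1)";
}

int main() {
    const FuncMeta nullFile{nullptr, nullptr, 7};
    std::printf("%s\n", profilingLabel(nullFile).c_str());
    return demoLabels() ? 0 : 1;
}
```

The point of routing every C string through one null-aware helper is that the choice made in the patch has to be repeated for each string that goes into the label (function name as well as filename); a single helper keeps a later field from reintroducing the same strlen(nullptr) path.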
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/158fc2a37dc6
Add a null-check for empty filenames in wasm stack traces; r=luke
Version: Trunk → 53 Branch
https://hg.mozilla.org/mozilla-central/rev/158fc2a37dc6
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53