Bug 1353350 (Closed)
Opened 7 years ago, closed 7 years ago
Title: [wasm] Crash [@ ??]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1341650

 | Tracking | Status
---|---|---
firefox55 | --- | affected

People: Reporter: decoder, Unassigned
Keywords: crash, testcase
Attachments: 2 files
The attached binary WebAssembly testcase crashes on mozilla-inbound revision fbe76e704b6b+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug).

To reproduce, you can run the following code in the JS shell:

    var data = os.file.readFile(file, 'binary');
    new WebAssembly.Instance(new WebAssembly.Module(data.buffer));

Backtrace:

    ==7669==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x162aa520a140 bp 0x7ffcdb232d50 sp 0x7ffcdb232440 T0)
    ==7669==The signal is caused by a READ memory access.
    ==7669==Hint: address points to the zero page.
        #0 0x162aa520a13f (<unknown module>)
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (<unknown module>)
    ==7669==ABORTING

Marking s-s because there is no stack. But the crash looks like it might be a null-deref.
Comment 1 • 7 years ago (Reporter)

Comment 2 • 7 years ago
cset fbe76e704b6b is from bug 1338002 (when we temporarily accepted 0xd and 0x1) and I can repro at that cset. The test case is actually an 0xd binary, but I can repro if I flip the version to 0x1.

Updating to 391047948db4 (when wasm was enabled by default) and on mozilla-inbound tip, I can't reproduce, I just get a safe runtime unreachable trap.

decoder, can you confirm this issue has been fixed? Perhaps a bot could also auto-bisect the fix?
Flags: needinfo?(choller)
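Comment 2 retries the 0xd testcase by flipping its header version to 0x1. The helper below is an added example for doing that reproducibly in a triage or bisection workflow; it is not code from the bug report or from the SpiderMonkey project. The only format facts it relies on are the 4-byte magic `\0asm` followed by a little-endian u32 version; the function names, the sample module bytes and the workflow around them are assumptions.

```python
# Added example (not part of the bug report): normalise the version field of a
# WebAssembly binary so a pre-MVP (0xd) testcase can be retried as MVP (0x1),
# as comment 2 describes. Only the header is touched; the body is preserved.
import struct

WASM_MAGIC = b"\x00asm"   # bytes 0..3 of every wasm binary
MVP_VERSION = 0x1         # version accepted by shipping engines
PRE_MVP_VERSION = 0xD     # experimental pre-MVP version the testcase uses

# Constructed sample: magic, version 0xd, then a type section declaring one
# function type with no params/results. Not the attached testcase.
SAMPLE_PRE_MVP = (
    WASM_MAGIC
    + struct.pack("<I", PRE_MVP_VERSION)
    + b"\x01\x04\x01\x60\x00\x00"
)


def wasm_version(data: bytes) -> int:
    """Return the header version of a wasm binary, or raise on a bad header."""
    if len(data) < 8 or data[:4] != WASM_MAGIC:
        raise ValueError("not a WebAssembly binary: bad magic or truncated header")
    return struct.unpack_from("<I", data, 4)[0]


def with_version(data: bytes, version: int = MVP_VERSION) -> bytes:
    """Return a copy of `data` with the header version replaced.

    The magic is validated first so a non-wasm file is rejected rather than
    silently rewritten; bytes after the 8-byte header are copied unchanged.
    """
    wasm_version(data)
    return data[:4] + struct.pack("<I", version) + data[8:]


def needs_flip(data: bytes) -> bool:
    """True when the binary carries the pre-MVP version and should be retried as 0x1."""
    return wasm_version(data) == PRE_MVP_VERSION


if __name__ == "__main__":
    # Typical use: read the attached testcase, write an 0x1 variant beside it.
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(src, "rb").read() if src else SAMPLE_PRE_MVP
    print("input version: 0x%x" % wasm_version(blob))
    if needs_flip(blob):
        out = with_version(blob)
        if src:
            open(src + ".v1.wasm", "wb").write(out)
        print("rewrote header to version 0x%x" % wasm_version(out))
```

Run with the testcase path as the only argument to emit a `.v1.wasm` sibling that the JS shell snippet from the description can load; with no argument it exercises the constructed sample.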
Comment 3 • 7 years ago
Also, just as a quick sanity check, the failure also does not repro on mozilla-beta tip or mozilla-aurora tip.
I'll try and autoBisect the fix but I won't be able to get to this till later.
Flags: needinfo?(gary)
Comment 5 • 7 years ago
For bisection, you'll want to use the attached 0x1 binary. Thanks!
Comment 6 • 7 years ago
Manual bisection done. The first good revision is:

    changeset: 344397:78329879784e
    user: Benjamin Bouvier <benj@benj.me>
    date: Wed Feb 22 18:44:34 2017 +0100
    summary: Bug 1341650: Pass TLS when calling wasm current_memory in the Ion backend; r=luke

I've checked the crash, and it looks like we're loading something from the TLS register but the register hasn't been reloaded, so it matches the fix description. Resolving as a duplicate of bug 1341650, also found by awsm.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gary)
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Updated • 4 years ago
Group: javascript-core-security