Closed Bug 1353350 Opened 7 years ago Closed 7 years ago

[wasm] Crash [@ ??]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1341650
Tracking Status
firefox55 --- affected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

The attached binary WebAssembly testcase crashes on mozilla-inbound revision fbe76e704b6b+ (built with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell:

// 'file' is the path of the attached testcase binary
var data = os.file.readFile(file, 'binary');
new WebAssembly.Instance(new WebAssembly.Module(data.buffer));

Backtrace:

==7669==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x162aa520a140 bp 0x7ffcdb232d50 sp 0x7ffcdb232440 T0)
==7669==The signal is caused by a READ memory access.
==7669==Hint: address points to the zero page.
    #0 0x162aa520a13f  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>) 
==7669==ABORTING

Marking s-s because there is no stack. But the crash looks like it might be a null-deref.
Attached file Testcase
cset fbe76e704b6b is from bug 1338002 (when we temporarily accepted 0xd and 0x1) and I can repro at that cset.  The test case is actually an 0xd binary, but I can repro if I flip the version to 0x1.  Updating to 391047948db4 (when wasm was enabled by default) and on mozilla-inbound tip, I can't reproduce, I just get a safe runtime unreachable trap.

decoder, can you confirm this issue has been fixed?  Perhaps a bot could also auto-bisect the fix?
Flags: needinfo?(choller)
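The two steps discussed above, a reproducer that instantiates a binary and retargeting its header version from 0xd to 0x1, as an added JavaScript example that is not part of this bug report or of SpiderMonkey. The module bytes are hand-built for this example: they export one function executing current_memory (the instruction named in the fix for bug 1341650), and a helper flips the version field so you can see which variant a current engine validates.

```javascript
// Added example (not from the bug report): a minimal, valid wasm module that
// exports one function executing current_memory (memory.size, opcode 0x3f),
// plus a helper that rewrites the version field at byte offset 4, as done to
// turn the 0xd testcase into a 0x1 binary. Bytes are constructed by hand.
const MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                             // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                             // version 1 (little-endian u32)
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,           // type section: () -> i32
  0x03, 0x02, 0x01, 0x00,                             // function section: func 0 uses type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                       // memory section: min 1 page, no max
  0x07, 0x08, 0x01, 0x04, 0x73, 0x69, 0x7a, 0x65, 0x00, 0x00, // export "size" = func 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x3f, 0x00, 0x0b,     // code: current_memory; end
]);

// Return a copy of `bytes` with the header version field set to `version`.
function withVersion(bytes, version) {
  const out = new Uint8Array(bytes);
  new DataView(out.buffer).setUint32(4, version, true);
  return out;
}

// Read the header version field of a wasm binary.
function readVersion(bytes) {
  return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getUint32(4, true);
}

// Instantiate the module and call the exported current_memory; one page -> 1.
function currentMemoryPages(bytes = MODULE) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  return instance.exports.size();
}

// Validate the same module under both header versions. Current engines only
// accept version 1, so the 0xd variant is rejected before any code runs.
function validateBothVersions() {
  return {
    v1: WebAssembly.validate(withVersion(MODULE, 0x1)),
    vd: WebAssembly.validate(withVersion(MODULE, 0xd)),
  };
}

console.log(currentMemoryPages(), readVersion(MODULE), validateBothVersions());
```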
Also, just as a quick sanity check, the failure also does not repro on mozilla-beta tip or mozilla-aurora tip.
I'll try and autoBisect the fix but I won't be able to get to this till later.
Flags: needinfo?(gary)
Attached file Testcase (as 0x1)
For bisection, you'll want to use the attached 0x1 binary.  Thanks!
Manual bisection done:

The first good revision is:
changeset:   344397:78329879784e
user:        Benjamin Bouvier <benj@benj.me>
date:        Wed Feb 22 18:44:34 2017 +0100
summary:     Bug 1341650: Pass TLS when calling wasm current_memory in the Ion backend; r=luke

I've checked the crash, and it looks like we're loading something from the TLS register but the register hasn't been reloaded, so it matches the fix description.

Resolving as a duplicate of bug 1341650, also found by awsm.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(gary)
Flags: needinfo?(choller)
Resolution: --- → DUPLICATE
Group: javascript-core-security
