Null-deref crash [@ ToABIFunctionType]

RESOLVED DUPLICATE of bug 1359612

Severity: critical
Reporter: truber (Unassigned)
Blocks: 1 bug
Keywords: crash, csectype-nullptr, testcase
Version: Trunk
Platform: x86_64 Linux
Firefox Tracking Flags: not tracked
Attachments: 1

Description (Reporter, a year ago)

Created attachment 8861573: testcase.js

The attached testcase causes a null dereference in mozilla-central rev a30dc237c3a6.

ASAN:DEADLYSIGNAL
=================================================================
==25497==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000001b9688a bp 0x7ffc1a240fd0 sp 0x7ffc1a240f90 T0)
==25497==The signal is caused by a WRITE memory access.
==25497==Hint: address points to the zero page.
    #0 0x1b96889 in ToABIFunctionType /home/worker/workspace/build/src/js/src/wasm/WasmBuiltins.cpp:917
    #1 0x1b96889 in MaybeGetBuiltinThunk /home/worker/workspace/build/src/js/src/wasm/WasmBuiltins.cpp:940
    #2 0x1bea540 in js::wasm::Instance::Instance(JSContext*, JS::Handle<js::WasmInstanceObject*>, mozilla::UniquePtr<js::wasm::Code, JS::DeletePolicy<js::wasm::Code> >, mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >, JS::Handle<js::WasmMemoryObject*>, mozilla::Vector<RefPtr<js::wasm::Table>, 0ul, js::SystemAllocPolicy>&&, JS::Handle<JS::GCVector<JSFunction*, 0ul, js::TempAllocPolicy> >, mozilla::Vector<js::wasm::Val, 0ul, js::SystemAllocPolicy> const&) /home/worker/workspace/build/src/js/src/wasm/WasmInstance.cpp:360
    #3 0x1c3026b in new_<js::wasm::Instance, JSContext *&, JS::Rooted<js::WasmInstanceObject *> &, mozilla::UniquePtr<js::wasm::Code, JS::DeletePolicy<js::wasm::Code> >, mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >, JS::Handle<js::WasmMemoryObject *> &, mozilla::Vector<RefPtr<js::wasm::Table>, 0, js::SystemAllocPolicy>, JS::Handle<JS::GCVector<JSFunction *, 0, js::TempAllocPolicy> > &, const mozilla::Vector<js::wasm::Val, 0, js::SystemAllocPolicy> &> /home/worker/workspace/build/src/js/src/vm/MallocProvider.h:189
    #4 0x1c3026b in create /home/worker/workspace/build/src/js/src/wasm/WasmJS.cpp:1011
    #5 0x1c26344 in js::wasm::Module::instantiate(JSContext*, JS::Handle<JS::GCVector<JSFunction*, 0ul, js::TempAllocPolicy> >, JS::Handle<js::WasmTableObject*>, JS::Handle<js::WasmMemoryObject*>, mozilla::Vector<js::wasm::Val, 0ul, js::SystemAllocPolicy> const&, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) const /home/worker/workspace/build/src/js/src/wasm/WasmModule.cpp:911
    #6 0x1a43237 in TryInstantiate /home/worker/workspace/build/src/js/src/wasm/AsmJS.cpp:8066
    #7 0x1a43237 in InstantiateAsmJS /home/worker/workspace/build/src/js/src/wasm/AsmJS.cpp:8158
    #8 0x7f9be3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291
    #9 0x7f9be3 in InternalCallOrConstruct /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #10 0x7e282d in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521
    #11 0x7e282d in Interpret /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #12 0x7c8ad8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410
    #13 0x7fc0f7 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699
    #14 0x7fc962 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:731
    #15 0x11e85c7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4544
    #16 0x56ea96 in RunFile /home/worker/workspace/build/src/js/src/shell/js.cpp:714
    #17 0x56ea96 in Process /home/worker/workspace/build/src/js/src/shell/js.cpp:1161
    #18 0x5249b4 in ProcessArgs /home/worker/workspace/build/src/js/src/shell/js.cpp:7923
    #19 0x5249b4 in Shell /home/worker/workspace/build/src/js/src/shell/js.cpp:8286
    #20 0x5249b4 in main /home/worker/workspace/build/src/js/src/shell/js.cpp:8684
    #21 0x7f15911fc510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #22 0x441cd0 in _start (/home/truber/builds/m-c-1493112240-asan-opt/js+0x441cd0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/js/src/wasm/WasmBuiltins.cpp:917 in ToABIFunctionType
==25497==ABORTING

Luke, I guess this is related to bug 1359612?
Flags: needinfo?(luke)

Indeed, confirmed fix by patch in bug 1359612.
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(luke)
Resolution: --- → DUPLICATE
Duplicate of bug: 1359612
status-firefox57: affected → ---