[wasm] Crash [@ js_free]

RESOLVED FIXED in Firefox 56

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 7 months ago
Modified: 6 months ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 2 bugs, {crash, jsbugmon, testcase})

Version: Trunk
Target Milestone: mozilla56
Platform: x86_64
OS: Linux
Keywords: crash, jsbugmon, testcase
Points: ---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox54 unaffected, firefox55 unaffected, firefox56 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 months ago
The following testcase crashes on mozilla-central revision cc903e3f6189 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

oomTest(function () {
    new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
        (module
            (global
                (mut i64)
                (i64.const 0)
            )
            (func)
            (global
                (mut f64)
                (f64.const 0)
            )
            (func
                (result f64)
                get_global 1
            )
            (global
                (mut i64)
                (i64.const 0)
            )
            (func
                i64.const 0
                i64.const 0
                i32.const 0
                select
                call 1
                set_global 1
                set_global 2
            )
            (func
                (result i64)
                (param f64)
                (param i64)
                (param i32)
                get_local 2
                i64.const 0
                i64.const 0
                i32.const 0
                select
                drop
                i64.extend_s/i32
            )
            (func
                (result f32)
                (param i32)
                (param i64)
                (param f32)
                f64.const 0
                f64.const 0
                i32.const 0
                select
                get_local 1
                get_local 2
                i32.const 0
                i32.const 0
                i32.const 0
                select
                drop
                drop
                drop
                f32.demote/f64
                f64.const 0
                f64.const 0
                i32.const 0
                select
                set_global 1
                i32.const 0
                i32.const 0
                i32.const 0
                select
                i64.const 0
                get_global 2
                drop
                drop
                drop
            )
        )
    `)));
})

Backtrace:

#0  js_free (p=<error reading variable: Cannot access memory at address 0x20>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:257
#1  js::wasm::GlobalSegment::~GlobalSegment (this=0x7fd144616250, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:878
#2  js_delete<js::wasm::GlobalSegment> (p=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:383
#3  JS::DeletePolicy<js::wasm::GlobalSegment>::operator() (this=<optimized out>, ptr=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:485
#4  mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >::reset (aPtr=0x0, this=0x7fff2d04dfe0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/mozilla/UniquePtr.h:343
/snip

For detailed crash information, see attachment.

js_free is on the stack, setting s-s as a start.
(Reporter)

Comment 1

7 months ago
Created attachment 8881831 [details]
Detailed Crash Information
(Reporter)

Comment 2

7 months ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ba901f83a5fd
user:        Luke Wagner
date:        Fri Jun 23 18:03:19 2017 -0500
summary:     Bug 1374218 - Baldr: ensure alignment of TlsData (r=lth)

Luke, is bug 1374218 a likely regressor?
Flags: needinfo?(luke)
Summary: Crash [@ js_free] → Crash [@ js_free] involving wasm
(Reporter)

Updated

7 months ago
Summary: Crash [@ js_free] involving wasm → [wasm] Crash [@ js_free]
(Assignee)

Comment 3

7 months ago
Created attachment 8882045 [details] [diff] [review]
fix-oom

D'oh, this code was implicitly relying before on js_free(nullptr) being a nop.
Assignee: nobody → luke
Flags: needinfo?(luke)
Attachment #8882045 - Flags: review?(lhansen)
(Assignee)

Comment 4

7 months ago
Crash at reliably-small offset from null, so I don't think this is s-s.
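The two remarks above (comment 3's "relying on js_free(nullptr) being a nop" and comment 4's "reliably-small offset from null") describe one pattern: a destructor that used to free a field directly, and after an over-alignment change has to read the raw allocation base out of the block the field points to, so a field left null by an allocation failure turns into a null dereference at a fixed small offset. The C example below is an added illustration, not SpiderMonkey's code; the struct names, the `allocatedBase` field, the 64-byte alignment and the offset it produces are all constructed for the example (the real offset seen in the backtrace is not reproduced), and `simulate_oom` stands in for the allocation failure that `oomTest` injects.

```c
/* Added example, not engine code: models a segment whose over-aligned
 * TlsData block stores its own malloc() base, and the two destructor shapes
 * (unchecked vs. null-safe) on the OOM path. All names are hypothetical. */
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_ALIGN 64u   /* constructed alignment requirement */

/* Over-aligned block; the raw pointer from malloc() is stashed inside it so
 * the owner can free it later (hypothetical layout). */
typedef struct TlsData {
    uint8_t  scratch[32];     /* constructed padding */
    void    *allocatedBase;   /* raw pointer returned by malloc() */
    uint64_t globals[4];      /* constructed payload */
} TlsData;

typedef struct GlobalSegment {
    TlsData *tlsData;         /* NULL when allocation failed (OOM) */
} GlobalSegment;

/* Allocate a TlsData aligned to TLS_ALIGN. simulate_oom forces the failure
 * path; the caller is left with a NULL field exactly as on real OOM. */
static TlsData *tls_alloc(int simulate_oom) {
    if (simulate_oom) return NULL;
    size_t total = sizeof(TlsData) + TLS_ALIGN - 1;   /* slack for alignment */
    void *base = malloc(total);
    if (!base) return NULL;
    uintptr_t aligned = ((uintptr_t)base + TLS_ALIGN - 1) & ~(uintptr_t)(TLS_ALIGN - 1);
    TlsData *tls = (TlsData *)aligned;
    memset(tls, 0, sizeof(*tls));
    tls->allocatedBase = base;   /* remember where to free from */
    return tls;
}

/* Constructor equivalent: 0 on success, -1 on OOM. On OOM the segment still
 * exists (and will still be destroyed), but tlsData is NULL. */
static int segment_init(GlobalSegment *seg, int simulate_oom) {
    seg->tlsData = tls_alloc(simulate_oom);
    return seg->tlsData ? 0 : -1;
}

/* Regressed shape: before the alignment change the destructor could free the
 * field itself and free(NULL) was a harmless no-op. Now it must go through
 * the block to find allocatedBase, and a NULL tlsData is dereferenced at
 * offsetof(TlsData, allocatedBase) from address 0. Only safe when non-NULL. */
static void segment_destroy_unchecked(GlobalSegment *seg) {
    free(seg->tlsData->allocatedBase);
    seg->tlsData = NULL;
}

/* Fixed shape: handle the null field on the OOM path.
 * Returns 1 if a block was freed, 0 if there was nothing to free. */
static int segment_destroy(GlobalSegment *seg) {
    if (!seg->tlsData) return 0;
    free(seg->tlsData->allocatedBase);
    seg->tlsData = NULL;
    return 1;
}

/* The address the unchecked destructor would read with a NULL field: a
 * fixed, small offset from null, which is the observation behind comment 4's
 * severity call (a deterministic crash in the unmapped first page). */
static uintptr_t null_deref_offset(void) {
    return (uintptr_t)offsetof(TlsData, allocatedBase);
}

static int tls_is_aligned(const TlsData *tls) {
    return tls != NULL && ((uintptr_t)tls % TLS_ALIGN) == 0;
}

int main(void) {
    GlobalSegment seg;
    /* Success path: both destructor shapes are fine. */
    if (segment_init(&seg, 0) != 0) return 1;
    segment_destroy_unchecked(&seg);
    /* OOM path: only the null-safe destructor survives. */
    (void)segment_init(&seg, 1);
    return segment_destroy(&seg) == 0 ? 0 : 1;
}
```

Running the block exercises the unchecked destructor only on the success path; calling it after a simulated OOM would reproduce the crash shape from the backtrace, which is exactly what the null check in the fixed version prevents.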

Comment 5

7 months ago
Comment on attachment 8882045 [details] [diff] [review]
fix-oom

Review of attachment 8882045 [details] [diff] [review]:
-----------------------------------------------------------------

D'oh indeed.
Attachment #8882045 - Flags: review?(lhansen) → review+
(Reporter)

Comment 6

7 months ago
Opening up as per comment 4.
Group: javascript-core-security

Comment 7

7 months ago
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d762b3e46153
Baldr: handle null field on OOM (r=lth)

Comment 8

7 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/d762b3e46153
Status: NEW → RESOLVED
Last Resolved: 7 months ago
status-firefox56: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected