Closed Bug 1376841 Opened 7 years ago Closed 7 years ago

[wasm] Crash [@ js_free]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision cc903e3f6189 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

oomTest(function () {
    new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
        (module
            (global
                (mut i64)
                (i64.const 0)
            )
            (func)
            (global
                (mut f64)
                (f64.const 0)
            )
            (func
                (result f64)
                get_global 1
            )
            (global
                (mut i64)
                (i64.const 0)
            )
            (func
                i64.const 0
                i64.const 0
                i32.const 0
                select
                call 1
                set_global 1
                set_global 2
            )
            (func
                (result i64)
                (param f64)
                (param i64)
                (param i32)
                get_local 2
                i64.const 0
                i64.const 0
                i32.const 0
                select
                drop
                i64.extend_s/i32
            )
            (func
                (result f32)
                (param i32)
                (param i64)
                (param f32)
                f64.const 0
                f64.const 0
                i32.const 0
                select
                get_local 1
                get_local 2
                i32.const 0
                i32.const 0
                i32.const 0
                select
                drop
                drop
                drop
                f32.demote/f64
                f64.const 0
                f64.const 0
                i32.const 0
                select
                set_global 1
                i32.const 0
                i32.const 0
                i32.const 0
                select
                i64.const 0
                get_global 2
                drop
                drop
                drop
            )
        )
    `)));
})

Backtrace:

#0  js_free (p=<error reading variable: Cannot access memory at address 0x20>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:257
#1  js::wasm::GlobalSegment::~GlobalSegment (this=0x7fd144616250, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:878
#2  js_delete<js::wasm::GlobalSegment> (p=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:383
#3  JS::DeletePolicy<js::wasm::GlobalSegment>::operator() (this=<optimized out>, ptr=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:485
#4  mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >::reset (aPtr=0x0, this=0x7fff2d04dfe0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/mozilla/UniquePtr.h:343
/snip

For detailed crash information, see attachment.

js_free is on the stack, setting s-s as a start.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ba901f83a5fd
user:        Luke Wagner
date:        Fri Jun 23 18:03:19 2017 -0500
summary:     Bug 1374218 - Baldr: ensure alignment of TlsData (r=lth)

Luke, is bug 1374218 a likely regressor?
Flags: needinfo?(luke)
Summary: Crash [@ js_free] → Crash [@ js_free] involving wasm
Summary: Crash [@ js_free] involving wasm → [wasm] Crash [@ js_free]
Attached patch fix-oom
D'oh, this code was implicitly relying before on js_free(nullptr) being a nop.
Assignee: nobody → luke
Flags: needinfo?(luke)
Attachment #8882045 - Flags: review?(lhansen)
Crash at reliably-small offset from null, so I don't think this is s-s.
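An added illustration of the teardown pattern behind the two comments above; it is not SpiderMonkey's code, and the TlsBlock/Segment names and layout are assumed. A factory that fails under OOM leaves a field null, and a destructor that reads through that field to find the pointer to free crashes at a small offset from null even though free(nullptr) itself is harmless.

```cpp
#include <cstdint>
#include <cstdlib>
#include <memory>

// Stand-in for a TlsData-like block (names and layout assumed, not SpiderMonkey's):
// the block sits at an aligned address inside a larger malloc() result, so the
// only way to free it is through the base pointer recorded in the block itself.
struct TlsBlock {
    void* allocatedBase;      // raw malloc() result to hand back to free()
    uint8_t globalArea[64];   // payload (the wasm globals, in the real thing)
};
static constexpr size_t kAlign = 16;

// Allocates an aligned TlsBlock; `simulateOom` forces the allocation-failure path.
static TlsBlock* allocTlsBlock(bool simulateOom) {
    void* raw = simulateOom ? nullptr : std::malloc(sizeof(TlsBlock) + kAlign);
    if (!raw)
        return nullptr;
    uintptr_t aligned = (reinterpret_cast<uintptr_t>(raw) + kAlign - 1) & ~uintptr_t(kAlign - 1);
    TlsBlock* tls = reinterpret_cast<TlsBlock*>(aligned);
    tls->allocatedBase = raw;
    return tls;
}

class Segment {
    TlsBlock* tls_ = nullptr;
  public:
    static std::unique_ptr<Segment> create(bool simulateOom) {
        std::unique_ptr<Segment> seg(new Segment());
        seg->tls_ = allocTlsBlock(simulateOom);
        if (!seg->tls_)
            return nullptr;   // seg goes out of scope: ~Segment runs with tls_ == nullptr
        return seg;
    }
    // Pre-fix form: ~Segment() { std::free(tls_->allocatedBase); }
    // With tls_ == nullptr the load of allocatedBase is a read at a small, fixed
    // offset from address 0; free(nullptr) being a no-op never gets a chance to help.
    ~Segment() {
        if (tls_)                         // fix: a null field means nothing to free
            std::free(tls_->allocatedBase);
    }
    bool valid() const { return tls_ && reinterpret_cast<uintptr_t>(tls_) % kAlign == 0; }
};

// True when the OOM path tears down the partial Segment without crashing.
bool oomPathIsSafe() { return Segment::create(/*simulateOom=*/true) == nullptr; }

// True when the normal path yields a usable segment whose block is aligned.
bool normalPathWorks() { auto seg = Segment::create(false); return seg && seg->valid(); }
```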
Comment on attachment 8882045 [details] [diff] [review]
fix-oom

Review of attachment 8882045 [details] [diff] [review]:
-----------------------------------------------------------------

D'oh indeed.
Attachment #8882045 - Flags: review?(lhansen) → review+
Opening up as per comment 4.
Group: javascript-core-security
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d762b3e46153
Baldr: handle null field on OOM (r=lth)
https://hg.mozilla.org/mozilla-central/rev/d762b3e46153
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
