1416794 - MOZ_CRASH in js::jit::IonBuilder::inlineScriptedCall (with --ion-eager)

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Alex Gaynor [:Alex_Gaynor]]

Attachment: clusterfuzz-testcase-minimized-5620925186703360.js

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.

Please note that they apply a 90-day disclose timeline to all bugs:

/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe --ion-eager /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-42.js
	
	[Environment] ASAN_OPTIONS = redzone=512:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
	
	Assertion failure: result.unwrapErr() == AbortReason::Error, at mozilla-central/js/src/jit/IonBuilder.cpp:3813
	AddressSanitizer:DEADLYSIGNAL
	=================================================================
	==14162==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000f94ab7 bp 0x7fffdc8c9e80 sp 0x7fffdc8c97a0 T0)
	==14162==The signal is caused by a WRITE memory access.
	==14162==Hint: address points to the zero page.
	SCARINESS: 10 (null-deref)
	#0 0xf94ab6 in js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*) mozilla-central/js/src/jit/IonBuilder.cpp:3844:13
	#1 0xf99d53 in js::jit::IonBuilder::inlineSingleCall(js::jit::CallInfo&, JSObject*) mozilla-central/js/src/jit/IonBuilder.cpp:4337:12
	#2 0xf9a767 in js::jit::IonBuilder::inlineCallsite(mozilla::Vector<js::jit::InliningTarget, 4ul, js::jit::JitAllocPolicy> const&, js::jit::CallInfo&) mozilla-central/js/src/jit/IonBuilder.cpp:4391:16
	#3 0xf6456e in js::jit::IonBuilder::jsop_call(unsigned int, bool, bool) mozilla-central/js/src/jit/IonBuilder.cpp:5397:5
	#4 0xf3370a in js::jit::IonBuilder::inspectOpcode(JSOp) mozilla-central/js/src/jit/IonBuilder.cpp:2063:9
	#5 0xf31e9d in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) mozilla-central/js/src/jit/IonBuilder.cpp:1564:9
	#6 0xf2668d in js::jit::IonBuilder::traverseBytecode() mozilla-central/js/src/jit/IonBuilder.cpp:1481:9
	#7 0xf116d4 in js::jit::IonBuilder::build() mozilla-central/js/src/jit/IonBuilder.cpp:864:5
	#8 0xf0c04b in js::jit::AnalyzeNewScriptDefiniteProperties(JSContext*, JS::Handle<JSFunction*>, js::ObjectGroup*, JS::Handle<js::PlainObject*>, mozilla::Vector<js::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*) mozilla-central/js/src/jit/IonAnalysis.cpp:4233:45
	#9 0x23a77d3 in js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool) mozilla-central/js/src/vm/TypeInference.cpp:3846:10
	#10 0xefa3dd in js::jit::IonCompile(JSContext*, JSScript*, js::jit::BaselineFrame*, unsigned char*, bool, js::jit::OptimizationLevel) mozilla-central/js/src/jit/Ion.cpp:2193:46
	#11 0xefa3dd in js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) mozilla-central/js/src/jit/Ion.cpp:2443
	#12 0xefcfe5 in BaselineCanEnterAtEntry(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*) mozilla-central/js/src/jit/Ion.cpp:2559:27
	#13 0xefcfe5 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) mozilla-central/js/src/jit/Ion.cpp:2681
	#12 0x3102f6c1e010  (<unknown module>)
	#13 0x3102f6c19c05  (<unknown module>)
	#14 0x10e95e0 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:99:9
	#15 0x10e95e0 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:162
	#16 0x87c933 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:408:34
	#17 0x8b2fc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:495:15
	#18 0xbe1a6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2551:14
	#18 0x3102f6c2635a  (<unknown module>)
	#19 0x621000508e8f  (<unknown module>)
	#20 0x3102f6c19dae  (<unknown module>)
	#19 0x10e95e0 in EnterJit(JSContext*, js::RunState&, unsigned char*) mozilla-central/js/src/jit/Jit.cpp:99:9
	#20 0x10e95e0 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) mozilla-central/js/src/jit/Jit.cpp:162
	#21 0x87c933 in js::RunScript(JSContext*, js::RunState&) mozilla-central/js/src/vm/Interpreter.cpp:408:34
	#22 0x8b2fc0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) mozilla-central/js/src/vm/Interpreter.cpp:495:15
	#23 0xbe1a6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jit/BaselineIC.cpp:2551:14
	#25 0x3102f6c2635a  (<unknown module>)
	#26 0x6210003716ff  (<unknown module>)
	#27 0x3102f6c5b000  (<unknown module>)

Comment 1

[Jan de Mooij [:jandem]]

Can you take this one?

Comment 2

[Nicolas B. Pierron [:nbp]]

As soon as I am done with Bug 1412653.

Comment 3

[Nicolas B. Pierron [:nbp]]

Independently of the error reporting, tracking where the error was emitted gave the following stack, which surprised me!
Apparently we run the parser in order to know if content of a function can be inlined during the analysis.

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00000000007fb066 in js::jit::IonBuilder::inlineScriptedCall (this=0x7fff993e6670, callInfo=..., target=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:3813
3813                MOZ_ASSERT(result.unwrapErr() == AbortReason::Error);
(rr) bt
#0  js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::statementList (this=0x7fff993e3470, yieldHandling=js::frontend::YieldIsName) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:4112
#1  0x0000000000522283 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::functionBody (this=0x7fff993e3470, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, kind=js::frontend::Statement, type=js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::StatementListBody) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:2699
#2  0x0000000000516380 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody (this=0x7fff993e3470, inHandling=js::frontend::InAllowed, yieldHandling=js::frontend::YieldIsName, pn=0x46205b0, kind=js::frontend::Statement, parameterListEnd=..., isStandaloneFunction=false) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:3757
#3  0x0000000000504fac in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneLazyFunction (this=0x7fff993e3470, fun=..., toStringStart=870, strict=false, generatorKind=js::GeneratorKind::NotGenerator, asyncKind=js::SyncFunction) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/Parser.cpp:3649
#4  0x0000000000ce6c24 in js::frontend::CompileLazyFunction (cx=0x454b570, lazy=..., chars=0x486469e u"() {\n  };\n  return {\n    areEqual: function areEqual() {\n      validate( message);\n    },\n    areNotEqual: function areNotEqual() {\n    }  };\n}();\nclass __c_19 {\n  constructor() {\n      this.foo = 'Si"..., length=8) at /home/nicolas/mozilla/alternate-dev/js/src/frontend/BytecodeCompiler.cpp:689
#5  0x0000000000ba7476 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x454b570, fun=...) at /home/nicolas/mozilla/alternate-dev/js/src/jsfun.cpp:1601
#6  0x0000000000439774 in JSFunction::getOrCreateScript (cx=0x454b570, fun=...) at /home/nicolas/mozilla/alternate-dev/js/src/jsfun.h:450
#7  0x00000000007e8935 in js::jit::IonBuilder::canInlineTarget (this=0x7fff993e4de0, target=0x7f978eeb3cc0, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:428
#8  0x00000000007fbd15 in js::jit::IonBuilder::makeInliningDecision (this=0x7fff993e4de0, targetArg=0x7f978eeb3cc0, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4018
#9  0x00000000007fcb9b in js::jit::IonBuilder::inlineCallsite (this=0x7fff993e4de0, targets=..., callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4363
#10 0x0000000000802764 in js::jit::IonBuilder::jsop_call (this=0x7fff993e4de0, argc=1, constructing=false, ignoresReturnValue=true) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:5397
#11 0x00000000007f1479 in js::jit::IonBuilder::inspectOpcode (this=0x7fff993e4de0, op=JSOP_CALL_IGNORES_RV) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:2063
#12 0x00000000007ee85f in js::jit::IonBuilder::visitBlock (this=0x7fff993e4de0, cfgblock=0x4873410, mblock=0x4901b48) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1564
#13 0x00000000007ede31 in js::jit::IonBuilder::traverseBytecode (this=0x7fff993e4de0) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1481
#14 0x00000000007ebc5f in js::jit::IonBuilder::buildInline (this=0x7fff993e4de0, callerBuilder=0x7fff993e6670, callerResumePoint=0x4901930, callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1028
#15 0x00000000007faf9c in js::jit::IonBuilder::inlineScriptedCall (this=0x7fff993e6670, callInfo=..., target=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:3809
#16 0x00000000007fca2a in js::jit::IonBuilder::inlineSingleCall (this=0x7fff993e6670, callInfo=..., targetArg=0x7f978eeb3d00) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4337
#17 0x00000000007fcd34 in js::jit::IonBuilder::inlineCallsite (this=0x7fff993e6670, targets=..., callInfo=...) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:4391
#18 0x0000000000802764 in js::jit::IonBuilder::jsop_call (this=0x7fff993e6670, argc=0, constructing=false, ignoresReturnValue=true) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:5397
#19 0x00000000007f1479 in js::jit::IonBuilder::inspectOpcode (this=0x7fff993e6670, op=JSOP_CALL_IGNORES_RV) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:2063
#20 0x00000000007ee85f in js::jit::IonBuilder::visitBlock (this=0x7fff993e6670, cfgblock=0x48732f0, mblock=0x4900ec0) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1564
#21 0x00000000007ede31 in js::jit::IonBuilder::traverseBytecode (this=0x7fff993e6670) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:1481
#22 0x00000000007ea9c7 in js::jit::IonBuilder::build (this=0x7fff993e6670) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonBuilder.cpp:864
#23 0x00000000007e4cc4 in js::jit::AnalyzeNewScriptDefiniteProperties (cx=0x454b570, fun=..., group=0x7f978eeba5b0, baseobj=..., initializerList=0x7fff993e6e30) at /home/nicolas/mozilla/alternate-dev/js/src/jit/IonAnalysis.cpp:4233
#24 0x0000000000f28d59 in js::TypeNewScript::maybeAnalyze (this=0x48bba20, cx=0x454b570, group=0x7f978eeba5b0, regenerate=0x0, force=true) at /home/nicolas/mozilla/alternate-dev/js/src/vm/TypeInference.cpp:3846
#25 0x00000000007d291e in js::jit::IonCompile (cx=0x454b570, script=0x7f978ee92d08, baselineFrame=0x7fff993e74b8, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2216
#26 0x00000000007d36d9 in js::jit::Compile (cx=0x454b570, script=..., osrFrame=0x7fff993e74b8, osrPc=0x0, forceRecompile=false) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2466
#27 0x00000000007d3d65 in BaselineCanEnterAtEntry (cx=0x454b570, script=..., frame=0x7fff993e74b8) at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2582
#28 0x00000000007d43ef in js::jit::IonCompileScriptForBaseline (cx=0x454b570, frame=0x7fff993e74b8, pc=0x48bbb98 "T") at /home/nicolas/mozilla/alternate-dev/js/src/jit/Ion.cpp:2704
#29 0x000017b05c6f5811 in ?? ()
#30 0x0000000000000000 in ?? ()

Comment 4

[Nicolas B. Pierron [:nbp]]

Attachment: InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc.

InliningDecision_Error is always used to forward the error value coming from
inlining decision.

In the future, We would have to add a new InliningDecision_Alloc if we were
to add an allocation failure case, which does not carry an exception.

Comment 5

[Jan de Mooij [:jandem]]

Comment on attachment 8928949 [details] [diff] [review]
InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc.

Review of attachment 8928949 [details] [diff] [review]:
-----------------------------------------------------------------

Good find.

Comment 6

[Nicolas B. Pierron [:nbp]]

I do not think this assertion will cause any issue, at the moment these are only over-recurse or OOM exceptions which are being reported today.
The wrapping function will not even consider the AbortReason::Alloc vs AbortReason::Error values, and just forward if there is a pending exception:

https://searchfox.org/mozilla-central/source/js/src/jit/IonAnalysis.cpp#4236-4237

If these were to happen in other code path, then in the worst case these might cause MOZ_CRASH, which are not exploitable.

Safe to open and to ride the train from my point of view.

Comment 7

[Pulsebot]

Pushed by npierron@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e6be8071c22b
InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc. r=jandem

Comment 8

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/e6be8071c22b

Comment 9

[Gerry Chang [:gchang]]

Won't fix for 58, let it ride the train.