Crash [@ ParseExprBody] with infinite recursion involving wasmTextToBinary

RESOLVED FIXED in Firefox 59

Status

()

P1
critical
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: decoder, Assigned: bbouvier)

Tracking

(Blocks: 1 bug, {assertion, jsbugmon, testcase})

Trunk
mozilla59
x86_64
Linux
assertion, jsbugmon, testcase
Points:
---

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox57 wontfix, firefox58 wontfix, firefox59 fixed)

Details

(Whiteboard: [jsbugmon:update,bisect], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

a year ago
The following testcase crashes on mozilla-central revision ca379fcca95b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

evaluate(`
  for (var i = 0; i < 10; ++i) {}
  var N = 1 << 16;
  var m = new Map;
  for (var get  = 0; i < N; i++)
    m.get(i)
  evaluate(\`
    var expr = '(get_local 0)';
    for (var a = 1000; i --> 0; )
      expr = \\\`(f32.neg \\\${expr})\\\`;
    var code = \\\`(module (func \\\${expr})\\\`;
  wasmTextToBinary(code);
  \`);
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000e5cb59 in ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932
#0  0x0000000000e5cb59 in ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932
#1  0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950
#2  0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704
#3  0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307
#4  ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932
#5  0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950
#6  0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704
#7  0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307
#8  ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932
#9  0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950
#10 0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704
#11 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307
#12 ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932
[...]
#127 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307
rax	0xffffffffffbc9d54	-4416172
rbx	0x7fffffff8d00	140737488325888
rcx	0xe5cb50	15059792
rdx	0x1	1
rsi	0x7fffff7ff0a8	140737479962792
rdi	0x3e	62
rbp	0x7fffff7ff080	140737479962752
rsp	0x7fffff7fef80	140737479962496
r8	0x7ffff3a41a14	140737281006100
r9	0x3b	59
r10	0x100003e00	4294983168
r11	0x1	1
r12	0x7fffffff8d00	140737488325888
r13	0x7ffff414a020	140737288380448
r14	0x1	1
r15	0x7fffffff8d00	140737488325888
rip	0xe5cb59 <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+537>
=> 0xe5cb59 <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+537>:	callq  0xe40e30 <(anonymous namespace)::WasmToken::op() const>
   0xe5cb5e <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+542>:	movzbl %r14b,%esi
(Assignee)

Updated

a year ago
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Comment hidden (mozreview-request)
(Assignee)

Comment 3

a year ago
(unless it helps fuzzers, there's no need to uplift this; this isn't exposed to web content)
status-firefox57: --- → wontfix
status-firefox58: --- → wontfix

Comment 4

a year ago
mozreview-review
Comment on attachment 8941039 [details]
Bug 1429028: Add a stack recursion check in the wasm::TextToBinary function;

https://reviewboard.mozilla.org/r/211340/#review217128

Thanks!
Attachment #8941039 - Flags: review?(luke) → review+

Comment 5

a year ago
mozreview-review
Comment on attachment 8941038 [details]
Bug 1429028: Remove unused JSContext arg to CheckRecursionLimitDontReport;

https://reviewboard.mozilla.org/r/211338/#review217482

Ah, nice find.
Attachment #8941038 - Flags: review?(jdemooij) → review+
Status: ASSIGNED → NEW
Priority: -- → P1

Comment 6

a year ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/47706f72f1d3
Remove unused JSContext arg to CheckRecursionLimitDontReport; r=jandem
https://hg.mozilla.org/integration/mozilla-inbound/rev/316e5fab18f1
Add a stack recursion check in the wasm::TextToBinary function; r=luke

Comment 7

a year ago
Backout by apavel@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/59a7ff5e790d
Backed out 2 changesets for spidermonkey bustages on js/src/jit-test/tests/wasm/compiler-frame-depth.js r=backout a=backout on a CLOSED TREE
(Assignee)

Comment 9

a year ago
Posted patch updated.patchSplinter Review
One test (compiler-frame-depth) was triggering the stack limit on ASAN optimized builds; just ignore the error in this very specific case (ASAN is known to create bigger stack frames, making it prone to hit the stack limits more easily).
Attachment #8941039 - Attachment is obsolete: true
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)

Comment 12

a year ago
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b178ce9de1db
Remove unused JSContext arg to CheckRecursionLimitDontReport; r=jandem
https://hg.mozilla.org/integration/autoland/rev/5c7f59616c3b
Add a stack recursion check in the wasm::TextToBinary function; r=luke

Comment 13

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b178ce9de1db
https://hg.mozilla.org/mozilla-central/rev/5c7f59616c3b
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox59: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
status-firefox-esr52: --- → wontfix
You need to log in before you can comment on or make changes to this bug.