Closed Bug 1429028 Opened 7 years ago Closed 7 years ago

Crash [@ ParseExprBody] with infinite recursion involving wasmTextToBinary

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(3 files)

Bug 1429028: Remove unused JSContext arg to CheckRecursionLimitDontReport;
59 bytes, text/x-review-board-request
jandem
: review+
Details
Bug 1429028: Add a stack recursion check in the wasm::TextToBinary function;
59 bytes, text/x-review-board-request
luke
: review+
Details
updated.patch
5.77 KB, patch
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision ca379fcca95b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe): evaluate(` for (var i = 0; i < 10; ++i) {} var N = 1 << 16; var m = new Map; for (var get = 0; i < N; i++) m.get(i) evaluate(\` var expr = '(get_local 0)'; for (var a = 1000; i --> 0; ) expr = \\\`(f32.neg \\\${expr})\\\`; var code = \\\`(module (func \\\${expr})\\\`; wasmTextToBinary(code); \`); `); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000e5cb59 in ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932 #0 0x0000000000e5cb59 in ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932 #1 0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950 #2 0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704 #3 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307 #4 ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932 #5 0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950 #6 0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704 #7 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307 #8 ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932 #9 0x0000000000e5e358 in ParseExprInsideParens (c=...) at js/src/wasm/WasmTextToBinary.cpp:2950 #10 0x0000000000e5e4a8 in ParseExpr (c=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:1704 #11 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307 #12 ParseExprBody (c=..., token=..., inParens=inParens@entry=true) at js/src/wasm/WasmTextToBinary.cpp:2932 [...] #127 0x0000000000e5cb6d in ParseUnaryOperator (inParens=true, op=js::wasm::Op::F32Neg, c=...) at js/src/wasm/WasmTextToBinary.cpp:2307 rax 0xffffffffffbc9d54 -4416172 rbx 0x7fffffff8d00 140737488325888 rcx 0xe5cb50 15059792 rdx 0x1 1 rsi 0x7fffff7ff0a8 140737479962792 rdi 0x3e 62 rbp 0x7fffff7ff080 140737479962752 rsp 0x7fffff7fef80 140737479962496 r8 0x7ffff3a41a14 140737281006100 r9 0x3b 59 r10 0x100003e00 4294983168 r11 0x1 1 r12 0x7fffffff8d00 140737488325888 r13 0x7ffff414a020 140737288380448 r14 0x1 1 r15 0x7fffffff8d00 140737488325888 rip 0xe5cb59 <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+537> => 0xe5cb59 <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+537>: callq 0xe40e30 <(anonymous namespace)::WasmToken::op() const> 0xe5cb5e <ParseExprBody((anonymous namespace)::WasmParseContext&, (anonymous namespace)::WasmToken, bool)+542>: movzbl %r14b,%esi
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
(unless it helps fuzzers, there's no need to uplift this; this isn't exposed to web content)
status-firefox57: --- → wontfix
status-firefox58: --- → wontfix
Comment on attachment 8941039 [details] Bug 1429028: Add a stack recursion check in the wasm::TextToBinary function; https://reviewboard.mozilla.org/r/211340/#review217128 Thanks!
Attachment #8941039 - Flags: review?(luke) → review+
Comment on attachment 8941038 [details] Bug 1429028: Remove unused JSContext arg to CheckRecursionLimitDontReport; https://reviewboard.mozilla.org/r/211338/#review217482 Ah, nice find.
Attachment #8941038 - Flags: review?(jdemooij) → review+
Status: ASSIGNED → NEW
Priority: -- → P1
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/47706f72f1d3 Remove unused JSContext arg to CheckRecursionLimitDontReport; r=jandem https://hg.mozilla.org/integration/mozilla-inbound/rev/316e5fab18f1 Add a stack recursion check in the wasm::TextToBinary function; r=luke
Backout by apavel@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/59a7ff5e790d Backed out 2 changesets for spidermonkey bustages on js/src/jit-test/tests/wasm/compiler-frame-depth.js r=backout a=backout on a CLOSED TREE
Attached patch updated.patchSplinter Review
One test (compiler-frame-depth) was triggering the stack limit on ASAN optimized builds; just ignore the error in this very specific case (ASAN is known to create bigger stack frames, making it prone to hit the stack limits more easily).
Attachment #8941039 - Attachment is obsolete: true
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b178ce9de1db Remove unused JSContext arg to CheckRecursionLimitDontReport; r=jandem https://hg.mozilla.org/integration/autoland/rev/5c7f59616c3b Add a stack recursion check in the wasm::TextToBinary function; r=luke
https://hg.mozilla.org/mozilla-central/rev/b178ce9de1db https://hg.mozilla.org/mozilla-central/rev/5c7f59616c3b
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox59: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: