Closed Bug 1435327 Opened 8 years ago Closed 8 years ago

Crash [@ js::CompartmentChecker::check] with OOM and ES6 Module

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Linux
defect

Tracking


RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- disabled
firefox59 --- disabled
firefox60 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 841512e696b9 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off):

lfLogBuffer = `
  let moduleRepo = {};
  setModuleResolveHook(function(x, specifier) {
    return moduleRepo[specifier];
  });
  let c = moduleRepo['c'] = parseModule("");
  let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;");
  d.declarationInstantiation();
`;
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
  var line = lfLogBuffer.shift();
  if (line == null) {
    break;
  } else {
    lfCodeBuffer += line + "\n";
  }
}
if (lfCodeBuffer) loadFile(lfCodeBuffer);

function loadFile(lfVarx) {
  try {
    oomTest(function() {
      let m = parseModule(lfVarx);
      m.declarationInstantiation();
      m.evaluation();
    });
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::CompartmentChecker::check (this=0xffff9cc0, str=0x0) at js/src/jscntxtinlines.h:109
#0  js::CompartmentChecker::check (this=0xffff9cc0, str=0x0) at js/src/jscntxtinlines.h:109
#1  0x0863d044 in js::CompartmentChecker::check<JSString*> (handle=..., this=0xffff9cc0) at js/src/jscntxtinlines.h:83
#2  js::assertSameCompartment<JS::Handle<JSObject*>, JS::Handle<JSString*>, JS::Handle<JSString*> > (t3=<synthetic pointer>, t2=<synthetic pointer>, t1=<synthetic pointer>, cx=<optimized out>) at js/src/jscntxtinlines.h:246
#3  JS::CreateError (cx=0xf6e1b800, type=JSEXN_SYNTAXERR, stack=..., fileName=..., lineNumber=1, columnNumber=9, report=0x0, message=..., rval=...) at js/src/jsexn.cpp:1099
#4  0x08835a35 in intrinsic_CreateModuleSyntaxError (cx=0xf6e1b800, argc=4, vp=0xffff9dd8) at js/src/vm/SelfHosting.cpp:386
#5  0x20caaf9e in ?? ()
[...]
#13 0x20c9bb87 in ?? ()
#14 0x083c288c in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x20cc74a0 "\351\034") at js/src/jit/Jit.cpp:101
#15 0x083c30ef in js::jit::MaybeEnterJit (cx=0xf6e1b800, state=...) at js/src/jit/Jit.cpp:163
#16 0x081a1a75 in js::RunScript (cx=0xf6e1b800, state=...) at js/src/vm/Interpreter.cpp:408
#17 0x081a2025 in js::InternalCallOrConstruct (cx=0xf6e1b800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#18 0x081a2320 in InternalCall (cx=cx@entry=0xf6e1b800, args=...) at js/src/vm/Interpreter.cpp:522
#19 0x081a248f in js::CallFromStack (cx=0xf6e1b800, args=...) at js/src/vm/Interpreter.cpp:528
#20 0x08283f2c in js::jit::DoCallFallback (cx=0xf6e1b800, frame=0xffffa8a8, stub_=0xf5509180, argc=0, vp=0xffffa868, res=...) at js/src/jit/BaselineIC.cpp:2375
[...]
#24 0x083c288c in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x20e18ca0 "\351\034") at js/src/jit/Jit.cpp:101
#25 0x083c30ef in js::jit::MaybeEnterJit (cx=0xf6e1b800, state=...) at js/src/jit/Jit.cpp:163
#26 0x081a1a75 in js::RunScript (cx=0xf6e1b800, state=...) at js/src/vm/Interpreter.cpp:408
#27 0x081a40f6 in js::ExecuteKernel (cx=0xf6e1b800, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=0xffffae88) at js/src/vm/Interpreter.cpp:706
#28 0x081a4617 in js::Execute (cx=0xf6e1b800, script=..., envChainArg=..., rval=0xffffae88) at js/src/vm/Interpreter.cpp:739
#29 0x081d0888 in js::ModuleObject::execute (cx=0xf6e1b800, self=..., rval=...) at js/src/builtin/ModuleObject.cpp:1118
#30 0x088276fa in intrinsic_ExecuteModule (cx=0xf6e1b800, argc=1, vp=0xffffae88) at js/src/vm/SelfHosting.cpp:2101
#31 0x20caaf9e in ?? ()
[...]
#37 0x20c9bb87 in ?? ()
#38 0x083c288c in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x20cc6680 "\351\034") at js/src/jit/Jit.cpp:101
#39 0x083c30ef in js::jit::MaybeEnterJit (cx=0xf6e1b800, state=...) at js/src/jit/Jit.cpp:163
#40 0x081a1a75 in js::RunScript (cx=0xf6e1b800, state=...) at js/src/vm/Interpreter.cpp:408
#41 0x081a2025 in js::InternalCallOrConstruct (cx=0xf6e1b800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:495
#42 0x081a2320 in InternalCall (cx=cx@entry=0xf6e1b800, args=...) at js/src/vm/Interpreter.cpp:522
#43 0x081a24ca in js::Call (cx=0xf6e1b800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:541
#44 0x085e4f49 in JS_CallFunction (cx=0xf6e1b800, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2996
#45 0x084b32c2 in OOMTest (cx=0xf6e1b800, argc=1, vp=0xffffbb20) at js/src/builtin/TestingFunctions.cpp:1653
#46 0x081acd29 in js::CallJSNative (cx=0xf6e1b800, native=0x84b2fa0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
[...]
#50 0x08283f2c in js::jit::DoCallFallback (cx=0xf6e1b800, frame=0xffffbb68, stub_=0xf59a2070, argc=1, vp=0xffffbb20, res=...) at js/src/jit/BaselineIC.cpp:2375
[...]
#54 0x083c288c in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x20cc03b0 "\351\034") at js/src/jit/Jit.cpp:101
[...]
#60 0x08283f2c in js::jit::DoCallFallback (cx=0xf6e1b800, frame=0xffffc368, stub_=0xf598f2f8, argc=1, vp=0xffffc328, res=...) at js/src/jit/BaselineIC.cpp:2375
#61 0x20ca86ca in ?? ()
#62 0xf598f2f8 in ?? ()
#63 0x20c9bb87 in ?? ()
#64 0x083c288c in EnterJit (cx=cx@entry=0xf6e1b800, state=..., code=0x20cbb010 "\351\034") at js/src/jit/Jit.cpp:101
#65 0x083c30ef in js::jit::MaybeEnterJit (cx=0xf6e1b800, state=...) at js/src/jit/Jit.cpp:163
#66 0x081a1a75 in js::RunScript (cx=0xf6e1b800, state=...) at js/src/vm/Interpreter.cpp:408
[...]
#74 Shell (envp=<optimized out>, op=0xffffcc0c, cx=0xf6e1b800) at js/src/shell/js.cpp:8851
#75 main (argc=5, argv=0xffffcdb4, envp=0xffffcdcc) at js/src/shell/js.cpp:9307

eax 0xffff9d68 -25240
ebx 0x8e11ff4 148971508
ecx 0xffff9cc0 -25408
edx 0x0 0
esi 0x0 0
edi 0x0 0
ebp 0xffff9c88 4294941832
esp 0xffff9c80 4294941824
eip 0x85e687b <js::CompartmentChecker::check(JSString*)+43>
=> 0x85e687b <js::CompartmentChecker::check(JSString*)+43>: testb $0x8,(%esi)
   0x85e687e <js::CompartmentChecker::check(JSString*)+46>: jne 0x85e68e0 <js::CompartmentChecker::check(JSString*)+144>

Marking this s-s because it is a crash in the compartment checker and also it does not reproduce on a debug64 build for me, only on debug32. This seems strange to me for this type of crash.
Flags: needinfo?(jcoppeard)
Priority: -- → P1
This is a missing error check in intrinsic_CreateModuleSyntaxError().
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
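The diagnosis above is a missing null check after a fallible allocation: under the injected OOM, a string allocation in intrinsic_CreateModuleSyntaxError() returned null and the null was handed to JS::CreateError, whose debug-build assertSameCompartment() dereferenced it (str=0x0, esi=0 in the crash). The following is an added illustration in C++, not SpiderMonkey code and not the patch on this bug. It models the engine's "returns null on OOM" allocation style with a hypothetical newString(), places an unchecked caller modelled on the bug beside a checked one modelled on the fix, and drives both with an oomTest()-style harness that fails the k-th allocation for every k, which is how the shell's oomTest() finds exactly this class of bug. The compartment check is modelled as a throw rather than a segfault so the harness can observe it; the file name and message are constructed, while line 1 / column 9 are taken from the backtrace.

```cpp
// Added illustration (not SpiderMonkey code): fallible allocation with
// OOM injection, an unchecked caller modelled on the bug, a checked caller
// modelled on the fix, and an oomTest()-style harness.
#include <cstdio>
#include <functional>
#include <memory>
#include <optional>
#include <stdexcept>
#include <string>

// Hypothetical OOM-injection state: the allocation whose 1-based index equals
// g_failAt returns null (0 = never fail).
static int g_failAt = 0;
static int g_allocCount = 0;

// Hypothetical fallible allocation in the engine's "null on OOM" style.
static std::unique_ptr<std::string> newString(const std::string& s) {
    ++g_allocCount;
    if (g_failAt != 0 && g_allocCount == g_failAt)
        return nullptr;
    return std::make_unique<std::string>(s);
}

struct ErrorObject {
    std::string fileName;
    std::string message;
    unsigned lineNumber;
    unsigned columnNumber;
};

// Stand-in for assertSameCompartment(): a debug build reads through every
// handle it is given, which is the null read in the crash report. Here it
// throws instead so the harness can observe the bad call.
static void assertSameCompartment(const std::string* s) {
    if (!s)
        throw std::logic_error("compartment check on null string");
}

// Modelled on the bug: the allocation results go straight into the
// compartment check with no null test, so an OOM on the fileName allocation
// arrives there as a null pointer.
static std::optional<ErrorObject>
createModuleSyntaxErrorUnchecked(const std::string& file, unsigned line,
                                 unsigned column, const std::string& msg) {
    auto fileName = newString(file);
    auto message = newString(msg);
    assertSameCompartment(fileName.get());
    assertSameCompartment(message.get());
    return ErrorObject{*fileName, *message, line, column};
}

// Modelled on the fix: every fallible call is checked and the failure is
// propagated (nullopt here; in the engine, a false return with the pending
// OOM exception already reported).
static std::optional<ErrorObject>
createModuleSyntaxErrorChecked(const std::string& file, unsigned line,
                               unsigned column, const std::string& msg) {
    auto fileName = newString(file);
    if (!fileName)
        return std::nullopt;
    auto message = newString(msg);
    if (!message)
        return std::nullopt;
    assertSameCompartment(fileName.get());
    assertSameCompartment(message.get());
    return ErrorObject{*fileName, *message, line, column};
}

// oomTest()-style harness: run once to count allocations, then rerun with
// allocation 1, 2, ..., N failing in turn. Returns the index of the first
// injected failure that escaped as a null dereference, or 0 if the callee
// propagated every OOM cleanly.
static int oomTest(const std::function<void()>& f) {
    g_failAt = 0;
    g_allocCount = 0;
    f();
    const int total = g_allocCount;
    for (int k = 1; k <= total; ++k) {
        g_failAt = k;
        g_allocCount = 0;
        try {
            f();
        } catch (const std::logic_error&) {
            g_failAt = 0;
            return k;
        }
    }
    g_failAt = 0;
    return 0;
}

// Constructed inputs; line 1 / column 9 are the values from the backtrace.
static int firstEscapedOomUnchecked() {
    return oomTest([] { createModuleSyntaxErrorUnchecked("d.js", 1, 9, "missing export"); });
}
static int firstEscapedOomChecked() {
    return oomTest([] { createModuleSyntaxErrorChecked("d.js", 1, 9, "missing export"); });
}

int main() {
    std::printf("unchecked: first escaped OOM at allocation %d\n", firstEscapedOomUnchecked());
    std::printf("checked:   first escaped OOM at allocation %d\n", firstEscapedOomChecked());
    return 0;
}
```

The harness reports allocation 1 (the fileName) for the unchecked version and 0 for the checked one. The same loop explains why such bugs surface only under oomTest(): the unchecked path is correct whenever allocation succeeds, so nothing short of failing each allocation in turn exercises the missing branch.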
Attachment #8948454 - Flags: review?(bbouvier)
Comment on attachment 8948454 [diff] [review]
bug1435327-filename-oom

Review of attachment 8948454:
-----------------------------------------------------------------

Looks good, thanks!

::: js/src/jit-test/tests/modules/bug-1435327.js
@@ +1,1 @@
> +if (!('oomTest' in this))

does parseModule need to be tested against too?
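Review bot: the quoted hunk at @@ +1,1 @@ shows only the condition `if (!('oomTest' in this))` and not the statement it guards, so it is not visible whether a shell without oomTest stops here or merely skips one statement; the guard body should end the test (for example with quit()) so that nothing after it runs without OOM injection, which is the only mode in which this test exercises the bug.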
Attachment #8948454 - Flags: review?(bbouvier) → review+
(In reply to Benjamin Bouvier [:bbouvier] from comment #2)
> does parseModule need to be tested against too?

This is always present in the shell.

(In reply to Christian Holler (:decoder) from comment #0)
> Marking this s-s because it is a crash in the compartment checker and also
> it does not reproduce on a debug64 build for me, only on debug32. This seems
> strange to me for this type of crash.

This is a null dereference, so I don't think it's exploitable. Also modules are nightly-only for now. Unhiding this bug.

I don't know why it doesn't always reproduce but I think it's a quirk of our OOM testing.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/24a18c195a8d
Fix error checking while constructing module syntax error r=bbouvier
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60