Closed Bug 1437546 Opened 7 years ago Closed 7 years ago

Assertion failure: error_, at mozilla-central/js/src/wasm/WasmValidate.cpp:54

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox60 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: luke)

Details

(Keywords: oss-fuzz)

Attachments

(2 files)

This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.

root@f9a425957398:/src/mozilla-central/js/src# /out/js --fuzzing-safe --cpu-count=1 clusterfuzz-testcase-minimized-6248898260631552.js
Assertion failure: error_, at /src/mozilla-central/js/src/wasm/WasmValidate.cpp:54
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3276==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002fd5611 bp 0x7ffcdaca40f0 sp 0x7ffcdaca4020 T0)
==3276==The signal is caused by a WRITE memory access.
==3276==Hint: address points to the zero page.
    #0 0x2fd5610 in mozilla::UniquePtr<char [], JS::FreePolicy>::get() const /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:461:39
    #1 0x2fd5610 in mozilla::UniquePtr<char [], JS::FreePolicy>::operator bool() const /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:458
    #2 0x2fd5610 in js::wasm::Decoder::fail(unsigned long, char const*) /src/mozilla-central/js/src/wasm/WasmValidate.cpp:56
    #3 0x2fd9b1c in js::wasm::Decoder::fail(char const*) /src/mozilla-central/js/src/wasm/WasmValidate.h:453:41
    #4 0x2fd9b1c in js::wasm::DecodeLocalEntries(js::wasm::Decoder&, js::wasm::ModuleKind, mozilla::Vector<js::wasm::ValType, 8ul, js::SystemAllocPolicy>*) /src/mozilla-central/js/src/wasm/WasmValidate.cpp:343
    #5 0x2e46909 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /src/mozilla-central/js/src/wasm/WasmIonCompile.cpp:4351:14
    #6 0x2dcf1a3 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:648:14
    #7 0x2dcfeb8 in js::wasm::ModuleGenerator::launchBatchCompile() /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:721:14
    #8 0x2dd0ca1 in js::wasm::ModuleGenerator::finishFuncDefs() /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:797:26
    #9 0x2cadbaf in ModuleValidator::finish() /src/mozilla-central/js/src/wasm/AsmJS.cpp:2500:17
    #10 0x2b70788 in CheckModule(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, unsigned int*) /src/mozilla-central/js/src/wasm/AsmJS.cpp:7526:29
    #11 0x2b5eeb1 in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, bool*) /src/mozilla-central/js/src/wasm/AsmJS.cpp:8841:18
    #12 0x83616a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS(js::frontend::ParseNode*) /src/mozilla-central/js/src/frontend/Parser.cpp:4074:10
    #13 0x83616a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::asmJS(js::frontend::ParseNode*) /src/mozilla-central/js/src/frontend/Parser.cpp:4088
    #14 0x83616a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) /src/mozilla-central/js/src/frontend/Parser.cpp:4167
    #15 0x804af0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) /src/mozilla-central/js/src/frontend/Parser.cpp:4230:18
    #16 0x82b832 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::FunctionBodyType) /src/mozilla-central/js/src/frontend/Parser.cpp:2714:14
    #17 0x826a8d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) /src/mozilla-central/js/src/frontend/Parser.cpp:3808:16
    #18 0x8c9ce4 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*) /src/mozilla-central/js/src/frontend/Parser.cpp:2603:10
    #19 0x2ae1f61 in BytecodeCompiler::compileStandaloneFunction(JS::MutableHandle<JSFunction*>, js::GeneratorKind, js::FunctionAsyncKind, mozilla::Maybe<unsigned int> const&) /src/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:465:22
    #20 0x2ae69a7 in js::frontend::CompileStandaloneFunction(JSContext*, JS::MutableHandle<JSFunction*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, mozilla::Maybe<unsigned int> const&, JS::Handle<js::Scope*>) /src/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:718:21
    #21 0x1d26c1e in CreateDynamicFunction(JSContext*, JS::CallArgs const&, js::GeneratorKind, js::FunctionAsyncKind) /src/mozilla-central/js/src/jsfun.cpp:1839:18
    #22 0x1d237bb in js::Function(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/jsfun.cpp:1882:12
    #23 0xa16355 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:291:15
    #24 0xa16355 in js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:324
    #25 0x9d9dc9 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/mozilla-central/js/src/vm/Interpreter.cpp:568:20
    #26 0x9a8c57 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:3088:18
    #27 0x99861d in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:423:12
    #28 0x9dcab4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:706:15
    #29 0x9ddacf in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:738:12
    #30 0x1c12c71 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4715:12
    #31 0x1c132cb in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4748:12
    #32 0x5fde73 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:826:14
    #33 0x5fde73 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1179
    #34 0x578d58 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8474:14
    #35 0x578d58 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8860
    #36 0x578d58 in main /src/mozilla-central/js/src/shell/js.cpp:9317
    #37 0x7fc8f70d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #38 0x4604f8 in _start (/out/js+0x4604f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:461:39 in mozilla::UniquePtr<char [], JS::FreePolicy>::get() const
==3276==ABORTING
root@f9a425957398:/src/mozilla-central/js/src#
Assignee: nobody → luke
Priority: -- → P1
WasmIonCompile.cpp uses DecodeLocalEntries() which checks the number of locals is less than MaxLocals, but asm.js wasm generation wasn't checking that. I also added a MaxParams check to be safe. All the other limits in WasmBinaryConstants.h were either module-level (and asm.js doesn't generate modules) or already checked (MaxBrTableElems).
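The producer/consumer mismatch the comment describes, as an added example that is not SpiderMonkey's own code: the consumer (modelled on DecodeLocalEntries() in frame #4) enforces MaxLocals, and the assertion in the trace is on `error_`, i.e. the decoder had no error sink when it tried to report a failure because the bytecode came from an internal generator assumed to be valid. The asm.js-style producer below emits local entries without checking the limit (the "before"), then with the MaxParams and MaxLocals checks (the "after"). Everything here is constructed for the illustration: the limit values (the real constants live in WasmBinaryConstants.h and their values are not taken from this page), the simplified Decoder, the LEB128 helpers, and the FuncShape, LocalGroup, Emit*, CompileTrusting, OversizedFunc and SmallFunc names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-ins for the limits in WasmBinaryConstants.h; the values
// are deliberately small for the example and are not the real ones.
static const uint32_t MaxParams = 8;
static const uint32_t MaxLocals = 16;

// Simplified decoder. fail() writes into an optional error sink; callers that
// feed the decoder bytecode they believe is always valid pass no sink. The real
// Decoder::fail asserts the sink is present and crashes ("Assertion failure:
// error_"); here the violation is recorded so the caller can observe it.
class Decoder {
  const std::vector<uint8_t>& bytes_;
  size_t pos_ = 0;
  std::string* error_;            // null means "this input cannot fail"
  bool failedWithoutSink_ = false;

 public:
  Decoder(const std::vector<uint8_t>& bytes, std::string* error)
      : bytes_(bytes), error_(error) {}

  bool fail(const char* msg) {
    if (!error_) { failedWithoutSink_ = true; return false; }
    *error_ = msg;
    return false;
  }
  bool invariantViolated() const { return failedWithoutSink_; }

  // Unsigned LEB128, as used for counts and type codes in wasm bytecode.
  bool readVarU32(uint32_t* out) {
    uint32_t result = 0;
    for (int shift = 0; shift < 35; shift += 7) {
      if (pos_ >= bytes_.size()) return fail("unexpected end of bytecode");
      uint8_t b = bytes_[pos_++];
      result |= uint32_t(b & 0x7f) << shift;
      if (!(b & 0x80)) { *out = result; return true; }
    }
    return fail("varu32 too long");
  }
};

// Consumer side: the bound DecodeLocalEntries() enforces. `locals` arrives
// pre-populated with the parameter types, so the bound covers params + locals.
bool DecodeLocalEntries(Decoder& d, std::vector<uint8_t>* locals) {
  uint32_t numEntries;
  if (!d.readVarU32(&numEntries)) return false;
  for (uint32_t i = 0; i < numEntries; i++) {
    uint32_t count, type;
    if (!d.readVarU32(&count) || !d.readVarU32(&type)) return false;
    if (locals->size() > MaxLocals || count > MaxLocals - locals->size())
      return d.fail("too many locals");
    locals->insert(locals->end(), count, uint8_t(type));
  }
  return true;
}

static void writeVarU32(std::vector<uint8_t>* out, uint32_t v) {
  do {
    uint8_t b = v & 0x7f;
    v >>= 7;
    if (v) b |= 0x80;
    out->push_back(b);
  } while (v);
}

// Constructed description of an asm.js function: parameter count plus runs of
// same-typed locals, one run per local entry in the encoding.
struct LocalGroup { uint32_t count; uint8_t type; };
struct FuncShape { uint32_t numParams; std::vector<LocalGroup> groups; };

// Producer before the fix: encodes whatever the asm.js source declared.
std::vector<uint8_t> EmitLocalEntriesUnchecked(const FuncShape& f) {
  std::vector<uint8_t> out;
  writeVarU32(&out, uint32_t(f.groups.size()));
  for (const LocalGroup& g : f.groups) {
    writeVarU32(&out, g.count);
    writeVarU32(&out, g.type);
  }
  return out;
}

// Producer after the fix: rejects shapes the validator would reject, so the
// trusting decoder downstream can never reach fail(). Mirrors the MaxParams
// and MaxLocals checks the comment describes adding.
bool EmitLocalEntriesChecked(const FuncShape& f, std::vector<uint8_t>* out) {
  if (f.numParams > MaxParams) return false;
  uint32_t total = f.numParams;
  for (const LocalGroup& g : f.groups) {
    if (g.count > MaxLocals - total) return false;
    total += g.count;
  }
  *out = EmitLocalEntriesUnchecked(f);
  return true;
}

// Ion-style consumer: decodes with no error sink, trusting the producer.
struct CompileResult { bool ok; bool invariantViolated; size_t numLocals; };
CompileResult CompileTrusting(const std::vector<uint8_t>& bytes, uint32_t numParams) {
  Decoder d(bytes, nullptr);
  std::vector<uint8_t> locals(numParams, 0x7f);
  bool ok = DecodeLocalEntries(d, &locals);
  return CompileResult{ok, d.invariantViolated(), locals.size()};
}

// Constructed shapes: one over the local limit, one within it.
FuncShape OversizedFunc() { return FuncShape{2, {{20, 0x7f}}}; }
FuncShape SmallFunc()     { return FuncShape{2, {{4, 0x7f}, {3, 0x7e}}}; }

int main() {
  CompileResult bad = CompileTrusting(EmitLocalEntriesUnchecked(OversizedFunc()), 2);
  std::printf("unchecked producer: ok=%d invariantViolated=%d\n", bad.ok, bad.invariantViolated);
  std::vector<uint8_t> bytes;
  std::printf("checked producer rejects oversized: %d\n", !EmitLocalEntriesChecked(OversizedFunc(), &bytes));
  EmitLocalEntriesChecked(SmallFunc(), &bytes);
  CompileResult good = CompileTrusting(bytes, 2);
  std::printf("checked producer, small func: ok=%d locals=%zu\n", good.ok, good.numLocals);
  return 0;
}
```

The point of the split is where the check lives: a decoder that is handed no error sink has no way to report a validation failure, so every generator feeding it must enforce the same limits the validator does. Checking only on the consumer side turns a recoverable validation error into an assertion failure (and, in a build without assertions, into whatever the unchecked path does next).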
Attachment #8950780 - Flags: review?(bbouvier)
Comment on attachment 8950780 [details] [diff] [review]
clamp-asmjs-locals

Review of attachment 8950780 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.
Attachment #8950780 - Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/466db29799d8
Odin: check MaxParams and MaxLocals when asm.js emits wasm (r=bbouvier)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60