Closed
Bug 1437546
Opened 7 years ago
Closed 7 years ago
Assertion failure: error_, at mozilla-central/js/src/wasm/WasmValidate.cpp:54
Categories: Core :: JavaScript Engine, defect, P1
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla60
Tracking | Status
---|---
firefox60 | --- / fixed
People
(Reporter: Alex_Gaynor, Assigned: luke)
Details
(Keywords: oss-fuzz)
Attachments (2 files)
- 359 bytes, application/x-javascript (Details)
- 2.12 KB, patch, bbouvier: review+ (Details | Diff | Splinter Review)
This bug was found by Google's OSS-Fuzz running their custom internal JS fuzzer. I am refiling it in our issue tracker.
root@f9a425957398:/src/mozilla-central/js/src# /out/js --fuzzing-safe --cpu-count=1 clusterfuzz-testcase-minimized-6248898260631552.js
Assertion failure: error_, at /src/mozilla-central/js/src/wasm/WasmValidate.cpp:54
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3276==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000002fd5611 bp 0x7ffcdaca40f0 sp 0x7ffcdaca4020 T0)
==3276==The signal is caused by a WRITE memory access.
==3276==Hint: address points to the zero page.
#0 0x2fd5610 in mozilla::UniquePtr<char [], JS::FreePolicy>::get() const /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:461:39
#1 0x2fd5610 in mozilla::UniquePtr<char [], JS::FreePolicy>::operator bool() const /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:458
#2 0x2fd5610 in js::wasm::Decoder::fail(unsigned long, char const*) /src/mozilla-central/js/src/wasm/WasmValidate.cpp:56
#3 0x2fd9b1c in js::wasm::Decoder::fail(char const*) /src/mozilla-central/js/src/wasm/WasmValidate.h:453:41
#4 0x2fd9b1c in js::wasm::DecodeLocalEntries(js::wasm::Decoder&, js::wasm::ModuleKind, mozilla::Vector<js::wasm::ValType, 8ul, js::SystemAllocPolicy>*) /src/mozilla-central/js/src/wasm/WasmValidate.cpp:343
#5 0x2e46909 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /src/mozilla-central/js/src/wasm/WasmIonCompile.cpp:4351:14
#6 0x2dcf1a3 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:648:14
#7 0x2dcfeb8 in js::wasm::ModuleGenerator::launchBatchCompile() /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:721:14
#8 0x2dd0ca1 in js::wasm::ModuleGenerator::finishFuncDefs() /src/mozilla-central/js/src/wasm/WasmGenerator.cpp:797:26
#9 0x2cadbaf in ModuleValidator::finish() /src/mozilla-central/js/src/wasm/AsmJS.cpp:2500:17
#10 0x2b70788 in CheckModule(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, unsigned int*) /src/mozilla-central/js/src/wasm/AsmJS.cpp:7526:29
#11 0x2b5eeb1 in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, bool*) /src/mozilla-central/js/src/wasm/AsmJS.cpp:8841:18
#12 0x83616a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS(js::frontend::ParseNode*) /src/mozilla-central/js/src/frontend/Parser.cpp:4074:10
#13 0x83616a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::asmJS(js::frontend::ParseNode*) /src/mozilla-central/js/src/frontend/Parser.cpp:4088
#14 0x83616a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) /src/mozilla-central/js/src/frontend/Parser.cpp:4167
#15 0x804af0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) /src/mozilla-central/js/src/frontend/Parser.cpp:4230:18
#16 0x82b832 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::FunctionBodyType) /src/mozilla-central/js/src/frontend/Parser.cpp:2714:14
#17 0x826a8d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) /src/mozilla-central/js/src/frontend/Parser.cpp:3808:16
#18 0x8c9ce4 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::standaloneFunction(JS::Handle<JSFunction*>, JS::Handle<js::Scope*>, mozilla::Maybe<unsigned int> const&, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Directives, js::frontend::Directives*) /src/mozilla-central/js/src/frontend/Parser.cpp:2603:10
#19 0x2ae1f61 in BytecodeCompiler::compileStandaloneFunction(JS::MutableHandle<JSFunction*>, js::GeneratorKind, js::FunctionAsyncKind, mozilla::Maybe<unsigned int> const&) /src/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:465:22
#20 0x2ae69a7 in js::frontend::CompileStandaloneFunction(JSContext*, JS::MutableHandle<JSFunction*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, mozilla::Maybe<unsigned int> const&, JS::Handle<js::Scope*>) /src/mozilla-central/js/src/frontend/BytecodeCompiler.cpp:718:21
#21 0x1d26c1e in CreateDynamicFunction(JSContext*, JS::CallArgs const&, js::GeneratorKind, js::FunctionAsyncKind) /src/mozilla-central/js/src/jsfun.cpp:1839:18
#22 0x1d237bb in js::Function(JSContext*, unsigned int, JS::Value*) /src/mozilla-central/js/src/jsfun.cpp:1882:12
#23 0xa16355 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:291:15
#24 0xa16355 in js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /src/mozilla-central/js/src/jscntxtinlines.h:324
#25 0x9d9dc9 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/mozilla-central/js/src/vm/Interpreter.cpp:568:20
#26 0x9a8c57 in Interpret(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:3088:18
#27 0x99861d in js::RunScript(JSContext*, js::RunState&) /src/mozilla-central/js/src/vm/Interpreter.cpp:423:12
#28 0x9dcab4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:706:15
#29 0x9ddacf in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /src/mozilla-central/js/src/vm/Interpreter.cpp:738:12
#30 0x1c12c71 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /src/mozilla-central/js/src/jsapi.cpp:4715:12
#31 0x1c132cb in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /src/mozilla-central/js/src/jsapi.cpp:4748:12
#32 0x5fde73 in RunFile(JSContext*, char const*, _IO_FILE*, bool) /src/mozilla-central/js/src/shell/js.cpp:826:14
#33 0x5fde73 in Process(JSContext*, char const*, bool, FileKind) /src/mozilla-central/js/src/shell/js.cpp:1179
#34 0x578d58 in ProcessArgs(JSContext*, js::cli::OptionParser*) /src/mozilla-central/js/src/shell/js.cpp:8474:14
#35 0x578d58 in Shell(JSContext*, js::cli::OptionParser*, char**) /src/mozilla-central/js/src/shell/js.cpp:8860
#36 0x578d58 in main /src/mozilla-central/js/src/shell/js.cpp:9317
#37 0x7fc8f70d082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#38 0x4604f8 in _start (/out/js+0x4604f8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/UniquePtr.h:461:39 in mozilla::UniquePtr<char [], JS::FreePolicy>::get() const
==3276==ABORTING
root@f9a425957398:/src/mozilla-central/js/src#
Updated•7 years ago
Assignee: nobody → luke
Updated•7 years ago
Priority: -- → P1
Comment 1•7 years ago
WasmIonCompile.cpp uses DecodeLocalEntries() which checks the number of locals is less than MaxLocals, but asm.js wasm generation wasn't checking that. I also added a MaxParams check to be safe. All the other limits in WasmBinaryConstants.h were either module-level (and asm.js doesn't generate modules) or already checked (MaxBrTableElems).
Attachment #8950780 -
Flags: review?(bbouvier)
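As an added example (not SpiderMonkey's code), a constructed C++ model of the two-sided invariant behind comment 1: the decoder reports limit violations through an optional error slot and is assumed unreachable for asm.js callers that pass none, so the producer must enforce MaxParams/MaxLocals itself before emitting. The Decoder shape, limit values and function names are assumptions; the null-slot tolerance in fail() is a hardening choice of this model, not the actual fix.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
// Constructed model of the pattern behind this bug, not SpiderMonkey code.
// The limits are assumed values standing in for wasm::MaxLocals/MaxParams.
constexpr uint32_t kMaxLocals = 50000;
constexpr uint32_t kMaxParams = 1000;

struct Decoder {
    // Optional error slot: a caller that "knows" its input validates passes
    // nullptr (SpiderMonkey asserts on error_; this model tolerates null).
    std::unique_ptr<char[]>* error_;
    explicit Decoder(std::unique_ptr<char[]>* slot) : error_(slot) {}

    bool fail(const char* msg) {
        if (error_) {
            size_t n = std::strlen(msg) + 1;
            error_->reset(new char[n]);
            std::memcpy(error_->get(), msg, n);
        }
        return false;
    }

    // Consumer-side limit checks, as DecodeLocalEntries() does for locals.
    bool decodeLocalEntries(uint32_t numParams, uint32_t numLocals) {
        if (numParams > kMaxParams) return fail("too many params");
        if (numLocals > kMaxLocals) return fail("too many locals");
        return true;
    }
};

// Producer side: the check the fix adds. Rejecting the function before
// emission keeps the decoder's "cannot fail here" precondition true for
// asm.js-generated code, which is compiled without an error slot.
std::string emitAsmJsFunction(uint32_t numParams, uint32_t numLocals) {
    if (numParams > kMaxParams) return "rejected: too many parameters";
    if (numLocals > kMaxLocals) return "rejected: too many locals";
    Decoder d(nullptr);  // no error slot, as on the asm.js compile path
    return d.decodeLocalEntries(numParams, numLocals) ? "ok" : "unreachable";
}

// Ordinary wasm path: an error slot is provided and the message surfaces.
std::string decodeWithSlot(uint32_t numParams, uint32_t numLocals) {
    std::unique_ptr<char[]> err;
    Decoder d(&err);
    if (d.decodeLocalEntries(numParams, numLocals)) return "ok";
    return err ? std::string(err.get()) : "failed without message";
}
```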
Comment 2•7 years ago
Comment on attachment 8950780 [details] [diff] [review]
clamp-asmjs-locals
Review of attachment 8950780 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks.
Attachment #8950780 -
Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/466db29799d8
Odin: check MaxParams and MaxLocals when asm.js emits wasm (r=bbouvier)
Comment 4•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60