Closed Bug 1454922 Opened 7 years ago Closed 7 years ago

Hit MOZ_CRASH(Function return type) at js/src/wasm/WasmBaselineCompile.cpp:3433 or Crash [@ js::wasm::BaseCompiler::saveResult]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1454923
Tracking Status
firefox61 --- fix-optional

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:bisect])

The following testcase crashes on mozilla-central revision f94b64e00202 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --wasm-gc):

var evalInFrame = (function evalInFrame(global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  dbg.addDebuggee(global);
})(this);
let lfData = new Uint8Array([0,97,115,109,1,0,0,0,1,135,128,128,128,0,1,96,2,111,127,1,111,3,130,
                             128,128,128,0,1,0,6,129,128,128,128,0,0,7,136,128,128,128,0,1,4,116,
                             101,115,116,0,0,10,160,128,128,128,0,1,154,128,128,128,0,0,2,111,3,
                             111,32,1,65,1,106,34,1,65,10,70,4,64,32,0,15,11,12,0,11,11,11]);
lfModule = new WebAssembly.Module(lfData.buffer);

Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5eff700 (LWP 3290)]
0x0000000000d621c8 in js::wasm::BaseCompiler::saveResult (this=this@entry=0x7ffff5efcc50) at js/src/wasm/WasmBaselineCompile.cpp:3433
#0  0x0000000000d621c8 in js::wasm::BaseCompiler::saveResult (this=this@entry=0x7ffff5efcc50) at js/src/wasm/WasmBaselineCompile.cpp:3433
#1  0x0000000000d2acf1 in js::wasm::BaseCompiler::endFunction (this=0x7ffff5efcc50) at js/src/wasm/WasmBaselineCompile.cpp:3480
#2  js::wasm::BaseCompiler::emitFunction (this=0x7ffff5efcc50) at js/src/wasm/WasmBaselineCompile.cpp:10009
#3  js::wasm::BaselineCompileFunctions (env=..., lifo=..., inputs=..., code=0x7ffff4967488, error=0x7ffff5efdf18) at js/src/wasm/WasmBaselineCompile.cpp:10154
#4  0x0000000000d7b99d in ExecuteCompileTask (task=0x7ffff4967208, error=error@entry=0x7ffff5efdf18) at js/src/wasm/WasmGenerator.cpp:627
#5  0x0000000000d7d3a1 in js::wasm::ExecuteCompileTaskFromHelperThread (task=<optimized out>, task@entry=0x7ffff4967208) at js/src/wasm/WasmGenerator.cpp:645
#6  0x0000000000b11b27 in js::HelperThread::handleWasmWorkload (this=0x7ffff5f05c00, locked=..., mode=<optimized out>) at js/src/vm/HelperThreads.cpp:1760
#7  0x0000000000b0036c in js::HelperThread::threadLoop (this=this@entry=0x7ffff5f05c00) at js/src/vm/HelperThreads.cpp:2249
#8  0x0000000000b00450 in js::HelperThread::ThreadMain (arg=0x7ffff5f05c00) at js/src/vm/HelperThreads.cpp:1733
#9  0x0000000000b238b2 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f18050) at js/src/threading/Thread.h:242
#10 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f18050) at js/src/threading/Thread.h:235
#11 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5eff700) at pthread_create.c:333
#12 0x00007ffff6c383dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x0                  0
rbx 0x7ffff5efcc50       140737319521360
rcx 0x7ffff6c282ad       140737333330605
rdx 0x0                  0
rsi 0x7ffff6ef7770       140737336276848
rdi 0x7ffff6ef6540       140737336272192
rbp 0x7ffff5efcab0       140737319520944
rsp 0x7ffff5efca80       140737319520896
r8  0x7ffff6ef7770       140737336276848
r9  0x7ffff5eff700       140737319532288
r10 0x58                 88
r11 0x7ffff6b9e7a0       140737332766624
r12 0x7ffff48798a0       140737295915168
r13 0x7fffffffb900       140737488337152
r14 0x0                  0
r15 0x7ffff5efd2f0       140737319523056
rip 0xd621c8 <js::wasm::BaseCompiler::saveResult()+296>
=> 0xd621c8 <js::wasm::BaseCompiler::saveResult()+296>: movl $0x0,0x0
   0xd621d3 <js::wasm::BaseCompiler::saveResult()+307>: ud2
I assume this is the same bug?

#0  js::wasm::BaseCompiler::restoreResult (this=<optimized out>) at js/src/wasm/WasmBaselineCompile.cpp:3457
#1  js::wasm::BaseCompiler::endFunction (this=0x7ffff5efd760) at js/src/wasm/WasmBaselineCompile.cpp:3483
#2  js::wasm::BaseCompiler::emitFunction (this=0x7ffff5efd760) at js/src/wasm/WasmBaselineCompile.cpp:10009
#3  0x0000000000aa7402 in js::wasm::BaselineCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff4aea938, error=0x7ffff5efe630) at js/src/wasm/WasmBaselineCompile.cpp:10154
#4  0x0000000000ac9a77 in ExecuteCompileTask (task=task@entry=0x7ffff4aea750, error=error@entry=0x7ffff5efe630) at js/src/wasm/WasmGenerator.cpp:627
#5  0x0000000000ad18eb in js::wasm::ExecuteCompileTaskFromHelperThread (task=task@entry=0x7ffff4aea750) at js/src/wasm/WasmGenerator.cpp:645
#6  0x000000000091f032 in js::HelperThread::handleWasmWorkload (this=0x7ffff5f04c00, locked=..., mode=<optimized out>) at js/src/vm/HelperThreads.cpp:1760
#7  0x0000000000917d5c in js::HelperThread::threadLoop (this=0x7ffff5f04c00) at js/src/vm/HelperThreads.cpp:2249
#8  0x0000000000921f9a in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f18050) at js/src/threading/Thread.h:242
#9  js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f18050) at js/src/threading/Thread.h:235
#10 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5eff700) at pthread_create.c:333
#11 0x00007ffff6c3141d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x1c6b1c0            29798848
rbx 0x7ffff5efd760       140737319524192
rcx 0xeaf740             15398720
rdx 0x0                  0
rsi 0x7ffff5efdb50       140737319525200
rdi 0x7ffff5efdd20       140737319525664
rbp 0x0                  0
rsp 0x7ffff5efd5e0       140737319523808
r8  0xffffffff           4294967295
r9  0x7ffff5efe030       140737319526448
r10 0xda                 218
r11 0x6                  6
r12 0x6f                 111
r13 0x7ffff5efd720       140737319524128
r14 0x7ffff4aea7b8       140737298474936
r15 0x7ffff5efd6f0       140737319524080
rip 0xaa7034 <js::wasm::BaseCompiler::emitFunction()+1268>
=> 0xaa7034 <js::wasm::BaseCompiler::emitFunction()+1268>: movl $0x0,0x0
   0xaa703f <js::wasm::BaseCompiler::emitFunction()+1279>: ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Plausibly a verifier bug.
Group: core-security
Since the code MOZ_CRASHes it's not a security problem right here but let's assume the Ion code might be until we've looked.
Nahh, it's run with --wasm-gc, it's just the same cause as bug 1454923.
This is an automated crash issue comment:

Summary: Crash [@ js::wasm::BaseCompiler::restoreResult]
Build version: mozilla-central revision f94b64e00202
Build flags: --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize
Runtime options: --fuzzing-safe --wasm-gc --ion-offthread-compile=off

Testcase:

var g = newGlobal();
var dbg = new g.Debugger(this);
let lfData = new Uint8Array([0,97,115,109,1,0,0,0,1,135,128,128,128,0,1,96,2,111,127,
                             1,111,3,130,128,128,128,0,1,0,6,129,128,128,128,0,0,7,136,
                             128,128,128,0,1,4,116,101,115,116,0,0,10,162,128,128,128,
                             0,1,156,128,128,128,0,0,2,64,3,64,32,1,65,1,106,34,1,65,10,
                             76,4,64,12,1,5,32,0,15,11,11,11,0,11]);
lfModule = new WebAssembly.Module(lfData.buffer);

Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5eff700 (LWP 5116)]
js::wasm::BaseCompiler::restoreResult (this=<optimized out>) at js/src/wasm/WasmBaselineCompile.cpp:3457
#0  js::wasm::BaseCompiler::restoreResult (this=<optimized out>) at js/src/wasm/WasmBaselineCompile.cpp:3457
#1  js::wasm::BaseCompiler::endFunction (this=0x7ffff5efd760) at js/src/wasm/WasmBaselineCompile.cpp:3483
#2  js::wasm::BaseCompiler::emitFunction (this=0x7ffff5efd760) at js/src/wasm/WasmBaselineCompile.cpp:10009
#3  0x0000000000aa7402 in js::wasm::BaselineCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff4ae8938, error=0x7ffff5efe630) at js/src/wasm/WasmBaselineCompile.cpp:10154
#4  0x0000000000ac9a77 in ExecuteCompileTask (task=task@entry=0x7ffff4ae8750, error=error@entry=0x7ffff5efe630) at js/src/wasm/WasmGenerator.cpp:627
#5  0x0000000000ad18eb in js::wasm::ExecuteCompileTaskFromHelperThread (task=task@entry=0x7ffff4ae8750) at js/src/wasm/WasmGenerator.cpp:645
#6  0x000000000091f032 in js::HelperThread::handleWasmWorkload (this=0x7ffff5f04c00, locked=..., mode=<optimized out>) at js/src/vm/HelperThreads.cpp:1760
#7  0x0000000000917d5c in js::HelperThread::threadLoop (this=0x7ffff5f04c00) at js/src/vm/HelperThreads.cpp:2249
#8  0x0000000000921f9a in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f18050) at js/src/threading/Thread.h:242
#9  js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f18050) at js/src/threading/Thread.h:235
#10 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5eff700) at pthread_create.c:333
#11 0x00007ffff6c383dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x1c6b1c0            29798848
rbx 0x7ffff5efd760       140737319524192
rcx 0xeaf740             15398720
rdx 0x0                  0
rsi 0x7ffff5efdb50       140737319525200
rdi 0x7ffff5efdd20       140737319525664
rbp 0x0                  0
rsp 0x7ffff5efd5e0       140737319523808
r8  0xffffffff           4294967295
r9  0x7ffff5efe030       140737319526448
r10 0xda                 218
r11 0x6                  6
r12 0x6f                 111
r13 0x7ffff5efd720       140737319524128
r14 0x7ffff4ae87b8       140737298466744
r15 0x7ffff5efd6f0       140737319524080
rip 0xaa7034 <js::wasm::BaseCompiler::emitFunction()+1268>
=> 0xaa7034 <js::wasm::BaseCompiler::emitFunction()+1268>: movl $0x0,0x0
   0xaa703f <js::wasm::BaseCompiler::emitFunction()+1279>: ud2
I don't have rights to open up. I've checked both test cases and it's just a dup of bug 1454923.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: core-security