1455702 - Crash [@ ResolveExpr] with wasmTextToBinary

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision cc0d7de218cb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --baseline-eager --ion-offthread-compile=off):

oomTest(function() {
  eval(`
    new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(\`
      (module
        (func (export "run") call_indirect \$v2v)
      )\`)), 0);
  `);
});


Backtrace:

received signal SIGSEGV, Segmentation fault.
ResolveExpr (r=..., expr=...) at js/src/wasm/WasmTextToBinary.cpp:4349
#0  ResolveExpr (r=..., expr=...) at js/src/wasm/WasmTextToBinary.cpp:4349
#1  0x08a20bb6 in ResolveCallIndirect (c=..., r=...) at js/src/wasm/WasmTextToBinary.cpp:4133
#2  ResolveExpr (r=..., expr=...) at js/src/wasm/WasmTextToBinary.cpp:4367
#3  0x08a2220a in ResolveFunc (func=..., r=...) at js/src/wasm/WasmTextToBinary.cpp:4433
#4  ResolveModule (lifo=..., module=module@entry=0xf6edb010, error=error@entry=0xffffa064) at js/src/wasm/WasmTextToBinary.cpp:4531
#5  0x08a22442 in js::wasm::TextToBinary (text=0xf5645100 u"\n      (module\n        (func (export \"run\") call_indirect $v2v)\n      )", stackLimit=4293906433, bytes=0xffffa098, error=0xffffa064) at js/src/wasm/WasmTextToBinary.cpp:5585
#6  0x084b9537 in WasmTextToBinary (cx=<optimized out>, argc=1, vp=0xf5bffc48) at js/src/builtin/TestingFunctions.cpp:655
#7  0x081ed899 in js::CallJSNative (cx=0xf6e1d800, native=0x84b92d0 <WasmTextToBinary(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280
#8  0x081e2aad in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#9  0x081e2e50 in InternalCall (cx=cx@entry=0xf6e1d800, args=...) at js/src/vm/Interpreter.cpp:516
#10 0x081e2fcf in js::CallFromStack (cx=0xf6e1d800, args=...) at js/src/vm/Interpreter.cpp:522
#11 0x082be264 in js::jit::DoCallFallback (cx=<optimized out>, frame=0xf5bffca8, stub_=0xf56930b0, argc=1, vp=0xf5bffc48, res=...) at js/src/jit/BaselineIC.cpp:2380
#12 0x085f5ed0 in js::jit::Simulator::softwareInterrupt (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:2707
#13 0x085f66d6 in js::jit::Simulator::decodeType7 (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:3876
#14 0x085f45c2 in js::jit::Simulator::instructionDecode (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:4856
#15 0x085f82ea in js::jit::Simulator::execute<false> (this=0xf6e58000) at js/src/jit/arm/Simulator-arm.cpp:4911
#16 js::jit::Simulator::callInternal (this=0xf6e58000, entry=0x204be800 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4991
#17 0x085f8509 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:5074
#18 0x083cbad0 in EnterJit (cx=<optimized out>, cx@entry=0xf6e1d800, state=..., code=0x204e0540 "\004\340-\345\a") at js/src/jit/Jit.cpp:101
#19 0x083cc80f in js::jit::MaybeEnterJit (cx=0xf6e1d800, state=...) at js/src/jit/Jit.cpp:163
#20 0x081e24ff in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#21 0x081e4e39 in js::ExecuteKernel (cx=<optimized out>, script=..., envChainArg=..., newTargetValue=..., evalInFrame=..., result=<optimized out>) at js/src/vm/Interpreter.cpp:700
#22 0x0821a77a in EvalKernel (cx=<optimized out>, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=..., pc=0xf57a9275 "{\001", vp=...) at js/src/builtin/Eval.cpp:323
#23 0x0821ae20 in js::DirectEval (cx=<optimized out>, v=..., vp=...) at js/src/builtin/Eval.cpp:433
#24 0x082be8ad in js::jit::DoCallFallback (cx=<optimized out>, frame=0xf5bffdd8, stub_=0xf57b9050, argc=1, vp=0xf5bffd98, res=...) at js/src/jit/BaselineIC.cpp:2364
#25 0x085f5ed0 in js::jit::Simulator::softwareInterrupt (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:2707
#26 0x085f66d6 in js::jit::Simulator::decodeType7 (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:3876
#27 0x085f45c2 in js::jit::Simulator::instructionDecode (this=0xf6e58000, instr=0xf6e78164) at js/src/jit/arm/Simulator-arm.cpp:4856
#28 0x085f82ea in js::jit::Simulator::execute<false> (this=0xf6e58000) at js/src/jit/arm/Simulator-arm.cpp:4911
#29 js::jit::Simulator::callInternal (this=0xf6e58000, entry=0x204be800 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4991
#30 0x085f8509 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:5074
#31 0x083cbad0 in EnterJit (cx=<optimized out>, cx@entry=0xf6e1d800, state=..., code=0x204cc718 "\004\340-\345\a") at js/src/jit/Jit.cpp:101
#32 0x083cc80f in js::jit::MaybeEnterJit (cx=0xf6e1d800, state=...) at js/src/jit/Jit.cpp:163
#33 0x081e24ff in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#34 0x081e2b65 in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489
#35 0x081e2e50 in InternalCall (cx=cx@entry=0xf6e1d800, args=...) at js/src/vm/Interpreter.cpp:516
#36 0x081e300a in js::Call (cx=0xf6e1d800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#37 0x086384e9 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2948
#38 0x084c9001 in OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1721
[...]
#61 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9234
eax	0x0	0
ebx	0x8e3aff4	149139444
ecx	0x8a203c0	144835520
edx	0x0	0
esi	0x0	0
edi	0x0	0
ebp	0xffff9be8	4294941672
esp	0xffff9b70	4294941552
eip	0x8a20254 <ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&)+36>
=> 0x8a20254 <ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&)+36>:	cmpl   $0x22,0x4(%edi)
   0x8a20258 <ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&)+40>:	ja     0x8a20af8 <ResolveExpr((anonymous namespace)::Resolver&, js::wasm::AstExpr&)+2248>


For some reason this only reproduces in the ARM simulator.

Comment 1

[Fuzzing Team]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/045ded11d3f8
user:        Lars T Hansen
date:        Fri Dec 15 13:10:23 2017 -0600
summary:     Bug 1430161 - Factor ARM disassembler, implement for ARM64.  r=nbp

This iteration took 271.763 seconds to run.

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: oom.patch

Comment 3

[Luke Wagner [:luke]]

Comment on attachment 8970187 [details] [diff] [review]
oom.patch

Review of attachment 8970187 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 4

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/11205dbb6d67
Check allocation in ParseCallIndirect in wasm::TextToBinary; r=luke

Comment 5

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/11205dbb6d67