Closed Bug 1455703 Opened 7 years ago Closed 7 years ago

Crash [@ AstDecodeModuleTail] with OOM and WasmBinaryToText

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

oom.patch
1.22 KB, patch
luke
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision cc0d7de218cb (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --cpu-count=2): oomTest(new Function(` (function(global) {})(this); function wasmFullPass(text, expected, maybeImports, ...args) { let binary = wasmTextToBinary(text); let module = new WebAssembly.Module(binary); let retext = wasmBinaryToText(binary); } wasmFullPass(\`(module)\`, -Math.pow(",")); wasmFullPass(\` (module (import \$imported "globals" "x" (global i32)) (global \$mut_local (mut i32) (i32.const 0)) (func \$get (result i32) i32.const 13 set_global \$mut_local get_global \$imported ) )\`, 13 + 42 + 37 + 42, { globals: {x: 42} }); wasmFullPass(\`(module (memory (export "memory") 1 2) (data (i32.const 0) "\\\\00\\\\01\\\\02" "\\\\03\\\\04\\\\05") (func (export "run") (result i32) i32.const 1 ) )\`, 0x06050403); `)); Backtrace: received signal SIGSEGV, Segmentation fault. 0x08999af4 in AstDecodeModuleTail (c=...) at js/src/wasm/WasmBinaryToAST.cpp:2250 #0 0x08999af4 in AstDecodeModuleTail (c=...) at js/src/wasm/WasmBinaryToAST.cpp:2250 #1 js::wasm::BinaryToAst (cx=<optimized out>, bytes=<optimized out>, length=<optimized out>, lifo=..., module=<optimized out>) at js/src/wasm/WasmBinaryToAST.cpp:2285 #2 0x0899ff27 in js::wasm::BinaryToText (cx=0xf6e1a800, bytes=0xf65afa50 "", length=100, buffer=..., sourceMap=0x0) at js/src/wasm/WasmBinaryToText.cpp:2031 #3 0x084f020e in WasmBinaryToText (cx=0xf6e1a800, argc=1, vp=0xffffba50) at js/src/builtin/TestingFunctions.cpp:713 #4 0x53d4bd08 in ?? () [...] #9 0x53c6cb85 in ?? () #10 0x083e2fbd in EnterJit (cx=<optimized out>, cx@entry=0xf6e1a800, state=..., code=0x53d5cb80 "\351\033") at js/src/jit/Jit.cpp:101 #11 0x083e3c9f in js::jit::MaybeEnterJit (cx=0xf6e1a800, state=...) at js/src/jit/Jit.cpp:163 #12 0x081e138f in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402 #13 0x081e19f5 in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489 #14 0x081e1ce0 in InternalCall (cx=cx@entry=0xf6e1a800, args=...) at js/src/vm/Interpreter.cpp:516 #15 0x081e1e9a in js::Call (cx=0xf6e1a800, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535 #16 0x08674d09 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2948 #17 0x084e8921 in OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1721 [...] #32 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9234 eax 0x0 0 ebx 0x0 0 ecx 0x0 0 edx 0x0 0 esi 0xf6e89ba0 -152527968 edi 0xf65afaae -161809746 ebp 0xffffb808 4294948872 esp 0xffffb400 4294947840 eip 0x8999af4 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+8932> => 0x8999af4 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+8932>: mov %dx,(%ebx,%eax,2) 0x8999af8 <js::wasm::BinaryToAst(JSContext*, unsigned char const*, unsigned int, js::LifoAlloc&, js::wasm::AstModule**)+8936>: add $0x1,%eax Only reproduces on a 32-bit build for me.
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20161117035128" and the hash "49305a317143402c791b71d667c0b1ca9c512e0b". The "bad" changeset has the timestamp "20161117041028" and the hash "eb0e39566b63239abd2b71cba08c5775e48ac1fd". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=49305a317143402c791b71d667c0b1ca9c512e0b&tochange=eb0e39566b63239abd2b71cba08c5775e48ac1fd
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Attached patch oom.patchSplinter Review
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8970185 - Flags: review?(luke)
Attachment #8970185 - Flags: review?(luke) → review+
Pushed by bbouvier@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d0fe2832896c Check for OOM in AstDecodeModuleTail; r=luke
https://hg.mozilla.org/mozilla-central/rev/d0fe2832896c
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox61: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: