Closed Bug 1465081 Opened Last year Closed Last year

Null-dereference READ · AppendNameInBytecode

Categories

(Core :: Javascript: WebAssembly, defect)

Product:
Core
Component:
Javascript: WebAssembly
Type:
defect
Priority:
Not set

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox62 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: bbouvier)

References

Details

(Keywords: oss-fuzz)

Attachments

(2 files)

clusterfuzz-testcase-minimized-5696597647163392.js
5.10 KB, application/x-javascript
Details
fix.patch
3.63 KB, patch
luke
: review+
Details | Diff | Splinter Review 
Found by Google's OSS-Fuzz, I am re-filing for tracking in our bugtracker.

/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js --cpu-count=2 --disable-oom-functions --fuzzing-safe /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-51.js

[Environment] ASAN_OPTIONS = redzone=16:strict_memcmp=0:allow_user_segv_handler=1:allocator_may_return_null=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=0:alloc_dealloc_mismatch=0:print_scariness=1:max_uar_stack_size_log=16:detect_odr_violation=0:handle_sigill=1:coverage=0:use_sigaltstack=1:fast_unwind_on_fatal=1:detect_leaks=0:print_summary=1:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:symbolize=0:handle_segv=1
	
	AddressSanitizer:DEADLYSIGNAL
	=================================================================
	==1849==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00000275993a bp 0x7ffef4831df0 sp 0x7ffef4831df0 T0)
	==1849==The signal is caused by a READ memory access.
	==1849==Hint: address points to the zero page.
	SCARINESS: 10 (null-deref)
	#0 0x2759939 in mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::length() const mozilla-central/js/src/build_DBG.OBJ/dist/include/mozilla/Vector.h:0:34
	#1 0x2759939 in AppendNameInBytecode(mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, js::wasm::NameInBytecode const&, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) mozilla-central/js/src/wasm/WasmCode.cpp:938
	#2 0x2759530 in js::wasm::Metadata::getFuncName(js::wasm::Metadata::NameContext, mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, unsigned int, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) const mozilla-central/js/src/wasm/WasmCode.cpp:963:14
	#3 0x285d5c5 in js::wasm::Metadata::getFuncNameBeforeLocation(mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const*, unsigned int, mozilla::Vector<char, 0ul, js::SystemAllocPolicy>*) const mozilla-central/js/src/wasm/WasmCode.h:460:16
	#4 0x285d5c5 in js::wasm::Instance::getFuncDisplayAtom(JSContext*, unsigned int) const mozilla-central/js/src/wasm/WasmInstance.cpp:952
	#5 0x285cf67 in js::wasm::WasmFrameIter::functionDisplayAtom() const mozilla-central/js/src/wasm/WasmFrameIter.cpp:190:32
	#6 0x22398f1 in js::SavedStacks::insertFrames(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/vm/SavedStacks.cpp:1482:41
	#7 0x22381d6 in js::SavedStacks::saveCurrentStack(JSContext*, JS::MutableHandle<js::SavedFrame*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/vm/SavedStacks.cpp:1295:12
	#8 0x1af7b07 in JS::CaptureCurrentStack(JSContext*, JS::MutableHandle<JSObject*>, mozilla::Variant<JS::AllFrames, JS::MaxFrames, JS::FirstSubsumedFrame>&&) mozilla-central/js/src/jsapi.cpp:7803:31
	#9 0x1b02b7a in CaptureStack(JSContext*, JS::MutableHandle<JSObject*>) mozilla-central/js/src/jsexn.cpp:369:12
	#10 0x1b0554e in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) mozilla-central/js/src/jsexn.cpp:686:10
	#11 0x1fe70ee in ReportError(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) mozilla-central/js/src/vm/JSContext.cpp:249:5
	#12 0x1fe70ee in js::ReportErrorNumberVA(JSContext*, unsigned int, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) mozilla-central/js/src/vm/JSContext.cpp:836
	#13 0x1ae80f3 in JS_ReportErrorNumberUTF8VA(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, __va_list_tag*) mozilla-central/js/src/jsapi.cpp:6528:5
	#14 0x1ae80f3 in JS_ReportErrorNumberUTF8(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) mozilla-central/js/src/jsapi.cpp:6518
	#15 0x2796a81 in ReportError(JSContext*, unsigned int) mozilla-central/js/src/wasm/WasmBuiltins.cpp:217:5
	#16 0x2796a81 in WasmHandleTrap() mozilla-central/js/src/wasm/WasmBuiltins.cpp:249
	#12 0x3405ceca727c  (<unknown module>)
	#13 0x6070000072bf  (<unknown module>)
	
	AddressSanitizer can not provide additional info.
	SUMMARY: AddressSanitizer: SEGV (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds-no-engine_spidermonkey_6aad6e0d14f81d36f48dbd887aa56b38e87859f7/revisions/js+0x2759939)
	==1849==ABORTING
Flags: needinfo?(bbouvier)
Regression from bug 1458029. There's a module name subsection but no function names subsection, so we erroneously do not preserve bytecode.
Assignee: nobody → bbouvier
Component: JavaScript Engine → Javascript: Web Assembly
Depends on: 1458029
Flags: needinfo?(bbouvier)
Attached patch fix.patchSplinter Review
Attachment #8985504 - Flags: review?(luke)
Status: NEW → ASSIGNED
Attachment #8985504 - Flags: review?(luke) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7cd314fe93e3
Preserve bytecode if there's a module name subsection. r=luke
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/7cd314fe93e3
Status: ASSIGNED → RESOLVED
Closed: Last year
status-firefox62: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Flags: qe-verify-
You need to log in before you can comment on or make changes to this bug.