Bug 1472633 (Closed) - Assertion failure: refTypeIndex <= MaxTypes, at js/src/wasm/WasmTypes.h:197
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript: WebAssembly, defect
Tracking: RESOLVED FIXED, target milestone mozilla63
Tracking | Status
---|---
firefox-esr52 | unaffected
firefox-esr60 | unaffected
firefox61 | unaffected
firefox62 | unaffected
firefox63 | fixed
People: Reporter: decoder, Assigned: bbouvier
Attachments (2 files):
- binary WebAssembly testcase, 62 bytes, application/octet-stream
- fix.patch, 2.68 KB, patch; review: jseward, review+
The attached binary WebAssembly testcase crashes on mozilla-inbound revision c65f021935f1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell:
// `file` is the path to the attached binary testcase (as used by the fuzzing harness)
var data = os.file.readFile(file, 'binary');
// Compile and instantiate; the crash is reached during compilation of the function body
new WebAssembly.Instance(new WebAssembly.Module(data.buffer));
Backtrace:
==13043==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000263b131 bp 0x7ffd0c951770 sp 0x7ffd0c9516a0 T0)
==13043==The signal is caused by a WRITE memory access.
==13043==Hint: address points to the zero page.
#0 0x263b130 in js::wasm::PackTypeCode(js::wasm::TypeCode, unsigned int) js/src/wasm/WasmTypes.h:196:5
#1 0x263b130 in js::wasm::ExprType::ExprType(js::wasm::ExprType::Code, unsigned int) js/src/wasm/WasmTypes.h:304
#2 0x263b130 in js::wasm::OpIter<js::wasm::BaseCompiler::BaseCompilePolicy>::readBlockType(js::wasm::ExprType*) js/src/wasm/WasmOpIter.h:1031
#3 0x255b0b8 in js::wasm::OpIter<js::wasm::BaseCompiler::BaseCompilePolicy>::readBlock() js/src/wasm/WasmOpIter.h:1116:10
#4 0x255b0b8 in js::wasm::BaseCompiler::emitBlock() js/src/wasm/WasmBaselineCompile.cpp:7319
#5 0x258501f in js::wasm::BaseCompiler::emitBody() js/src/wasm/WasmBaselineCompile.cpp:9378:13
#6 0x2593d86 in js::wasm::BaseCompiler::emitFunction() js/src/wasm/WasmBaselineCompile.cpp:10102:10
#7 0x2593d86 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmBaselineCompile.cpp:10255
#8 0x268d177 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:629:14
#9 0x268de69 in js::wasm::ModuleGenerator::launchBatchCompile() js/src/wasm/WasmGenerator.cpp:698:14
#10 0x268f007 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:774:26
#11 0x25be72b in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:84:15
#12 0x25bce68 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*) js/src/wasm/WasmCompile.cpp:444:10
#13 0x26f5ce8 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/wasm/WasmJS.cpp:346:27
#14 0x5d9040 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:6754:14
[...]
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/wasm/WasmTypes.h:196:5 in js::wasm::PackTypeCode(js::wasm::TypeCode, unsigned int)
==13043==ABORTING
Marking s-s because this is a range assertion.
Comment 1 (Reporter, 7 years ago)

Updated (Reporter, 7 years ago):
Component: JavaScript Engine → Javascript: Web Assembly
Comment 2 (Assignee, 7 years ago)
Same kind of issue as bug in a different place (when setting an inline type for a block).
Comment 3 (Assignee, 7 years ago)
as bug 1472634*
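The crash above is a missing range check on a type index read from an untrusted function body: readBlockType passes the decoded index straight to PackTypeCode, whose precondition (refTypeIndex <= MaxTypes) is what the assertion enforces. The following is an added example, not SpiderMonkey's code and not the patch from this bug, showing the shape of the check a block-type decoder needs. It assumes a limit `kMaxTypes` standing in for `MaxTypes` (the real value is not on the page), a made-up packed layout in `packTypeCode`, and it abstracts the --wasm-gc inline ref-type form as the standard type-index block type, so the check shown (index must name an entry of the module's type section, and must satisfy the packing precondition) is the general one for any index-carrying block type, not only the GC case:

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Added example (not SpiderMonkey code): decode a wasm block type from an
// untrusted function body and bound any type index it carries before the
// value is packed into an internal type code.
namespace example {

// Assumed limit, standing in for js::wasm::MaxTypes (value not on the page).
constexpr uint32_t kMaxTypes = 1000000;

// Standard wasm block-type byte codes (value types and the empty block).
constexpr uint8_t kTypeEmpty = 0x40;
constexpr uint8_t kTypeI32 = 0x7f;
constexpr uint8_t kTypeI64 = 0x7e;
constexpr uint8_t kTypeF32 = 0x7d;
constexpr uint8_t kTypeF64 = 0x7c;
constexpr uint8_t kOpBlock = 0x02;
// Assumed code used for the index-carrying (type-index) form.
constexpr uint8_t kTypeIndexCode = 0x00;

// Signed LEB128 of at most 5 bytes (the spec's s33 block-type encoding).
// Returns false on truncated or over-long input.
static bool readVarS33(const uint8_t*& p, const uint8_t* end, int64_t* out) {
  int64_t result = 0;
  unsigned shift = 0;
  for (int i = 0; i < 5; i++) {
    if (p == end) return false;
    uint8_t byte = *p++;
    result |= int64_t(byte & 0x7f) << shift;
    shift += 7;
    if (!(byte & 0x80)) {
      if (byte & 0x40) result |= -(int64_t(1) << shift);  // sign-extend
      *out = result;
      return true;
    }
  }
  return false;
}

// Packs a code with a type index (assumed layout). It refuses out-of-range
// indices instead of asserting, so even a caller that forgot to validate
// cannot produce a bogus packed value.
static std::optional<uint32_t> packTypeCode(uint8_t code, uint32_t refTypeIndex) {
  if (refTypeIndex > kMaxTypes) return std::nullopt;
  return (refTypeIndex << 8) | code;
}

// Reads one block type. numTypes is the size of the module's type section;
// the type-index form must refer to an existing entry.
static bool readBlockType(const uint8_t*& p, const uint8_t* end,
                          uint32_t numTypes, uint32_t* packed) {
  int64_t v;
  if (!readVarS33(p, end, &v)) return false;
  if (v >= 0) {
    // This is the bound the crashing decoder lacked: check the index
    // against the module before it reaches the packing step.
    if (static_cast<uint64_t>(v) >= numTypes) return false;
    auto r = packTypeCode(kTypeIndexCode, static_cast<uint32_t>(v));
    if (!r) return false;
    *packed = *r;
    return true;
  }
  uint8_t code = static_cast<uint8_t>(v & 0x7f);
  switch (code) {
    case kTypeEmpty: case kTypeI32: case kTypeI64: case kTypeF32: case kTypeF64:
      *packed = *packTypeCode(code, 0);
      return true;
    default:
      return false;  // unknown type code
  }
}

// Validates a function-body prefix made of one `block` opcode and its
// block type. Returns true iff the prefix would be accepted.
bool acceptsBlock(const std::vector<uint8_t>& body, uint32_t numTypes) {
  const uint8_t* p = body.data();
  const uint8_t* end = p + body.size();
  if (p == end || *p++ != kOpBlock) return false;
  uint32_t packed;
  return readBlockType(p, end, numTypes, &packed);
}

}  // namespace example

int main() {
  // Constructed inputs: a module with three type entries.
  std::printf("empty block: %d\n", example::acceptsBlock({0x02, 0x40}, 3));
  std::printf("type index 1: %d\n", example::acceptsBlock({0x02, 0x01}, 3));
  // Index 2^31 encoded as s33: rejected rather than packed.
  std::printf("huge index: %d\n",
              example::acceptsBlock({0x02, 0x80, 0x80, 0x80, 0x80, 0x08}, 3));
  return 0;
}
```

The oversized index case is the one a fuzzer finds: a five-byte LEB128 decodes without error, so the bound has to come from the module's type section and the packer's limit, not from the decoder's byte count.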
Comment 5 (jseward, 7 years ago)
Comment on attachment 8989963 [details] [diff] [review]
fix.patch
Review of attachment 8989963 [details] [diff] [review]:
-----------------------------------------------------------------
LGTM.
Attachment #8989963 - Flags: review?(jseward) → review+
Comment 6 (Assignee, 7 years ago)

Updated (7 years ago)
Comment 7 (7 years ago)
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Comment 8 (Assignee, 7 years ago)
Opening up, since this is nightly-only and protected behind --wasm-gc.
Group: core-security-release (removed)
Updated (7 years ago)
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected