Closed Bug 1472633 Opened 2 years ago Closed 2 years ago

Assertion failure: refTypeIndex <= MaxTypes, at js/src/wasm/WasmTypes.h:197

Categories

(Core :: Javascript: WebAssembly, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: decoder, Assigned: bbouvier)

References

Details

(4 keywords)

Attachments

(2 files)

The attached binary WebAssembly testcase crashes on mozilla-inbound revision c65f021935f1 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --without-intl-api --enable-debug). To reproduce, you can run the following code in the JS shell:

// `file` holds the path to the attached testcase
var data = os.file.readFile(file, 'binary');
new WebAssembly.Instance(new WebAssembly.Module(data.buffer));

Backtrace:

==13043==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000263b131 bp 0x7ffd0c951770 sp 0x7ffd0c9516a0 T0)
==13043==The signal is caused by a WRITE memory access.
==13043==Hint: address points to the zero page.
    #0 0x263b130 in js::wasm::PackTypeCode(js::wasm::TypeCode, unsigned int) js/src/wasm/WasmTypes.h:196:5
    #1 0x263b130 in js::wasm::ExprType::ExprType(js::wasm::ExprType::Code, unsigned int) js/src/wasm/WasmTypes.h:304
    #2 0x263b130 in js::wasm::OpIter<js::wasm::BaseCompiler::BaseCompilePolicy>::readBlockType(js::wasm::ExprType*) js/src/wasm/WasmOpIter.h:1031
    #3 0x255b0b8 in js::wasm::OpIter<js::wasm::BaseCompiler::BaseCompilePolicy>::readBlock() js/src/wasm/WasmOpIter.h:1116:10
    #4 0x255b0b8 in js::wasm::BaseCompiler::emitBlock() js/src/wasm/WasmBaselineCompile.cpp:7319
    #5 0x258501f in js::wasm::BaseCompiler::emitBody() js/src/wasm/WasmBaselineCompile.cpp:9378:13
    #6 0x2593d86 in js::wasm::BaseCompiler::emitFunction() js/src/wasm/WasmBaselineCompile.cpp:10102:10
    #7 0x2593d86 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmBaselineCompile.cpp:10255
    #8 0x268d177 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) js/src/wasm/WasmGenerator.cpp:629:14
    #9 0x268de69 in js::wasm::ModuleGenerator::launchBatchCompile() js/src/wasm/WasmGenerator.cpp:698:14
    #10 0x268f007 in js::wasm::ModuleGenerator::finishFuncDefs() js/src/wasm/WasmGenerator.cpp:774:26
    #11 0x25be72b in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) js/src/wasm/WasmCompile.cpp:84:15
    #12 0x25bce68 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*) js/src/wasm/WasmCompile.cpp:444:10
    #13 0x26f5ce8 in js::wasm::Eval(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<JSObject*>, JS::MutableHandle<js::WasmInstanceObject*>) js/src/wasm/WasmJS.cpp:346:27
    #14 0x5d9040 in WasmLoop(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:6754:14
[...]

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/wasm/WasmTypes.h:196:5 in js::wasm::PackTypeCode(js::wasm::TypeCode, unsigned int)
==13043==ABORTING


Marking s-s because this is a range assertion.
Attached file Testcase
Component: JavaScript Engine → Javascript: Web Assembly
Attached patch fix.patch
Same kind of issue as bug in a different place (when setting an inline type for a block).
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Attachment #8989963 - Flags: review?(jseward)
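The backtrace in comment 0 and the description above ("setting an inline type for a block") point at one bug class: a type index read straight out of the module bytes reaches PackTypeCode, whose `refTypeIndex <= MaxTypes` assertion is a debug-only precondition rather than a validation step. The following is an added illustration of the check that belongs in the block-type reader; it is not code from SpiderMonkey or from fix.patch. Only the names PackTypeCode, MaxTypes, refTypeIndex and readBlockType come from the backtrace; the value of MaxTypes, the Decoder type, the 0x60 type-index marker and the byte sequences are assumptions constructed for this example, and the block-type encoding is simplified.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed bound; the real constant is defined in js/src/wasm/WasmTypes.h.
constexpr uint32_t MaxTypes = 1000000;

// Same shape as the routine in the backtrace: the assertion documents a
// precondition, compiles out of release builds, and is not input validation.
// Callers must range-check refTypeIndex before getting here.
inline uint32_t PackTypeCode(uint8_t typeCode, uint32_t refTypeIndex) {
    assert(refTypeIndex <= MaxTypes);
    return (refTypeIndex << 8) | typeCode;
}

// Minimal reader over untrusted module bytes (constructed for this example).
struct Decoder {
    const std::vector<uint8_t>& bytes;
    size_t pos;

    explicit Decoder(const std::vector<uint8_t>& b) : bytes(b), pos(0) {}

    bool readByte(uint8_t* out) {
        if (pos >= bytes.size()) return false;
        *out = bytes[pos++];
        return true;
    }

    // Unsigned LEB128 limited to 32 bits: rejects truncated input and a fifth
    // byte carrying bits that do not fit.
    bool readVarU32(uint32_t* out) {
        uint32_t result = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            uint8_t b;
            if (!readByte(&b)) return false;
            if (shift == 28 && (b & 0x70) != 0) return false;  // beyond bit 31
            result |= uint32_t(b & 0x7f) << shift;
            if ((b & 0x80) == 0) { *out = result; return true; }
        }
        return false;  // continuation bit still set after five bytes
    }
};

constexpr uint8_t kVoidBlock = 0x40;        // block with no result
constexpr uint8_t kTypeIndexMarker = 0x60;  // assumed marker: a type index follows

// Hardened block-type reader. numTypes is the count of types declared in the
// already-decoded type section; an index outside it is a validation failure and
// never reaches PackTypeCode.
bool readBlockType(Decoder& d, size_t numTypes, uint32_t* packed) {
    uint8_t b;
    if (!d.readByte(&b)) return false;
    // i32/i64/f32/f64 are encoded as 0x7f..0x7c; 0x40 is the empty block type.
    if (b == kVoidBlock || (b >= 0x7c && b <= 0x7f)) {
        *packed = PackTypeCode(b, 0);
        return true;
    }
    if (b != kTypeIndexMarker) return false;  // unknown block type byte
    uint32_t typeIndex;
    if (!d.readVarU32(&typeIndex)) return false;
    // The check the assertion only stands in for.
    if (typeIndex >= numTypes || typeIndex > MaxTypes) return false;
    *packed = PackTypeCode(kTypeIndexMarker, typeIndex);
    return true;
}

struct BlockTypeResult {
    bool ok;
    uint32_t packed;
};

// Decode one block type from a constructed byte sequence.
BlockTypeResult decodeBlockType(const std::vector<uint8_t>& bytes, size_t numTypes) {
    Decoder d(bytes);
    BlockTypeResult r{false, 0};
    r.ok = readBlockType(d, numTypes, &r.packed);
    return r;
}
```

The point of the layout is that the module-supplied index is compared against the module's own declared type count, and the packing routine is only ever called with a value that has passed that comparison; the assertion then really is unreachable on untrusted input instead of being the only thing between the decoder and out-of-range memory.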
Nightly-only, needs --wasm-gc too.
Depends on: 1459900
Comment on attachment 8989963 [details] [diff] [review]
fix.patch

Review of attachment 8989963 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8989963 - Flags: review?(jseward) → review+
Blocks: 1459900
No longer depends on: 1459900
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/9b9ffa4c105d
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Opening up, since this is nightly-only and protected behind --wasm-gc.
Group: core-security-release