Bug 1473956 - Assertion failure: isDouble(), at dist/include/js/Value.h:872 with wasm and OOM
Status: Closed (opened 7 years ago, closed 7 years ago)
Categories: Core :: JavaScript: WebAssembly, defect
Tracking: VERIFIED FIXED, target milestone mozilla63
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | unaffected
firefox61 | --- | unaffected
firefox62 | --- | unaffected
firefox63 | --- | verified
People: Reporter: decoder, Assigned: bbouvier
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [jsbugmon:update][post-critsmash-triage]
Attachments: 1 file, 1 obsolete file
patch, 2.56 KB (bbouvier: review+)
The following testcase crashes on mozilla-central revision a0e47ebc4c06 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):
var lfLogBuffer = `
let mt = "";
let glob = new WebAssembly.Global({value:'i32', mutable:true}, 88);
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    try {
        // oomTest() re-runs the callback, failing a different allocation each time.
        oomTest(function() {
            let m = parseModule(lfVarx);
            m.declarationInstantiation();
            m.evaluation();
        });
    } catch (lfVare) {}
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x089d37a6 in JS::Value::toPrivate (this=<optimized out>) at dist/include/js/Value.h:872
#1 js::WasmGlobalObject::cell (this=0xf59761f0) at js/src/wasm/WasmJS.cpp:2460
#2 js::WasmGlobalObject::finalize (obj=0xf59761f0) at js/src/wasm/WasmJS.cpp:2180
#3 0x08b0ad9d in js::Class::doFinalize (this=<optimized out>, obj=0xf59761f0, fop=0xffffc500) at dist/include/js/Class.h:893
#4 JSObject::finalize (this=0xf59761f0, fop=0xffffc500) at js/src/vm/JSObject-inl.h:108
#5 0x08b125d5 in js::gc::Arena::finalize<JSObject> (this=0xf5976000, fop=0xffffc500, thingKind=js::gc::AllocKind::OBJECT4_BACKGROUND, thingSize=48) at js/src/gc/GC.cpp:602
#6 0x08af415f in FinalizeTypedArenas<JSObject> (fop=fop@entry=0xffffc500, src=src@entry=0xffffbc2c, dest=..., thingKind=js::gc::AllocKind::OBJECT4_BACKGROUND, budget=..., keepArenas=js::gc::ArenaLists::KEEP_ARENAS) at js/src/gc/GC.cpp:660
#7 0x08af46f7 in FinalizeArenas (keepArenas=js::gc::ArenaLists::KEEP_ARENAS, budget=..., thingKind=js::gc::AllocKind::OBJECT4_BACKGROUND, dest=..., src=0xffffbc2c, fop=0xffffc500) at js/src/gc/GC.cpp:694
#8 js::gc::ArenaLists::backgroundFinalize (fop=0xffffc500, listHead=<optimized out>, empty=0xffffc4cc) at js/src/gc/GC.cpp:3201
#9 0x08af6fc3 in js::gc::GCRuntime::sweepBackgroundThings (this=this@entry=0xf6e0c430, zones=..., freeBlocks=...) at js/src/gc/GC.cpp:3576
#10 0x08af7534 in js::gc::GCRuntime::sweepBackgroundThings (freeBlocks=..., zones=..., this=0xf6e0c430) at js/src/gc/GC.cpp:3723
#11 js::gc::BackgroundSweepTask::run (this=0xf6e0d898) at js/src/gc/GC.cpp:3723
#12 0x0876de7f in js::GCParallelTask::runTask (this=0xf6e0d898) at js/src/gc/GCParallelTask.h:129
#13 js::GCParallelTask::runFromMainThread (this=0xf6e0d898, rt=0xf6e0c000) at js/src/vm/HelperThreads.cpp:1564
#14 0x08acbb3d in js::gc::BackgroundSweepTask::runFromMainThread (this=0xf6e0d898, rt=0xf6e0c000) at js/src/gc/GC.cpp:3699
#15 0x08aec4c5 in js::gc::GCRuntime::endSweepingSweepGroup (this=0xf6e0c430, fop=0xffffc800, budget=...) at js/src/gc/GC.cpp:5841
#16 0x08b29ca5 in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0xf6e02280, args#0=0xf6e0c430, args#1=0xffffc800, args#2=...) at js/src/gc/GC.cpp:6387
#17 0x08b2a28e in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run (this=0xf6e05bc0, args#0=0xf6e0c430, args#1=0xffffc800, args#2=...) at js/src/gc/GC.cpp:6448
#18 0x08ad1b76 in js::gc::GCRuntime::performSweepActions (this=0xf6e0c430, budget=...) at js/src/gc/GC.cpp:6616
#19 0x08afba56 in js::gc::GCRuntime::incrementalCollectSlice (this=0xf6e0c430, budget=..., reason=JS::gcreason::DESTROY_RUNTIME, session=...) at js/src/gc/GC.cpp:7203
#20 0x08afce80 in js::gc::GCRuntime::gcCycle (this=<optimized out>, nonincrementalByAPI=<optimized out>, budget=..., reason=<optimized out>) at js/src/gc/GC.cpp:7533
#21 0x08afd56d in js::gc::GCRuntime::collect (this=0xf6e0c430, nonincrementalByAPI=true, budget=..., reason=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7707
#22 0x08afd924 in js::gc::GCRuntime::gc (this=0xf6e0c430, gckind=GC_NORMAL, reason=JS::gcreason::DESTROY_RUNTIME) at js/src/gc/GC.cpp:7782
#23 0x08852c66 in JSRuntime::destroyRuntime (this=0xf6e0c000) at js/src/vm/Runtime.cpp:304
#24 0x087a5187 in js::DestroyContext (cx=0xf6e1e800) at js/src/vm/JSContext.cpp:202
#25 0x08634dc9 in JS_DestroyContext (cx=0xf6e1e800) at js/src/jsapi.cpp:497
#26 0x08082981 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9481
eax 0x0 0
ebx 0x8e70ff4 149360628
ecx 0xf7d9f864 -136710044
edx 0x0 0
esi 0xf59761f0 -174628368
edi 0xf59761f0 -174628368
ebp 0xffffba98 4294949528
esp 0xffffba90 4294949520
eip 0x89d37a6 <js::WasmGlobalObject::finalize(js::FreeOp*, JSObject*)+86>
=> 0x89d37a6 <js::WasmGlobalObject::finalize(js::FreeOp*, JSObject*)+86>: movl $0x0,0x0
0x89d37b0 <js::WasmGlobalObject::finalize(js::FreeOp*, JSObject*)+96>: ud2
Marking s-s because the assertion can indicate security problems.
Comment 1 • 7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/50d6babb2ec7
user: Benjamin Bouvier
date: Fri Jun 29 16:43:20 2018 +0200
summary: Bug 1450261: Implement Val, a rooted LitVal; r=luke, r=jonco
This iteration took 287.759 seconds to run.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Updated • 7 years ago
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Updated • 7 years ago (Assignee)
Component: JavaScript Engine → Javascript: Web Assembly
Flags: needinfo?(bbouvier)
Updated • 7 years ago (Assignee)
Flags: needinfo?(bbouvier)
Comment 2 • 7 years ago (Assignee)
Just a consequence of bug 1450261, which moved the initialization of the cell after the object has been created. In this case, two mistakes:
- the js_new call should have used ReportOOM.
- the owning Global object should now check whether its Cell's slot has been defined or not (since the Cell allocation can fail, the global can end up being partly initialized).
I think the only issue is that the js_delete call may be called with a reference to initialized memory. Don't know how exploitable this is.
Flags: needinfo?(bbouvier)
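The partial-initialization hazard described in comment 2, reduced to a stand-alone model. This is an added illustration written for this page, not SpiderMonkey code: Value, Cell, GlobalObject, jsNewCell, gAllocBudget and the sweep loop are assumptions standing in for JS::Value, WasmGlobalObject::Cell, js_new and the GC's background finalization. The pre-fix finalizer reads the slot unconditionally, as the backtrace shows WasmGlobalObject::finalize doing; the post-fix finalizer first checks that the slot was ever defined.

```cpp
#include <cstdint>
#include <vector>

// Miniature tagged value with the predicates that appear in the backtrace.
struct Value {
    enum class Tag { Undefined, Double } tag = Tag::Undefined;
    uintptr_t bits = 0;
    bool isUndefined() const { return tag == Tag::Undefined; }
    bool isDouble() const { return tag == Tag::Double; }

    // JS::Value keeps private pointers in the double payload, so toPrivate()
    // asserts isDouble(). Here the failed assertion is recorded instead of
    // aborting, so that the two finalizers below can be compared in one run.
    void* toPrivate(bool& assertionFailed) const {
        if (!isDouble()) {
            assertionFailed = true;
            return nullptr;
        }
        return reinterpret_cast<void*>(bits);
    }
    static Value fromPrivate(void* p) {
        Value v; v.tag = Tag::Double; v.bits = reinterpret_cast<uintptr_t>(p);
        return v;
    }
};

// Out-of-line storage owned by a global (stand-in for the Cell in WasmJS.cpp).
struct Cell {
    int32_t i32 = 0;
};

// GC-managed object with one reserved slot that should hold its Cell pointer.
struct GlobalObject {
    Value cellSlot;  // stays Undefined until a Cell has been allocated and stored
};

// Everything created here is "on the GC heap": the sweep will finalize it
// whether or not the creating call ever handed a pointer back to the caller.
static std::vector<GlobalObject*> gHeap;

// Simulated js_new: fails once the budget reaches zero, as oomTest() does for
// real allocations. A negative budget never fails.
static int gAllocBudget = -1;
static Cell* jsNewCell() {
    if (gAllocBudget == 0) return nullptr;
    if (gAllocBudget > 0) --gAllocBudget;
    return new Cell();
}

// Same ordering as the regressing changeset: object first, Cell afterwards.
// If the Cell allocation fails, the object survives partially initialized.
static GlobalObject* createGlobal(int32_t initialValue) {
    GlobalObject* obj = new GlobalObject();
    gHeap.push_back(obj);
    Cell* cell = jsNewCell();
    if (!cell) {
        return nullptr;  // caller sees OOM, but obj is still reachable by the GC
    }
    cell->i32 = initialValue;
    obj->cellSlot = Value::fromPrivate(cell);
    return obj;
}

// Pre-fix finalizer: reinterprets the slot as a Cell pointer unconditionally.
static void finalizeUnchecked(GlobalObject* obj, bool& assertionFailed) {
    Cell* cell = static_cast<Cell*>(obj->cellSlot.toPrivate(assertionFailed));
    delete cell;
}

// Post-fix finalizer: a global whose Cell was never stored has nothing to free.
static void finalizeChecked(GlobalObject* obj, bool& assertionFailed) {
    if (obj->cellSlot.isUndefined()) return;
    Cell* cell = static_cast<Cell*>(obj->cellSlot.toPrivate(assertionFailed));
    delete cell;
}

// Creates one global under the given allocation budget, then sweeps the heap
// with the chosen finalizer. Returns true if the isDouble() assertion fired.
static bool sweepAfterCreate(int allocBudget, bool useCheckedFinalizer) {
    gAllocBudget = allocBudget;
    createGlobal(88);
    bool assertionFailed = false;
    for (GlobalObject* obj : gHeap) {
        if (useCheckedFinalizer) finalizeChecked(obj, assertionFailed);
        else finalizeUnchecked(obj, assertionFailed);
        delete obj;
    }
    gHeap.clear();
    return assertionFailed;
}

int main() {
    // Budget 0 makes the Cell allocation fail, which is the fuzzer's OOM case.
    bool oldFinalizerFires = sweepAfterCreate(0, false);
    bool newFinalizerFires = sweepAfterCreate(0, true);
    return (oldFinalizerFires && !newFinalizerFires) ? 0 : 1;
}
```

In the real engine the failed assertion aborts the process, which is what the reporter's backtrace shows; the model records it instead so both finalizers can run in one process. The other half of the fix named in comment 2, reporting the failed js_new as an OOM rather than returning silently, is outside what this model shows.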
Comment 3 • 7 years ago (Assignee)
See previous comment for explanation of the fix and what's happening here.
Updated • 7 years ago
Attachment #8991924 - Flags: review?(jseward) → review+
Comment 4 • 7 years ago (Assignee)
Regression from changeset https://hg.mozilla.org/mozilla-central/rev/50d6babb2ec7, which is on Nightly only and not affecting other branches, so I will land without sec approval.
The OOM reporting could just ride the trains, since I think it can't be exploited.
Comment 5 • 7 years ago (Assignee)
Attachment #8991924 - Attachment is obsolete: true
Attachment #8992351 - Flags: review+
Comment 6 • 7 years ago (Assignee)
Comment 7 • 7 years ago
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated • 7 years ago
Flags: qe-verify-
Whiteboard: [jsbugmon:update] → [jsbugmon:update][post-critsmash-triage]
Updated • 7 years ago
Status: RESOLVED → VERIFIED
Comment 8 • 7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 5 years ago
Group: core-security-release