Closed Bug 1497612 Opened 6 years ago Closed 6 years ago

Assertion failure: cursor == begin + size, at js/src/wasm/WasmModule.cpp:226 with OOM

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: decoder, Assigned: luke)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a9616aaeff87 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

oomTest(new Function(`
  const {Module, Instance, compileStreaming} = WebAssembly;
  function testCached(code, imports, test) {
    code = wasmTextToBinary(code);
    let cache = streamCacheEntry(code);
    compileStreaming(cache)
    drainJobQueue();
  }
  testCached(
    \`(module
       (func (export "run") (result i32)
         (i32.const 42)))\`);
`));
Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff5905700 (LWP 20622)]
0x000055555622857b in js::wasm::Module::serialize (this=this@entry=0x7ffff49e0de0, linkData=..., begin=<optimized out>, size=1915) at js/src/wasm/WasmModule.cpp:226
#0  0x000055555622857b in js::wasm::Module::serialize (this=this@entry=0x7ffff49e0de0, linkData=..., begin=<optimized out>, size=1915) at js/src/wasm/WasmModule.cpp:226
#1  0x000055555622b62a in js::wasm::Module::serialize (this=0x7ffff49e0de0, linkData=..., listener=...) at js/src/wasm/WasmModule.cpp:321
#2  0x00005555561f8b22 in js::wasm::ModuleGenerator::finishModule (this=this@entry=0x7ffff5902c90, bytecode=..., maybeTier2Listener=0x7ffff5fc1a20, maybeLinkDataOut=maybeLinkDataOut@entry=0x0) at js/src/wasm/WasmGenerator.cpp:1148
#3  0x0000555556186675 in js::wasm::CompileStreaming (args=..., envBytes=..., codeBytes=..., codeBytesEnd=..., exclusiveStreamEnd=..., cancelled=..., error=<optimized out>, warnings=<optimized out>) at js/src/wasm/WasmCompile.cpp:779
#4  0x000055555624087f in CompileStreamTask::execute (this=0x7ffff4916800) at js/src/wasm/WasmJS.cpp:3225
#5  0x0000555555f72df4 in js::HelperThread::handlePromiseHelperTaskWorkload (this=0x7ffff5f06d80, locked=...) at js/src/vm/HelperThreads.cpp:2157
#6  0x0000555555f5e9ac in js::HelperThread::threadLoop (this=this@entry=0x7ffff5f06d80) at js/src/vm/HelperThreads.cpp:2642
#7  0x0000555555f5ebb0 in js::HelperThread::ThreadMain (arg=0x7ffff5f06d80) at js/src/vm/HelperThreads.cpp:2085
#8  0x0000555555f835d2 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul> (this=0x7ffff5f1b080) at js/src/threading/Thread.h:243
#9  js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0x7ffff5f1b080) at js/src/threading/Thread.h:236
#10 0x00007ffff7bc16ba in start_thread (arg=0x7ffff5905700) at pthread_create.c:333
#11 0x00007ffff6c2c41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rip	0x55555622857b <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+971>
=> 0x55555622857b <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+971>:	movl   $0x0,0x0
   0x555556228586 <js::wasm::Module::serialize(js::wasm::LinkData const&, unsigned char*, unsigned long) const+982>:	ud2
Marking s-s because this is a range/length-like assertion.
Taking.  But not s-s since this caching path is currently shell-only and not (yet) content-exposed.
Assignee: nobody → luke
Attached patch fix-oom
Oops, forgot to check oom value.  Two of these callers are in an infallible environment and we're also talking about a <20 byte value here, so it seems simpler to just use an infallible allocation.

This feature isn't web-exposed, just tested by the shell, so this is not s-s.
Attachment #9015759 - Flags: review?(lhansen)
Attachment #9015759 - Flags: review?(lhansen) → review+
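An added illustration of the failure class described in the comment above (a constructed example, not the SpiderMonkey patch or any code from this bug): a two-pass serializer whose write pass must end exactly at begin + size, with one fallible step whose return value is ignored in the buggy configuration and propagated in the checked one. The Record type, writeBody, and the gSimulateOOM hook are hypothetical stand-ins for the real module data, the real fallible step, and the shell's oomTest() harness.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

// Constructed illustration, not SpiderMonkey code: a two-pass serializer in the
// style the assertion describes. Pass 1 computes the size, pass 2 writes into a
// buffer of that size and must finish with cursor == begin + size.
struct Record {  // hypothetical stand-in for the module data
  uint32_t tag;
  std::vector<uint8_t> body;
};
static bool gSimulateOOM = false;  // hypothetical hook standing in for oomTest()
static size_t serializedSize(const Record& r) { return 2 * sizeof(uint32_t) + r.body.size(); }

static void writeU32(uint32_t v, uint8_t** cursor) {
  std::memcpy(*cursor, &v, sizeof v);
  *cursor += sizeof v;
}

// A fallible step: stages the body through a temporary allocation and reports
// allocation failure through its return value (the "oom value").
static bool writeBody(const Record& r, uint8_t** cursor) {
  std::unique_ptr<uint8_t[]> tmp(gSimulateOOM ? nullptr : new uint8_t[r.body.size() + 1]);
  if (!tmp) return false;
  std::memcpy(tmp.get(), r.body.data(), r.body.size());
  std::memcpy(*cursor, tmp.get(), r.body.size());
  *cursor += r.body.size();
  return true;
}

enum class Outcome { Ok, InvariantBroken, ReportedOOM };

// checkOOM=false reproduces the bug: writeBody's result is ignored, so under OOM the
// cursor stops short of begin + size. checkOOM=true propagates the failure first.
static Outcome serialize(const Record& r, bool checkOOM, std::vector<uint8_t>* out) {
  out->assign(serializedSize(r), 0);
  uint8_t* begin = out->data();
  uint8_t* cursor = begin;
  writeU32(r.tag, &cursor);
  writeU32(uint32_t(r.body.size()), &cursor);
  if (!writeBody(r, &cursor) && checkOOM) return Outcome::ReportedOOM;
  return cursor == begin + out->size() ? Outcome::Ok : Outcome::InvariantBroken;
}

// Runs one scenario on a constructed sample record and restores the hook.
static Outcome runScenario(bool oom, bool checkOOM) {
  gSimulateOOM = oom;
  Record r{42, {1, 2, 3}};
  std::vector<uint8_t> out;
  Outcome o = serialize(r, checkOOM, &out);
  gSimulateOOM = false;
  return o;
}
```

In a debug build the InvariantBroken case is where a MOZ_ASSERT on the cursor would fire; the checked variant never reaches that comparison, which is the same effect the fix obtains by removing the fallible step entirely.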
https://hg.mozilla.org/mozilla-central/rev/43a51bc9a77d
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64