Closed Bug 1602675 Opened 5 years ago Closed 5 years ago

SUMMARY: AddressSanitizer: SEGV /data/gecko-new/gecko-dev/js/src/ASAN2/dist/include/mozilla/UniquePtr.h:444:20 in mozilla::UniquePtr<char [], JS::FreePolicy>::reset(decltype(nullptr))

Categories

(Core :: JavaScript: WebAssembly, defect, P1)

Product:
Core
Component:
JavaScript: WebAssembly
Version:
73 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: 423495062, Assigned: lth)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

crash3.js
273 bytes, text/javascript
Details
Bug 1602675 - Properly check for TA view in heap access. r=bbouvier
47 bytes, text/x-phabricator-request
Details | Review
Attached file crash3.js

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36

Steps to reproduce:

$ ./gecko-dev/js/src/ASAN/js/src/js --fuzzing-safe ./crash3.js

crash3.js:
function f(stdlib, foreign, buffer) {
"use asm";
var i32 =stdlib.Int32Array
function g(i) {
i=i|0;
var j=0;
for (; (j>>>0) < 100000; j=(j+1)|0)
i32[i>>2] = j;
}
return g
}
var g = f(this, null, new ArrayBuffer(1<<16));
timeout(.1, function cb() { return true });
g(1<<16);

Actual results:

Backtrace:

Assertion failure: error_, at /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmValidate.cpp:74
AddressSanitizer:DEADLYSIGNAL

==6338==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555559990092 bp 0x7ffffffee1b0 sp 0x7ffffffee0e0 T0)
==6338==The signal is caused by a WRITE memory access.
==6338==Hint: address points to the zero page.
#0 0x555559990091 in mozilla::UniquePtr<char [], JS::FreePolicy>::reset(decltype(nullptr)) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/ASAN/dist/include/mozilla/UniquePtr.h:444:20
#1 0x555559990091 in mozilla::UniquePtr<char [], JS::FreePolicy>::~UniquePtr() /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/ASAN/dist/include/mozilla/UniquePtr.h:407
#2 0x555559990091 in js::wasm::Decoder::fail(unsigned long, char const*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmValidate.cpp:82
#3 0x5555597ed1dd in js::wasm::OpIter<(anonymous namespace)::IonCompilePolicy>::fail(char const*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmOpIter.h:910:13
#4 0x5555597ed1dd in js::wasm::OpIter<(anonymous namespace)::IonCompilePolicy>::readLinearMemoryAddress(unsigned int, js::wasm::LinearMemoryAddress<js::jit::MDefinition*>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmOpIter.h:1628
#5 0x5555597f1610 in js::wasm::OpIter<(anonymous namespace)::IonCompilePolicy>::readTeeStore(js::wasm::ValType, unsigned int, js::wasm::LinearMemoryAddress<js::jit::MDefinition>, js::jit::MDefinition**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmOpIter.h:1707:8
#6 0x5555597dc96e in EmitTeeStore((anonymous namespace)::FunctionCompiler&, js::wasm::ValType, js::Scalar::Type) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmIonCompile.cpp:2526:17
#7 0x555559796503 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmIonCompile.cpp
#8 0x555559778471 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode, mozilla::UniquePtr<char [], JS::FreePolicy>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmIonCompile.cpp:4525:12
#9 0x5555597457ca in ExecuteCompileTask(js::wasm::CompileTask, mozilla::UniquePtr<char [], JS::FreePolicy>) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmGenerator.cpp:737:12
#10 0x55555974768b in js::wasm::ModuleGenerator::locallyCompileCurrentTask() /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmGenerator.cpp:776:8
#11 0x55555974768b in js::wasm::ModuleGenerator::finishFuncDefs() /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/WasmGenerator.cpp:914
#12 0x5555596d43da in ModuleValidator<mozilla::Utf8Unit>::finish() /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/AsmJS.cpp:2156:13
#13 0x5555595d178a in RefPtr<js::wasm::Module const> CheckModule<mozilla::Utf8Unit>(JSContext, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, unsigned int*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/AsmJS.cpp:6421:27
#14 0x555559490430 in bool DoCompileAsmJS<mozilla::Utf8Unit>(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/AsmJS.cpp:7099:25
#15 0x555559490430 in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/wasm/AsmJS.cpp:7146
#16 0x55555801a5dc in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3507:8
#17 0x55555801a5dc in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3520
#18 0x55555801a5dc in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::maybeParseDirective(js::frontend::ListNode*, js::frontend::ParseNode*, bool*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3599
#19 0x555557feebf6 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList(js::frontend::YieldHandling) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3676:12
#20 0x55555800ea23 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::FunctionBodyType) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:2013:12
#21 0x55555800aa3f in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionNode**, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3219:12
#22 0x5555580097af in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunctionForFunctionBox(js::frontend::FunctionNode*, js::frontend::ParseContext*, js::frontend::FunctionBox*, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Directives*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:2967:8
#23 0x5555580612a8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::innerFunction(js::frontend::FunctionNode*, js::frontend::ParseContext*, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3000:32
#24 0x555557ff44c3 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction(js::frontend::FunctionNode**, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:2907:32
#25 0x555558017b80 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::trySyntaxParseInnerFunction(js::frontend::FunctionNode**, JS::Handle<js::frontend::FunctionCreationData>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:2945:27
#26 0x555558017b80 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionDefinition(js::frontend::FunctionNode*, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:2799
#27 0x555557ffa860 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionStmt(unsigned int, js::frontend::YieldHandling, js::frontend::DefaultHandling, js::FunctionAsyncKind) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3391:10
#28 0x555557ff5dba in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementListItem(js::frontend::YieldHandling, bool) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:8176:14
#29 0x555557feeadc in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList(js::frontend::YieldHandling) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:3654:17
#30 0x555558162406 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::globalBody(js::frontend::GlobalSharedContext*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/Parser.cpp:1502:20
#31 0x555558245d14 in js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::BytecodeCompiler&, JS::Handle<JSObject*>, js::frontend::SharedContext*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/BytecodeCompiler.cpp:521:22
#32 0x55555818464a in JSScript* CreateGlobalScript<mozilla::Utf8Unit>(js::frontend::GlobalScriptInfo&, JS::SourceText<mozilla::Utf8Unit>&, js::ScriptSourceObject**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/BytecodeCompiler.cpp:212:16
#33 0x55555818464a in js::frontend::CompileGlobalScript(js::frontend::GlobalScriptInfo&, JS::SourceText<mozilla::Utf8Unit>&, js::ScriptSourceObject**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/frontend/BytecodeCompiler.cpp:230
#34 0x555556d1f148 in JSScript* CompileSourceBuffer<mozilla::Utf8Unit>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/vm/CompilationAndEvaluation.cpp:73:10
#35 0x555556d2006a in JS::CompileUtf8FileDontInflate(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/vm/CompilationAndEvaluation.cpp:145:10
#36 0x55555653e7ce in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/shell/js.cpp:882:16
#37 0x55555653c4b2 in Process(JSContext*, char const*, bool, FileKind) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/shell/js.cpp:1512:14
#38 0x5555564ab29c in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/shell/js.cpp:10149:10
#39 0x5555564ab29c in Shell(JSContext*, js::cli::OptionParser*, char**) /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/shell/js.cpp:10753
#40 0x55555649a186 in main /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/shell/js.cpp:11415:12
#41 0x7ffff6827b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#42 0x5555563881f9 in _start (/home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/ASAN/dist/bin/js+0xe341f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/nesa320/lv_11721077/gecko-dev_11_26/gecko-dev-73/js/src/ASAN/dist/include/mozilla/UniquePtr.h:444:20 in mozilla::UniquePtr<char [], JS::FreePolicy>::reset(decltype(nullptr))
==6338==ABORTING

Component: JavaScript Engine → Javascript: WebAssembly
Flags: needinfo?(lhansen)

Thanks! I'm mostly OOO for a couple of days but can try to look on Thursday.

CheckArrayAccess would call isAnyArrayView which looks plausible but
is not, because that includes TA constructors, and those are not
valid base expressions for array access. Test for ArrayView instead.

Assignee: nobody → lhansen
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(lhansen)

The crash is just an NPE, and comes from the wasm verifier's error buffer not being instantiated when we verify code originating from asm.js, because that code should be without errors, something it was not in this case. No security worries, I think.

Attachment #9115399 - Attachment description: Bug 1602675 - Properly check for TA view in heap access. r?bbouvier → Bug 1602675 - Properly check for TA view in heap access. r=bbouvier
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/df2530eefeda Properly check for TA view in heap access. r=bbouvier
Priority: -- → P1

https://hg.mozilla.org/mozilla-central/rev/df2530eefeda

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: