Closed Bug 1647053 Opened 4 years ago Closed 4 years ago

Crash [@ FuncTypeToString] with use-after-free or Assertion failure: aIndex < mLength, at mozilla/Vector.h:487

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

x86_64
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1645610
Tracking Status
firefox79 --- fixed

People

(Reporter: decoder, Assigned: lth)

The following testcase crashes on mozilla-central revision 20200614-c68fe15a81fc (debug build, run with --fuzzing-safe --ion-offthread-compile=off --disable-oom-functions test.js):

// Fuzzer-generated testcase: the crash happens inside WebAssembly.Module.exports()
// while enumerating the two exports that both refer to function 3.
// Inner backticks are escaped because the whole statement is passed to the
// shell's evaluate() as one template string.
evaluate(`WebAssembly.Module.exports(new WebAssembly.Module(wasmTextToBinary(\`
(module
  (func (;0;))
  (func (;1;))
  (func (;2;))
  (func (;3;) (result i32)
    i32.const 42)
  (export "memo" (func 3))
  (export "main" (func 3)))
\`)));
`)().next();

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  FuncTypeToString () at /builds/worker/checkouts/gecko/js/src/wasm/WasmJS.cpp:1029
#1  0x00005566c4839c4a in js::WasmModuleObject::exports () at /builds/worker/checkouts/gecko/js/src/wasm/WasmJS.cpp:1197
#2  0x00005566c3c4ee92 in CallJSNative () at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486
#3  js::InternalCallOrConstruct () at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:578
#4  0x00005566c3c5019d in InternalCall () at /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:641
[...]
#28 main () at /builds/worker/checkouts/gecko/js/src/shell/js.cpp:11638
rax	0xe5e5e5e5e5e5e5e5	-1880844493789993499
rbx	0x7f8c15423000	140239628808192
rcx	0x37c85a83e500	61333651580160
rdx	0xfffb37c85a827e40	-1346041232064960
rsi	0x28	40
rdi	0x7ffdc1e91270	140727856730736
rbp	0x7ffdc1e91320	140727856730912
rsp	0x7ffdc1e91250	140727856730704
r8	0x5566c729b8c8	93899916425416
r9	0x5566c729b8c8	93899916425416
r10	0x1b	27
r11	0x50	80
r12	0xe5e5e5e5e5e5e5e5	-1880844493789993499
r13	0x7ffdc1e91260	140727856730720
r14	0x7d7d7d7d7d7d7d79	9042521604759584121
r15	0x5566c5084f38	93899880681272
rip	0x5566c4830653 <FuncTypeToString()+275>
=> 0x5566c4830653 <FuncTypeToString()+275>:	mov    (%r12),%ebx
   0x5566c4830657 <FuncTypeToString()+279>:	add    $0x4,%r12

I saw this crash today and reproduced it on the given revision (which is from last Sunday, because it popped up in a coverage run). On this revision, I can reproduce it in a debug build, but on newer revisions I have no luck. I don't remember seeing this assertion last week anywhere so I want to be sure that we really fixed this and didn't mask it somehow. A fix bisection would also be good to be sure. Marking s-s for now due to use-after-free / out-of-bounds.
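The same module as the attached testcase, hand-encoded as a wasm binary so that the WebAssembly.Module.exports() call at the crash site can be checked on any engine without the shell-only wasmTextToBinary() and evaluate() helpers. This is an added example, not code from the report; it shows the expected, non-crashing result (two "function" descriptors, both resolving to func 3).

```javascript
// Added example (not the attached testcase): the module from the report,
// hand-encoded as a binary. Four functions, funcs 0-2 empty, func 3 returns
// i32 42 and is exported twice, as "memo" and as "main".
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,             // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,             // version 1
  // Type section: type 0 = () -> (), type 1 = () -> (i32)
  0x01, 0x08, 0x02,
  0x60, 0x00, 0x00,
  0x60, 0x00, 0x01, 0x7f,
  // Function section: funcs 0..2 use type 0, func 3 uses type 1
  0x03, 0x05, 0x04, 0x00, 0x00, 0x00, 0x01,
  // Export section: "memo" -> func 3, "main" -> func 3
  0x07, 0x0f, 0x02,
  0x04, 0x6d, 0x65, 0x6d, 0x6f, 0x00, 0x03,
  0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x03,
  // Code section: three empty bodies, then "i32.const 42; end"
  0x0a, 0x0f, 0x04,
  0x02, 0x00, 0x0b,
  0x02, 0x00, 0x0b,
  0x02, 0x00, 0x0b,
  0x04, 0x00, 0x41, 0x2a, 0x0b,
]);

// Enumerate the export descriptors; this is the API call that crashed
// in FuncTypeToString in the report. Each descriptor is {name, kind}.
function exportDescriptors() {
  const mod = new WebAssembly.Module(MODULE_BYTES);
  return WebAssembly.Module.exports(mod);
}

// Instantiate and call both exports to confirm they alias function 3.
function callExports() {
  const inst = new WebAssembly.Instance(new WebAssembly.Module(MODULE_BYTES));
  return { memo: inst.exports.memo(), main: inst.exports.main() };
}
```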

Attached file Testcase

I'll take a look. That's the test case for last week's fuzzbug, and the crash site suggests this would have been fixed by that patch, but worth checking.

Assignee: nobody → lhansen
Severity: critical → S4
Status: NEW → ASSIGNED
Priority: -- → P3

I can repro the assert but that's just bug 1645610, which has been fixed. A use-after-free would be more interesting but needs STR; there's nothing obvious in the code that would lead to such a problem even if the assert were to be disabled and would allow the OOB access. Please reopen if STR can be found to repro use-after-free.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Keywords: bugmon
Whiteboard: [bugmon:update,bisect]
Bugmon Analysis:
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Group: javascript-core-security