Closed Bug 1736544 Opened 1 month ago Closed 1 month ago

Assertion failure: isSome(), at dist/include/mozilla/Maybe.h:782 with WebAssembly

Categories

(Core :: Javascript: WebAssembly, defect, P2)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 --- unaffected
firefox95 --- verified

People

(Reporter: decoder, Assigned: lth)

References

(Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect][bugmon:bisected,confirmed])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20211019-1e37fc4a7f53 (build with debug, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off test.js).

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    #0  0x0000555557d1a592 in EmitWait((anonymous namespace)::FunctionCompiler&, js::wasm::PackedType<js::wasm::ValTypeTraits>, unsigned int) ()
    #1  0x0000555557cd7917 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) ()
    #2  0x0000555557ccd2d8 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
    #3  0x0000555557c9ab33 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
    #4  0x0000555557c9be3a in js::wasm::ModuleGenerator::finishFuncDefs() ()
    #5  0x0000555557c78640 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) ()
    #6  0x0000555557c78268 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) ()
    #7  0x0000555557ce6eb2 in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) ()
    #8  0x0000555556c2aea1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
    #9  0x0000555556c3a265 in CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ()
    [...]

Marking s-s because the assertion guards against use of uninitialized memory.

(missing testcase)

Attached file Testcase for comment 5

A general problem in WasmIonCompile.cpp where a predicate is not guarded properly. I'll assess the impact of this after fixing it but in general it's probably pretty benign.

Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Priority: -- → P2

This is benign and can be opened (see comment on patch). In a release build, there won't be an assert but the opcode will be rejected subsequently and the program will not be run. Even though there may be a wild pointer here, no information will leak and no memory overwrite will occur.

Group: javascript-core-security

The isMem32 predicate assumes that there's a memory present (and this is the right thing), but sometimes we must call isMem32 before we've checked for the presence of a memory; this is a consequence of the structure of the compiler. Introduce a new predicate for these situations and use it as appropriate.

Only Ion is affected; baseline already has the necessary guard in all the required situations.

The missing test was an oversight - I introduced tests like these for
the memory instructions previously, but I forgot wait and notify.
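The pattern behind the fix described in the commit message above, as an added C++ illustration that is not SpiderMonkey code: `ModuleEnv`, `MemoryDesc`, `isMem32OrAbsent`, `compileWaitUnguarded` and `compileWaitGuarded` are hypothetical stand-ins, and `std::optional` plays the role of `mozilla::Maybe`. The unguarded predicate dereferences the optional memory descriptor unconditionally (here via `value()`, so a missing memory is a well-defined exception rather than the `isSome()` assertion in the report); the guarded variant treats "no memory" as "not mem32", so a module without a memory falls through to the later validation step that rejects the opcode, which is the release-build behaviour comment 3 describes.

```cpp
// Added illustration of the guarded-predicate fix; not SpiderMonkey code.
// Requires C++17 for std::optional. All names below are hypothetical.
#include <cstdio>
#include <optional>
#include <stdexcept>

enum class IndexType { I32, I64 };

struct MemoryDesc {
    IndexType indexType;
};

// Hypothetical stand-in for the compiler's module environment: a module may
// or may not declare a memory, so the descriptor is optional (like Maybe<>).
struct ModuleEnv {
    std::optional<MemoryDesc> memory;

    // Unguarded predicate: only valid once a memory is known to be present.
    // value() on an empty optional throws std::bad_optional_access, the
    // well-defined analogue of the isSome() assertion in the bug report.
    bool isMem32() const { return memory.value().indexType == IndexType::I32; }

    // Guarded variant for call sites that run before memory presence has been
    // validated: a missing memory is simply reported as "not mem32".
    bool isMem32OrAbsent() const {
        return memory.has_value() && memory->indexType == IndexType::I32;
    }
};

// Outcome of compiling a memory-using instruction such as wait/notify.
enum class Outcome { Compiled32, Compiled64, RejectedNoMemory, PreconditionViolated };

// Pre-fix structure: the index-type predicate is consulted before the
// "is there a memory at all?" check that the validator performs later.
Outcome compileWaitUnguarded(const ModuleEnv& env) {
    bool mem32;
    try {
        mem32 = env.isMem32();                      // runs before presence check
    } catch (const std::bad_optional_access&) {
        return Outcome::PreconditionViolated;       // the assertion in the report
    }
    if (!env.memory) return Outcome::RejectedNoMemory;  // later validation
    return mem32 ? Outcome::Compiled32 : Outcome::Compiled64;
}

// Post-fix structure: the early call site uses the guarded predicate, so a
// module with no memory reaches the rejection path instead of the assertion.
Outcome compileWaitGuarded(const ModuleEnv& env) {
    bool mem32 = env.isMem32OrAbsent();             // safe regardless of presence
    if (!env.memory) return Outcome::RejectedNoMemory;
    return mem32 ? Outcome::Compiled32 : Outcome::Compiled64;
}

static const char* describe(Outcome o) {
    switch (o) {
        case Outcome::Compiled32:           return "compiled (mem32)";
        case Outcome::Compiled64:           return "compiled (mem64)";
        case Outcome::RejectedNoMemory:     return "rejected: no memory";
        case Outcome::PreconditionViolated: return "precondition violated";
    }
    return "?";
}

int main() {
    ModuleEnv noMemory{std::nullopt};                 // constructed: module without a memory
    ModuleEnv mem32{MemoryDesc{IndexType::I32}};      // constructed: 32-bit memory
    std::printf("unguarded, no memory: %s\n", describe(compileWaitUnguarded(noMemory)));
    std::printf("guarded,   no memory: %s\n", describe(compileWaitGuarded(noMemory)));
    std::printf("guarded,   mem32:     %s\n", describe(compileWaitGuarded(mem32)));
    return 0;
}
```

The two compile functions differ only in which predicate the early call site uses; the later presence check is unchanged, which is why the commit can describe the fix as introducing a new predicate rather than restructuring the compiler.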

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20211019095357-4185629111d3.
The bug appears to have been introduced in the following build range:

Start: e2b5e618de42b6de694ca95e75e9bd442c2ff9ff (20211018093031)
End: 80388e7f335c78b1926f0e5eb258cb881d1f7a1d (20211018100215)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e2b5e618de42b6de694ca95e75e9bd442c2ff9ff&tochange=80388e7f335c78b1926f0e5eb258cb881d1f7a1d

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][bugmon:bisected,confirmed]
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3f4457072146
Guard isMem32 when we don't yet know if there's a memory. r=jseward

:lth, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lhansen)
Flags: needinfo?(lhansen)
Regressed by: 1727084
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20211021054209-54672b7d3f45.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon