Closed Bug 1742584 Opened 2 years ago Closed 2 years ago

Assertion failure: js::gc::IsCellPointerValid(&obj), a js/Value.h:490 with wasmGlobalFromArrayBuffer

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
96 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- wontfix
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- verified

People

(Reporter: decoder, Assigned: lth)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(3 files)

Detailed Crash Information
1.38 KB, text/plain
Details
Testcase
121 bytes, text/plain
Details
Bug 1742584 - Add null checks. r?yury
48 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20211123-71332992f78f (debug build, run with --fuzzing-safe --ion-offthread-compile=off --blinterp-warmup-threshold=1):

function a(b) {
  c = new Uint16Array(b);
  wasmGlobalFromArrayBuffer('v128', c.buffer);
}
oomTest(() => a([,,,,,,, 0]));

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000555556ad3238 in js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject(JSObject&) ()
#1  0x00005555571a5031 in WasmGlobalFromArrayBuffer(JSContext*, unsigned int, JS::Value*) ()
#2  0x00003e70a2331fcf in ?? ()
[...]
#5  0x0000000000000000 in ?? ()
rax	0x555555712b90	93824994061200
rbx	0x7fffffffb400	140737488335872
rcx	0x5555581a5020	93825038700576
rdx	0x0	0
rsi	0x7ffff7105770	140737338431344
rdi	0x7ffff7104540	140737338426688
rbp	0x7fffffffb3e0	140737488335840
rsp	0x7fffffffb3c0	140737488335808
r8	0x7ffff7105770	140737338431344
r9	0x7ffff7f99840	140737353717824
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb440	140737488335936
r13	0xaaaaaaaaaaaaaaaa	-6148914691236517206
r14	0x7fffffffb510	140737488336144
r15	0x7fffffffb420	140737488335904
rip	0x555556ad3238 <js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject(JSObject&)+200>
=> 0x555556ad3238 <_ZN2js27MutableWrappedPtrOperationsIN2JS5ValueENS1_13MutableHandleIS2_EEE9setObjectER8JSObject+200>:	movl   $0x1ea,0x0
   0x555556ad3243 <_ZN2js27MutableWrappedPtrOperationsIN2JS5ValueENS1_13MutableHandleIS2_EEE9setObjectER8JSObject+211>:	callq  0x555556b5a76b <abort>

This might be a problem with the wasmGlobalFromArrayBuffer function, but marking s-s until investigated.

Attached file Testcase 

    
    

    
  
Devious!  Giving this to Yury, as I'm busy right now, though it's likely my fault.


Assignee: nobody → ydelendik
Severity: -- → S4
Priority: -- → P1

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20211123094249-71332992f78f.

The bug appears to have been introduced in the following build range:




Start: b9efd1c99ba7f8af4965f64589014c1dba34c636 (20210511060843)

End: ab1fc35f9ba6b6a59a3ede09b810150d43eeb55b (20210511062430)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b9efd1c99ba7f8af4965f64589014c1dba34c636&tochange=ab1fc35f9ba6b6a59a3ede09b810150d43eeb55b




Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

    
    

    
  
Marking the regression based on comment 4.


Regressed by: 1710075

    
    

    
  
Set release status flags based on info from the regressing bug 1710075



          status-firefox94:
          --- → affected

          status-firefox95:
          --- → affected

          status-firefox-esr91:
          --- → affected

    
    

    
  
Missing null checks in wasmGlobalFromArrayBuffer, not s-s.


Assignee: ydelendik → lhansen
Priority: P1 → P2

    
    

    
  
Not a regression, bug has been in code since day 1.


Keywords: regression
No longer regressed by: 1710075
Group: javascript-core-security

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/bd6702a2a4b1


Status: NEW → RESOLVED
Closed: 2 years ago

          status-firefox96:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

    
    

    
  
Bugmon Analysis

Verified bug as fixed on rev mozilla-central 20211130042247-58d2fbdb6b4a.

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Status: RESOLVED → VERIFIED

          status-firefox96:
          fixedverified
Keywords: bugmon

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: