AddressSanitizer: heap-buffer-overflow [@ kind] with READ of size 4 or Assertion failure: !empty(), at mozilla/Vector.h:597
Categories
(Core :: JavaScript: WebAssembly, defect, P2)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | unaffected |
| firefox116 | --- | unaffected |
| firefox117 | --- | unaffected |
| firefox118 | --- | disabled |
| firefox119 | --- | fixed |
People
(Reporter: decoder, Assigned: rhunt)
References
(Regression)
Details
(5 keywords, Whiteboard: [bugmon:update,bisect][fuzzblocker])
Attachments
(3 files)
The attached testcase crashes on mozilla-central revision 20230807-06273ebf279a (asan-opt build, run with --no-threads --wasm-compiler=baseline --wasm-gc test.js).
Backtrace:
==18042==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000528e8 at pc 0x5609c8459591 bp 0x7ffd9d4f9600 sp 0x7ffd9d4f95f8
READ of size 4 at 0x6210000528e8 thread T0
#0 0x5609c8459590 in kind /js/src/wasm/WasmBCStk.h:169:30
#1 0x5609c8459590 in js::wasm::BaseCompiler::popI32() /js/src/wasm/WasmBCStkMgmt-inl.h:744:9
#2 0x5609c84eb741 in js::wasm::BaseCompiler::emitI31New() /js/src/wasm/WasmBaselineCompile.cpp:7476:21
#3 0x5609c84fc771 in js::wasm::BaseCompiler::emitBody() /js/src/wasm/WasmBaselineCompile.cpp:9989:13
#4 0x5609c8526848 in emitFunction /js/src/wasm/WasmBaselineCompile.cpp:11140:8
#5 0x5609c8526848 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:11319:12
#6 0x5609c8609bab in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:721:12
#7 0x5609c860ac84 in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:770:8
#8 0x5609c860ac84 in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:901:24
#9 0x5609c85d667f in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp:707:13
#10 0x5609c85d5b77 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:729:8
#11 0x5609c867899e in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /js/src/wasm/WasmJS.cpp:1455:7
#12 0x5609c670d773 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#13 0x5609c670d773 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
#14 0x5609c670d773 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:708:14
#15 0x5609c672f5fa in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
#16 0x5609c672f5fa in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
#17 0x5609c670982b in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#18 0x5609c670982b in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#19 0x5609c670f103 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
#20 0x5609c691dfe5 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /js/src/vm/CompilationAndEvaluation.cpp:517:10
#21 0x5609c6433d0d in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /js/src/shell/js.cpp:1099:10
#22 0x5609c6432ad0 in Process(JSContext*, char const*, bool, FileKind) /js/src/shell/js.cpp
#23 0x5609c639da64 in ProcessArgs /js/src/shell/js.cpp:10736:10
#24 0x5609c639da64 in Shell(JSContext*, js::cli::OptionParser*) /js/src/shell/js.cpp:10960:12
#25 0x5609c639056c in main /js/src/shell/js.cpp:11392:12
#26 0x7f4cdccff82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#27 0x5609c62a69b8 in _start (/mnt/LangFuzz/work/builds/tc/opt64asan/dist/bin/js+0x1ec29b8) (BuildId: 1854ffc74f53183b6d0ccea1f031c1e517437753)
0x6210000528e8 is located 24 bytes before 4080-byte region [0x621000052900,0x6210000538f0)
allocated by thread T0 here:
#0 0x5609c633f2ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x5609c85a86c3 in js_arena_malloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:371:10
#2 0x5609c85a86c3 in js_pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:587:26
#3 0x5609c85a86c3 in maybe_pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:33:12
#4 0x5609c85a86c3 in pod_arena_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:46:12
#5 0x5609c85a86c3 in pod_malloc<js::wasm::Stk> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:72:12
#6 0x5609c85a86c3 in mozilla::Vector<js::wasm::Stk, 0ul, js::SystemAllocPolicy>::convertToHeapStorage(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1027:30
#7 0x5609c85250f4 in reserve /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1118:9
#8 0x5609c85250f4 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:11294:12
#9 0x5609c8609bab in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:721:12
#10 0x5609c860ac84 in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:770:8
#11 0x5609c860ac84 in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:901:24
#12 0x5609c85d667f in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp:707:13
#13 0x5609c85d5b77 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:729:8
#14 0x5609c867899e in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /js/src/wasm/WasmJS.cpp:1455:7
#15 0x5609c670d773 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
[...]
#29 0x7f4cdccff82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow /js/src/wasm/WasmBCStk.h:169:30 in kind
Shadow bytes around the buggy address:
0x621000052800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x621000052880: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
0x621000052900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Heap left redzone: fa
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago (Reporter)
Comment 3•2 years ago (Reporter)
This is an automated crash issue comment:
Summary: Hit MOZ_CRASH(Compiler bug: expected ref on stack) at /js/src/wasm/WasmBCStkMgmt-inl.h:899
Build version: mozilla-central revision 20230805-b0538d39e8c8
Build type: fuzzing-asan-opt
Runtime options: --no-threads --wasm-compiler=baseline --wasm-gc
Backtrace:
==474==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x56023ac36f15 bp 0x7ffc035d2ca0 sp 0x7ffc035d2be0 T0)
#0 0x56023ac36f15 in js::wasm::BaseCompiler::popRef(js::wasm::Stk const&, js::wasm::RegRef) /js/src/wasm/WasmBCStkMgmt-inl.h:899:7
#1 0x56023ab7ffcc in js::wasm::BaseCompiler::popRef() /js/src/wasm/WasmBCStkMgmt-inl.h:927:5
#2 0x56023abde7db in js::wasm::BaseCompiler::emitI31Get(js::wasm::FieldWideningOp) /js/src/wasm/WasmBaselineCompile.cpp:7492:21
#3 0x56023abf383a in js::wasm::BaseCompiler::emitBody() /js/src/wasm/WasmBaselineCompile.cpp:9993:13
#4 0x56023ac29fb0 in emitFunction /js/src/wasm/WasmBaselineCompile.cpp:11140:8
#5 0x56023ac29fb0 in js::wasm::BaselineCompileFunctions(js::wasm::ModuleEnvironment const&, js::wasm::CompilerEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmBaselineCompile.cpp:11319:12
#6 0x56023ad52c2d in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /js/src/wasm/WasmGenerator.cpp:721:12
#7 0x56023ad543cb in locallyCompileCurrentTask /js/src/wasm/WasmGenerator.cpp:770:8
#8 0x56023ad543cb in js::wasm::ModuleGenerator::finishFuncDefs() /js/src/wasm/WasmGenerator.cpp:901:24
#9 0x56023ad115b6 in bool DecodeCodeSection<js::wasm::Decoder>(js::wasm::ModuleEnvironment const&, js::wasm::Decoder&, js::wasm::ModuleGenerator&) /js/src/wasm/WasmCompile.cpp:707:13
#10 0x56023ad10928 in js::wasm::CompileBuffer(js::wasm::CompileArgs const&, js::wasm::ShareableBytes const&, mozilla::UniquePtr<char [], JS::FreePolicy>*, mozilla::Vector<mozilla::UniquePtr<char [], JS::FreePolicy>, 0ul, js::SystemAllocPolicy>*, JS::OptimizedEncodingListener*) /js/src/wasm/WasmCompile.cpp:729:8
#11 0x56023ade0c4b in js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*) /js/src/wasm/WasmJS.cpp:1455:7
We are also seeing this crash above, which seems closely related. If you think this is a different issue, let me know and I can file a separate bug with a test.
Comment 4•2 years ago (Reporter)
Also seeing Hit MOZ_CRASH(Compiler bug: expected int on stack) at wasm/WasmBCStkMgmt-inl.h:737 (with int instead of ref)
Comment 5•2 years ago
Unable to reproduce bug 1847524 using build mozilla-central 20230807092029-06273ebf279a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 6•2 years ago
This reproduces reliably if assertions are enabled. It fails in
BaseCompiler::emitI31New:
bool BaseCompiler::emitI31New() {
Nothing value;
if (!iter_.readConversion(ValType::I32, ValType(RefType::i31()), &value)) {
return false;
}
RegI32 intValue = popI32(); <---- asserts inside here
The popI32 call asserts because the compiler's value stack is empty;
yet the preceding iter_.readConversion call succeeded. So it seems
as if the type stack and compiler's value stack have lost sync.
Yury observes that a function body of simply "unreachable ; i31.new" causes
the failure. That is, in the test case, .addBody([ 0,251, 32 ]) is enough.
He further observes that this function (and others?) lacks the standard clause
if (deadCode_) { return true; }. Adding it fixes the problem, producing the
expected output
test.js:8:10 CompileError: at offset 26: unused values not explicitly dropped by end of block
We should perhaps audit these functions, and the Ion equivalents.
Comment 7•2 years ago
This testcase requires wasm-GC, so marking everything as disabled.
Comment 8•2 years ago
Assigning to myself, but Ryan/Yury -- feel free to reassign if you want.
Comment 9•2 years ago (Reporter)
This is happening frequently, so marking as fuzzblocker.
Comment 10•2 years ago (Assignee)
i31ref instructions must validate in dead code, but should not
attempt to codegen.
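Comment 6 and the commit message in comment 10 describe the same mismatch: wasm validation is stack-polymorphic after `unreachable`, so the validator happily pops an i32 that was never pushed, while the baseline compiler's own value stack is empty, and `popI32()` then indexes storage that does not exist (the 24-bytes-before-region read in the ASan report). The following is an added example, not SpiedrMonkey code from this bug or its patch: a small C++ model of the two stacks, with the i31.new emitter in both shapes, the unguarded one from the report and the one with the `if (deadCode_) return true;` clause. `Validator`, `BaselineModel`, `compileBody` and the three body helpers are invented names for the illustration; the out-of-bounds read is modelled as a detected underflow rather than performed.

```cpp
// Added model (not SpiderMonkey code) of the two stacks comment 6 describes:
// the validator's type stack, which is polymorphic after `unreachable` so any
// pop succeeds, and the compiler's value stack, which only holds values that
// codegen actually produced. All names below are invented for this example.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class ValType { I32, I31Ref };
enum class Op { I32Const, Unreachable, I31New, Drop, End };

struct Instr { Op op; int32_t imm; };

struct Result {
  bool validated = false;       // type checker accepted the whole body
  bool stackUnderflow = false;  // codegen popped an empty value stack
  std::string error;
};

// Validator side: after `unreachable` the current block's stack is polymorphic.
struct Validator {
  std::vector<ValType> types;
  bool unreachable = false;

  bool pop(const ValType* want, std::string* err) {
    if (types.empty()) {
      if (unreachable) return true;  // polymorphic stack: the pop succeeds
      *err = "popping empty stack";
      return false;
    }
    if (want && types.back() != *want) { *err = "type mismatch"; return false; }
    types.pop_back();
    return true;
  }
};

// Compiler side: the operand stack codegen reads from, plus the dead-code flag.
struct BaselineModel {
  std::vector<ValType> stk_;
  bool deadCode_ = false;
};

// guardDeadCode=false has the shape of the bug: the i31.new emitter validates
// (which succeeds in dead code) and then pops the compiler stack anyway.
// guardDeadCode=true has the shape of the fix: validate, then skip codegen.
Result compileBody(const std::vector<Instr>& body, bool guardDeadCode) {
  Validator v;
  BaselineModel c;
  Result r;
  const ValType i32 = ValType::I32;
  for (const Instr& in : body) {
    switch (in.op) {
      case Op::I32Const:
        v.types.push_back(ValType::I32);
        if (!c.deadCode_) c.stk_.push_back(ValType::I32);
        break;
      case Op::Unreachable:
        v.types.clear();     // spec: the stack becomes polymorphic
        v.unreachable = true;
        c.deadCode_ = true;  // nothing after this point can execute
        break;
      case Op::I31New:
        if (!v.pop(&i32, &r.error)) return r;      // the readConversion step
        v.types.push_back(ValType::I31Ref);
        if (guardDeadCode && c.deadCode_) break;   // the missing clause
        if (c.stk_.empty()) {  // the real popI32() reads out of bounds here
          r.stackUnderflow = true;
          r.error = "compiler value stack underflow in i31.new";
          return r;
        }
        c.stk_.pop_back();
        c.stk_.push_back(ValType::I31Ref);
        break;
      case Op::Drop:
        if (!v.pop(nullptr, &r.error)) return r;
        if (c.deadCode_) break;  // drop already carries the standard clause
        c.stk_.pop_back();
        break;
      case Op::End:  // the function returns nothing: type stack must be empty
        if (!v.types.empty()) {
          r.error = "unused values not explicitly dropped by end of block";
          return r;
        }
        r.validated = true;
        return r;
    }
  }
  r.error = "missing end";
  return r;
}

// Constructed bodies: the reduced trigger from comment 6, the same trigger with
// the value dropped (valid wasm), and a well-formed control.
std::vector<Instr> triggerBody() {
  return {{Op::Unreachable, 0}, {Op::I31New, 0}, {Op::End, 0}};
}
std::vector<Instr> triggerDropBody() {
  return {{Op::Unreachable, 0}, {Op::I31New, 0}, {Op::Drop, 0}, {Op::End, 0}};
}
std::vector<Instr> controlBody() {
  return {{Op::I32Const, 7}, {Op::I31New, 0}, {Op::Drop, 0}, {Op::End, 0}};
}

int main() {
  for (bool guard : {false, true}) {
    Result t = compileBody(triggerBody(), guard);
    std::printf("guard=%d trigger: validated=%d underflow=%d %s\n", guard,
                t.validated, t.stackUnderflow, t.error.c_str());
  }
  return 0;
}
```

With the guard, `unreachable ; i31.new` is rejected at `end` with the same "unused values not explicitly dropped" message comment 6 reports, and `unreachable ; i31.new ; drop` validates without codegen ever touching the empty value stack; without it, both bodies underflow in the emitter. The point for an audit of the other GC emitters: any emitter whose validation step can succeed on a polymorphic stack must consult `deadCode_` before it pops.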
Comment 11•2 years ago
Comment 12•2 years ago
Comment 13•2 years ago
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter