Crash [@ JSObject::getClass] with WebAssembly and Debugger
(Core :: JavaScript: WebAssembly, defect)
(Reporter: decoder, Assigned: yury)
(5 keywords, Whiteboard: [bugmon:update,bisect][adv-main122+r])
(4 attachments)
The following testcase crashes on mozilla-central revision 20231222-e22abf3976f2 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --more-compartments):
evaluate(`
function wasmEvalText(str, imports) {
  binary = wasmTextToBinary(str)
  try {
    m = new WebAssembly.Module(binary)} catch {}
  return new WebAssembly.Instance(m, imports)}
g23 = newGlobal()
g23.parent = this
g23.eval(\`
  Debugger(parent).onEnterFrame = function() {}
\`)
base = wasmEvalText(\`(module
  (global (export "rngState")
    (mut i32) (i32.const 1)
  )
  (type $tArrayI32 (array (mut i32)))
  (type $tArrayArrayI32 (array (mut (ref null $tArrayI32))))
  (func (result (ref $tArrayI32))
    (i32.const 0)
    (array.new $tArrayI32
      (i32.const 0)
    )
  )
  (func (export "createPrimaryArrayLoop")
    (param i32) (param $arrarr (ref $tArrayArrayI32))
    (result (ref $tArrayArrayI32))
    (local.get $arrarr)
  )
)\`)
t33 =
\`(module
  (type $tArrayI32 (array (mut i32)))
  (type $tArrayArrayI32 (array (mut (ref null $tArrayI32))))
  (import "" "rngState" (global $rngState (mut i32)))
  (import "" "createPrimaryArrayLoop"
    (func $createPrimaryArrayLoop
      (param i32 (ref $tArrayArrayI32))
      (result (ref $tArrayArrayI32))))
  (func $createPrimaryArray
    (result (ref $tArrayArrayI32))
    (return_call $createPrimaryArrayLoop
      (i32.const 0)
      (array.new $tArrayArrayI32 (ref.null $tArrayI32) (i32.const 1500)))
  )
  (func (export "churn") (result i32)
    (local $finalSum i32)
    (local $arrarr (ref $tArrayArrayI32))
    (local.set $arrarr (call $createPrimaryArray))
    (i32.xor (local.get $finalSum) (global.get $rngState))
  )
)\`;
i30 = wasmEvalText(t33, {"": base.exports});
fns = i30.exports;
(fns.churn())`)
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556eaf184 in JSObject::getClass() const ()
#1 0x00005555582d18ac in js::wasm::AnyRef::toJSValue() const ()
#2 0x000055555850f856 in bool ToJSValue_anyref<js::wasm::NoDebug>(JSContext*, void*, JS::MutableHandle<JS::Value>) ()
#3 0x000055555850caf1 in bool js::wasm::ToJSValue<js::wasm::NoDebug>(JSContext*, void const*, js::wasm::PackedType<js::wasm::FieldTypeTraits>, JS::MutableHandle<JS::Value>, js::wasm::CoercionLevel) ()
#4 0x0000555558415708 in js::wasm::ResultsToJSValue(JSContext*, js::wasm::ResultType, void*, mozilla::Maybe<char*>, JS::MutableHandle<JS::Value>, js::wasm::CoercionLevel) ()
#5 0x00005555583dbce0 in js::wasm::DebugFrame::updateReturnJSValue(JSContext*) ()
#6 0x00005555583b551d in WasmHandleDebugTrap() ()
#7 0x00001182f491283b in ?? ()
#8 0x00007fffffffbc60 in ?? ()
#9 0x0e5f1dd2a9ce8f04 in ?? ()
#10 0x0000000000000000 in ?? ()
rax 0xffffd555559925c0 -46912491674176
rbx 0xffffd555559925c0 -46912491674176
rcx 0x0 0
rdx 0x7fffffffbdf8 140737488338424
rsi 0xffffd555559925c0 -46912491674176
rdi 0xffffd555559925c0 -46912491674176
rbp 0x7fffffffba20 140737488337440
rsp 0x7fffffffba20 140737488337440
r8 0x0 0
r9 0xf98ffe1 261685217
r10 0x5555558d7ce6 93824995917030
r11 0x4d4 1236
r12 0x7fffffffbaa8 140737488337576
r13 0xc8 200
r14 0x7ffff3d34900 140737284098304
r15 0x7fffffffbde8 140737488338408
rip 0x555556eaf184 <JSObject::getClass() const+4>
=> 0x555556eaf184 <_ZNK8JSObject8getClassEv+4>: mov (%rdi),%rax
0x555556eaf187 <_ZNK8JSObject8getClassEv+7>: test $0x7,%al
Marking s-s due to type of crash, but this involves the Debugger, so likely not more than sec-moderate at most.
Comment 1 (Reporter)•6 months ago

Comment 2 (Reporter)•6 months ago

Comment 3•6 months ago
Unable to reproduce bug 1871605 using build mozilla-central 20231222164453-e22abf3976f2. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 4 (Assignee)•6 months ago

Comment 5 (Assignee)•6 months ago
The implementation of bug 1866839 was incomplete: reference type results need to be discarded/not tracked.

Pushed by ydelendik@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4e6235b33d7a
Use different LeaveFrame marker for tail calls. r=rhunt
Comment 7•6 months ago

Comment 8•6 months ago
:yury, out of caution I set the affected versions - though this still needs the correct regressor set.
Could you confirm the regressor, and then a beta uplift request as needed?
Comment 9 (Assignee)•6 months ago

(In reply to Donal Meehan [:dmeehan] from comment #8)
> Could you confirm the regressor,

Bug 1866839 can be considered as regressor or incomplete implementation.

> and then a beta uplift request as needed?

The beta uplift will be requested.
Comment 10 (Assignee)•6 months ago
Comment on attachment 9370963 [details]
Bug 1871605 - Use different LeaveFrame marker for tail calls. r?rhunt
Beta/Release Uplift Approval Request
- User impact if declined: Crash in devtools with some wasm files
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Affects only debugger and wasm (tail calls)
- String changes made/needed:
- Is Android affected?: Unknown
Comment 11•6 months ago
Comment on attachment 9370963 [details]
Bug 1871605 - Use different LeaveFrame marker for tail calls. r?rhunt
Approved for 122.0b8
Comment 12•6 months ago

uplift: https://hg.mozilla.org/releases/mozilla-beta/rev/0b555acf55e7
Comment 13•5 months ago
Comment 14•2 months ago
Making Firefox 122 security bugs public. [bugspam filter string: Pilgarlic-Towers]