Closed Bug 1886870 Opened 11 months ago Closed 11 months ago

Crash [@ __strlen_avx2] or [@ AutoMessageArgs::init]

Categories

(Core :: JavaScript: WebAssembly, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 --- fixed

People

(Reporter: gkw, Assigned: yury)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

oomTest(function () {
  new WebAssembly.Instance(
    new WebAssembly.Module(wasmTextToBinary('(import "m" "f" (func $f))')),
    {}
  );
});
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00005555574850d5 in AutoMessageArgs::init<js::FrontendAllocator> (this=this@entry=0x7fffffffbc00, alloc=alloc@entry=0x7fffffffbd08, argsArg=argsArg@entry=0x0, countArg=<optimized out>, typeArg=typeArg@entry=js::ArgumentsAreUTF8, ap=0x7fffffffbf50) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:269
#2  0x00005555574789eb in ExpandErrorArgumentsHelper<JSErrorReport> (fc=fc@entry=0x7fffffffbd08, callback=<optimized out>, userRef=<optimized out>, errorNumber=errorNumber@entry=382, messageArgs=messageArgs@entry=0x0, argumentsType=js::ArgumentsAreUTF8, reportp=0x7fffffffbdf0, ap=0x7fffffffbf50) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:368
#3  0x00005555574793e8 in js::ExpandErrorArgumentsVA (fc=0x7fffffffbd08, callback=0x7fffffffbd08, userRef=0x0, errorNumber=382, argumentsType=4294950736, reportp=0x7fffffffbdf0, ap=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:459
#4  js::ReportErrorNumberVA (cx=cx@entry=0x7ffff5c3d200, isWarning=isWarning@entry=js::IsWarning::No, callback=0x7fffffffbd08, callback@entry=0x555557473750 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=382, argumentsType=4294950736, argumentsType@entry=js::ArgumentsAreUTF8, ap=0x7fffffffbf50) at /home/ubu32gx500/trees/mozilla-central/js/src/vm/ErrorReporting.cpp:482
#5  0x00005555578e230e in JS_ReportErrorNumberUTF8VA (ap=0x7fffffffbf50, cx=<optimized out>, errorCallback=<optimized out>, userRef=<optimized out>, errorNumber=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/jsapi.cpp:3822
#6  JS_ReportErrorNumberUTF8 (cx=cx@entry=0x7ffff5c3d200, errorCallback=0x555557473750 <js::GetErrorMessage(void*, unsigned int)>, userRef=userRef@entry=0x0, errorNumber=errorNumber@entry=382) at /home/ubu32gx500/trees/mozilla-central/js/src/jsapi.cpp:3812
#7  0x000055555866a239 in js::wasm::GetImports (cx=cx@entry=0x7ffff5c3d200, module=..., importObj=importObj@entry=..., imports=imports@entry=0x7fffffffc1e0) at /home/ubu32gx500/trees/mozilla-central/js/src/wasm/WasmJS.cpp:181
#8  0x00005555586752c7 in js::WasmInstanceObject::construct (cx=0x7ffff5c3d200, argc=<optimized out>, vp=<optimized out>) at /home/ubu32gx500/trees/mozilla-central/js/src/wasm/WasmJS.cpp:1801
#9  0x000014762dd5f029 in ?? ()
#10 0x0000000000000073 in ?? ()
#11 0x00007fffffffc330 in ?? ()
#12 0x0000000000000001 in ?? ()
#13 0x00007fffffffc388 in ?? ()
#14 0x0000000000000000 in ?? ()
(gdb)

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev d9466bebb4c9.

This seems to go as far back as m-c rev e963fffcb3a0; I'll keep trying to bisect. Let me know if this is a benign OOM issue.

Setting s-s to be safe. Yury/Ryan, I'm guessing it's WebAssembly here as a start.

Flags: sec-bounty?
Flags: needinfo?(ydelendik)
Flags: needinfo?(rhunt)

The best guess is that it is happening after toQuotedString. I checked that almost all calls to this method are followed by JS_ReportErrorNumberUTF8 calls, thus the results are used in those calls. During OOM, toQuotedString may return nullptr, and the JS_ReportErrorNumberUTF8 call will just crash in release due to an access to a near-0 address.

Ideally JS_ReportErrorNumberUTF8 shall be protected in case of OOM.

Assignee: nobody → ydelendik
Status: NEW → ASSIGNED
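To make the failure mode in the comment above concrete, here is an added illustration (not SpiderMonkey code): a stand-in for toQuotedString that returns nullptr under simulated OOM, the strlen-based argument handling that faults on that nullptr, and a guarded variant that reports the allocation failure to the caller instead. All function names and the message text are constructed for this example.

```cpp
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for toQuotedString: returns an owned quoted copy of `name`,
// or nullptr when `simulateOOM` is set (the failure mode described in this bug).
std::unique_ptr<char[]> toQuotedStringSim(const char* name, bool simulateOOM) {
  if (simulateOOM) return nullptr;
  std::string q = std::string("\"") + name + "\"";
  std::unique_ptr<char[]> out(new char[q.size() + 1]);
  std::memcpy(out.get(), q.c_str(), q.size() + 1);
  return out;
}

// Crashing shape: every argument goes straight to strlen, so a nullptr argument
// faults inside strlen (the __strlen_avx2 frame in the backtrace above).
size_t measureArgsUnsafe(const char* const* args, size_t count) {
  size_t total = 0;
  for (size_t i = 0; i < count; i++) total += std::strlen(args[i]);
  return total;
}

// Hardened shape: a nullptr argument means an upstream allocation failed, so
// signal OOM to the caller instead of dereferencing it.
bool initMessageArgsGuarded(const char* const* args, size_t count,
                            std::vector<std::string>& out) {
  for (size_t i = 0; i < count; i++) {
    if (args[i] == nullptr) return false;  // the engine would report OOM here
    out.emplace_back(args[i]);
  }
  return true;
}

// Caller pattern from the import-resolution path: quote the import name, then build
// the error text. Returns false (OOM signalled, no crash) when quoting failed.
bool reportMissingImport(const char* importName, bool simulateOOM, std::string& message) {
  std::unique_ptr<char[]> quoted = toQuotedStringSim(importName, simulateOOM);
  const char* args[] = { quoted.get() };
  std::vector<std::string> parts;
  if (!initMessageArgsGuarded(args, 1, parts)) return false;
  message = "import " + parts[0] + " could not be resolved";  // constructed text
  return true;
}
```

Passing `quoted.get()` to `measureArgsUnsafe` in the OOM case reproduces the crash shape; the guarded path turns the same input into a reportable failure.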
The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/94a80734c21c
user:        Ryan Hunt
date:        Thu Jun 09 21:51:53 2022 +0000
summary:     Bug 1762658 - wasm: Add CacheableName to support names with null terminator before end. r=yury

Bug 1762658 may be the regressor.

Keywords: regression
Regressed by: 1762658

Set release status flags based on info from the regressing bug 1762658

Flags: needinfo?(ydelendik)
Flags: needinfo?(rhunt)

Yury, this seems to be a guaranteed null-ptr crash. Can you confirm? If so, this is not security sensitive.

Flags: needinfo?(ydelendik)

(In reply to Ryan Hunt [:rhunt] from comment #5)

Yury, this seems to be a guaranteed null-ptr crash. Can you confirm? If so, this is not security sensitive.

Indeed. It is a null-ptr crash.

Flags: needinfo?(ydelendik)
Group: core-security → javascript-core-security
Pushed by ydelendik@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fade6f3ba894 Protect JS_ReportErrorNumberUTF8 from OOM. r=rhunt
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch

Tracking just in case, but it looks like Comment 5 and Comment 6 question whether this is a secbug.
Does this need an uplift to 125 beta and 115 esr?

Flags: needinfo?(ydelendik)
Flags: needinfo?(rhunt)

Does this need an uplift to 125 beta and 115 esr?

Nope. The crash may happen only during OOM. It will need extra attention only if it becomes a top crasher.

Flags: needinfo?(ydelendik)
Flags: needinfo?(rhunt)
Group: core-security-release
Flags: sec-bounty? → sec-bounty-