Bug 1894623 - Null-deref in WasmIonCompile.cpp:5009
Status: RESOLVED FIXED (Closed)
Opened 1 year ago; Closed 1 year ago
Product / Component: Core :: JavaScript: WebAssembly (defect)
Target Milestone: 128 Branch
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox128 | --- | fixed |
Reporter: lukas.bernhard; Assigned: jpages
References: Blocks 1 open bug
Keywords: csectype-nullptr
Attachments: 1 file
Steps to reproduce:
On git commit 73271a6e76f52eff6d2783d12e0fc749b4080701 the attached sample crashes with a null-deref when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
Bisecting the issue points to commit 53f37d2ad3a5988c11abeb1d4257f1b6b4cd7eba related to bug 1837683.
```js
const v1 = WebAssembly.Module;
// Module carrying branch hints on the `if` and the `br_if` (a Nightly-only feature).
const v4 = wasmTextToBinary(`
(module
 (func $main
 i32.const 0
 (@metadata.code.branch_hint "\\00")
 if
 i32.const 0
 (@metadata.code.branch_hint "\\01")
 br_if 0
 end
 )
 (export "_main" (func $main))
)`);
// Corrupt one byte of the binary: the object coerces to NaN and is stored as 0.
// 0x00 is the wasm `unreachable` opcode, so (per the fix title) the hinted
// instruction presumably ends up inside dead code.
v4[71] = v4;
// Compiling the corrupted module reaches the null dereference in EmitIf.
new v1(v4);
```
```text
#0  EmitIf (f=...) at js/src/wasm/WasmIonCompile.cpp:5009
#1  0x0000555558b59f30 in EmitBodyExprs (f=...) at js/src/wasm/WasmIonCompile.cpp:8088
#2  0x0000555558b3b6cd in IonBuildMIR (d=..., moduleEnv=..., func=..., locals=..., mir=..., tryNotes=..., observedFeatures=0x7fffffffa914, error=<optimised out>) at js/src/wasm/WasmIonCompile.cpp:9354
#3  0x0000555558b3a97e in js::wasm::IonCompileFunctions (moduleEnv=..., compilerEnv=..., lifo=..., inputs=..., code=0x7ffff5463f80, error=error@entry=0x7fffffffd700) at js/src/wasm/WasmIonCompile.cpp:9425
#4  0x0000555558b1a50b in ExecuteCompileTask (task=0x7ffff5463bd0, error=0x7fffffffd700) at js/src/wasm/WasmGenerator.cpp:730
#5  0x0000555558b1b2e7 in js::wasm::ModuleGenerator::locallyCompileCurrentTask (this=0x7fffffffc6a0) at js/src/wasm/WasmGenerator.cpp:785
#6  js::wasm::ModuleGenerator::finishFuncDefs (this=0x7fffffffc6a0) at js/src/wasm/WasmGenerator.cpp:916
#7  0x0000555558af30a1 in DecodeCodeSection<js::wasm::Decoder, js::wasm::ModuleGenerator> (env=..., d=..., mg=...) at js/src/wasm/WasmCompile.cpp:795
#8  0x0000555558af2d85 in js::wasm::CompileBuffer (args=..., bytecode=..., error=error@entry=0x7fffffffd700, warnings=warnings@entry=0x7fffffffd728, listener=listener@entry=0x0) at js/src/wasm/WasmCompile.cpp:817
#9  0x0000555558b45c75 in js::WasmModuleObject::construct (cx=0x7ffff743c500, argc=<optimised out>, vp=<optimised out>) at js/src/wasm/WasmJS.cpp:1514
#10 0x0000555557275167 in CallJSNative (cx=cx@entry=0x7ffff743c500, native=native@entry=0x555558b459e0 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at js/src/vm/Interpreter.cpp:480
#11 0x00005555572b424a in CallJSNativeConstructor (cx=cx@entry=0x7ffff743c500, native=0x555558b459e0 <js::WasmModuleObject::construct(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:496
#12 0x0000555557276eda in InternalConstruct (cx=cx@entry=0x7ffff743c500, args=..., reason=reason@entry=js::CallReason::Call) at js/src/vm/Interpreter.cpp:702
#13 0x000055555728a22c in js::ConstructFromStack (cx=0x7ffff743c500, args=..., reason=<optimised out>) at js/src/vm/Interpreter.cpp:749
#14 js::Interpret (cx=0x7ffff743c500, state=...) at js/src/vm/Interpreter.cpp:3056
#15 0x00005555572738d7 in MaybeEnterInterpreterTrampoline (cx=0x7fffffffa168, cx@entry=0x7ffff743c500, state=...) at js/src/vm/Interpreter.cpp:394
#16 0x00005555572735ca in js::RunScript (cx=cx@entry=0x7ffff743c500, state=...) at js/src/vm/Interpreter.cpp:452
#17 0x00005555572785a2 in js::ExecuteKernel (cx=cx@entry=0x7ffff743c500, script=script@entry=..., envChainArg=envChainArg@entry=..., evalInFrame=evalInFrame@entry=..., result=result@entry=...) at js/src/vm/Interpreter.cpp:839
#18 0x0000555557278dad in js::Execute (cx=cx@entry=0x7ffff743c500, script=script@entry=..., envChain=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:871
#19 0x00005555574c6d5a in ExecuteScript (cx=cx@entry=0x7ffff743c500, envChain=..., script=..., rval=rval@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:494
#20 0x00005555574c6fd8 in JS_ExecuteScript (cx=cx@entry=0x7ffff743c500, scriptArg=scriptArg@entry=...) at js/src/vm/CompilationAndEvaluation.cpp:518
#21 0x00005555571b0cb8 in RunFile (cx=0x7ffff743c500, filename=<optimised out>, file=<optimised out>, compileMethod=CompileUtf8::DontInflate, compileOnly=false, fullParse=<optimised out>) at js/src/shell/js.cpp:1196
#22 0x00005555571b017e in Process (cx=cx@entry=0x7ffff743c500, filename=0x7fffffff9f60 '\252' <repeats 200 times>..., forceTTY=<optimised out>, kind=kind@entry=FileScript) at js/src/shell/js.cpp:1782
#23 0x000055555716c003 in ProcessArgs (cx=0x7ffff743c500, op=0x7fffffffe638) at js/src/shell/js.cpp:11146
#24 Shell (cx=0x7ffff743c500, op=op@entry=0x7fffffffe638) at js/src/shell/js.cpp:11405
#25 0x00005555571643f9 in main (argc=<optimised out>, argv=0x7fffffffe8c8) at js/src/shell/js.cpp:11918
```
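The reporter's mutation `v4[71] = v4` overwrites a single byte of the module. The walker below is an added example (not from the report or from SpiderMonkey): it hand-assembles a module with the same function and branch-hint section, reports which section and opcode a given byte offset lands on, and applies the same object-to-Uint8Array store to show what value the slot actually receives. The byte layout, section order and branch-hint offsets are my own assumptions and may differ from what wasmTextToBinary emits.

```javascript
// Added example (not from the report or SpiderMonkey). The module bytes are hand-assembled
// here for the report's module; section order and branch-hint offsets are assumptions.
const str = s => Array.from(s, c => c.charCodeAt(0));
const HINT_NAME = str('metadata.code.branch_hint');
const HINT_PAYLOAD = [1, 0, 2, 3, 1, 0, 7, 1, 1]; // 1 func; func idx 0; 2 hints of (offset, len 1, value)
const BODY = [0x00, 0x41, 0x00, 0x04, 0x40, 0x41, 0x00, 0x0d, 0x00, 0x0b, 0x0b]; // no locals; i32.const 0 if i32.const 0 br_if 0 end end
const ORIGINAL = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // magic + version
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,                    // type section: one type () -> ()
  0x03, 0x02, 0x01, 0x00,                                // function section: func 0 has type 0
  0x07, 0x09, 0x01, 0x05, ...str('_main'), 0x00, 0x00,   // export "_main" = func 0
  0x00, 1 + HINT_NAME.length + HINT_PAYLOAD.length, HINT_NAME.length, ...HINT_NAME, ...HINT_PAYLOAD, // branch hints
  0x0a, BODY.length + 2, 0x01, BODY.length, ...BODY,     // code section: one body
]);
const SECTION = { 0: 'custom', 1: 'type', 3: 'function', 7: 'export', 10: 'code' };
const OPCODE = { 0x00: 'unreachable', 0x04: 'if', 0x0b: 'end', 0x0d: 'br_if', 0x41: 'i32.const' };
function readLeb(bytes, pos) { // unsigned LEB128 -> [value, position after it]
  let value = 0, shift = 0, b;
  do { b = bytes[pos++]; value |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [value, pos];
}

// Report which section a byte offset falls in and, inside the code section, which function
// body and opcode (bodies are assumed to declare no locals, as in this module).
function locate(bytes, offset) {
  let pos = 8; // skip magic + version
  while (pos < bytes.length) {
    const id = bytes[pos];
    const [size, start] = readLeb(bytes, pos + 1);
    if (offset < pos || offset >= start + size) { pos = start + size; continue; }
    const info = { section: SECTION[id] ?? `id ${id}`, byte: bytes[offset] };
    if (id !== 10) return info;
    let [count, p] = readLeb(bytes, start);
    for (let i = 0; i < count; i++) {
      const [fsize, bodyStart] = readLeb(bytes, p);
      if (offset > bodyStart && offset < bodyStart + fsize) { // > skips the locals-count byte
        Object.assign(info, { funcIndex: i, bodyOffset: offset - bodyStart, opcode: OPCODE[bytes[offset]] ?? 'other' });
      }
      p = bodyStart + fsize;
    }
    return info;
  }
  return null;
}

// The report's mutation: storing an object into a Uint8Array slot coerces it to NaN, stored as 0.
function mutate(bytes, offset) {
  const copy = new Uint8Array(bytes);
  copy[offset] = copy; // same effect as `v4[71] = v4`
  return copy;
}
```

In this layout the stored 0 turns the first `i32.const` into `unreachable`; both the original and the corrupted bytes still pass `WebAssembly.validate`, so the compiler, not the validator, is what has to cope with hinted instructions in dead code.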
Updated (1 year ago, Reporter):
Blocks: l11d-js-fuzzing
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: WebAssembly
Product: Firefox → Core

Updated (1 year ago):
Group: core-security → javascript-core-security

Updated (1 year ago, Assignee):
Assignee: nobody → jpages

Comment 1 (1 year ago, Assignee)

Updated (1 year ago):
Attachment #9399900 - Attachment description: WIP: Bug 1894623 - wasm: don't read branch hints if we are inside dead code. → Bug 1894623 - wasm: don't read branch hints if we are inside dead code. r=yury

Updated (1 year ago):
Group: javascript-core-security
Keywords: csectype-nullptr

Comment 3 (1 year ago):
Per https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#7878, branch hinting is available only in Nightly, so we can add the test to the fix.
Pushed by jpages@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/986f54f9a9c8
wasm: don't read branch hints if we are inside dead code. r=yury
Comment 5 (1 year ago, bugherder):
Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox128: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch