Closed Bug 1902906 Opened 22 days ago Closed 21 days ago

OOB Read in WasmShareable.h:70

Categories: Core :: JavaScript: WebAssembly, defect

Status: RESOLVED DUPLICATE of bug 1886703

People: Reporter: nils.bars, Unassigned

References: Blocks 1 open bug

Attachments (1 file): bug.js, 681 bytes, text/plain
Attached file bug.js

Steps to reproduce:

Check out commit 97eeb1c55a5c73bd3938d4899685321a7967333b and invoke the js shell as follows:

js --fuzzing-safe --fast-warmup --gc-zeal=14,134 <testcase>

Actual results:

[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 321857 edges
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3778461==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x17b66f45c1c8 (pc 0x555557af1023 bp 0x7fffffffd2b0 sp 0x7fffffffd250 T3778461)
==3778461==The signal is caused by a READ memory access.
    #0 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::new_<unsigned char const&>(unsigned char*, unsigned char const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:251:12
    #1 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::copyConstruct<unsigned char>(unsigned char*, unsigned char const*, unsigned char const*) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:284:7
    #2 0x555557af1023 in void mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::internalAppend<unsigned char>(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1443:3
    #3 0x555557af0cfd in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned char const*) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1433:3
    #4 0x555557acc486 in bool mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy>::append<unsigned char>(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:1516:10
    #5 0x555557acc486 in js::wasm::ShareableBytes::append(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/wasm/WasmShareable.h:70:18
    #6 0x555557acc486 in WasmDumpIon(JSContext*, unsigned int, JS::Value*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/builtin/TestingFunctions.cpp:2110:18
    #7 0x5555572a2f6e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:487:13
    #8 0x5555572a21cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:581:12
    #9 0x5555572b8781 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:653:10
    #10 0x5555572b8781 in js::Interpret(JSContext*, js::RunState&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:3291:16
    #11 0x5555572a11d1 in js::RunScript(JSContext*, js::RunState&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:459:13
    #12 0x5555572a63b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:846:13
    #13 0x5555572a6bbc in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:878:10
    #14 0x5555574efe79 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:494:10
    #15 0x5555574f00f7 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/CompilationAndEvaluation.cpp:518:10
    #16 0x5555571e0cfe in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:1194:10
    #17 0x5555571e0065 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp
    #18 0x55555719a91e in ProcessArgs(JSContext*, js::cli::OptionParser*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:11257:10
    #19 0x55555719a91e in Shell(JSContext*, js::cli::OptionParser*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:11509:12
    #20 0x555557192921 in main /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp:12035:12
    #21 0x7ffff7a44d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7ffff7a44e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #23 0x55555715c5c8 in _start (/home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/bin/js+0x1c085c8) (BuildId: 4fb545216ce3e6743aa599f3a1718dda)

Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: WebAssembly
Flags: sec-bounty?
Product: Firefox → Core
Group: core-security → javascript-core-security
Attachment #9407731 - Attachment mime type: application/x-javascript → text/plain

The stack trace has WasmDumpIon. Is this a duplicate of bug 1886703?

Flags: needinfo?(ydelendik)
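The triage step in the comment above (noticing WasmDumpIon in the trace and asking whether the report is a duplicate) is worth automating when a fuzzer produces many crashes with the same root cause. The Python below is an added example, not part of this bug or of any Mozilla tooling: it parses sanitizer-style frames, drops the inlined mozilla/Vector.h helpers under dist/include and the interpreter/shell plumbing, builds a short function-name signature for deduplication, and flags traces that pass through builtin/TestingFunctions.cpp, where the shell's testing builtins live. The sample input is a subset of the frame lines from the report above; the plumbing list, the signature depth and the /js/src/ path test are assumptions made for illustration.

```python
"""Sanitizer stack-trace triage for SpiderMonkey shell crashes.

Added example, not code from this bug report or from mozilla-central.
The filtering rules (PLUMBING, the /js/src/ path test, signature depth)
are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+)\s*$")
SIGNAL_RE = re.compile(r"ERROR: \w+Sanitizer: (\w+) on unknown address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")

# Source files that are generic call plumbing: they show up in nearly every
# shell crash and never identify the bug on their own (assumption).
PLUMBING = ("vm/Interpreter.cpp", "vm/CompilationAndEvaluation.cpp", "shell/js.cpp")

# The comment above notes that WasmDumpIon is a shell testing builtin; the
# testing builtins live in this file, so a trace through it is a strong hint
# that the crash is reachable only via test-only functionality.
TESTING_BUILTINS = "builtin/TestingFunctions.cpp"


@dataclass
class Frame:
    index: int
    func: str       # full signature as printed by the sanitizer
    location: str   # path[:line[:col]], or whatever trailing token an unsymbolized frame has

    @property
    def name(self) -> str:
        """Qualified function name without return type, template args or params."""
        out, depth = [], 0
        for ch in self.func:          # strip balanced <...> (template arguments)
            if ch == "<":
                depth += 1
            elif ch == ">":
                depth -= 1
            elif depth == 0:
                out.append(ch)
        head = "".join(out).split("(", 1)[0]   # drop the parameter list
        return head.split()[-1]                 # drop the return type


def parse_frames(report: str) -> list[Frame]:
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return frames


def project_frames(frames: list[Frame]) -> list[Frame]:
    """Frames inside js/src itself. The inlined mozilla/Vector.h helpers from
    dist/include are dropped: they only say how the bad read happened (a
    byte-copy loop), not where the bad pointer or length came from."""
    return [f for f in frames
            if "/js/src/" in f.location and "/dist/include/" not in f.location]


def triage(report: str, depth: int = 3) -> dict:
    sig = SIGNAL_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = parse_frames(report)
    proj = project_frames(frames)
    meaningful = [f for f in proj if not any(p in f.location for p in PLUMBING)]
    return {
        "signal": sig.group(1) if sig else None,
        "address": sig.group(2) if sig else None,
        "access": acc.group(1) if acc else None,
        # Innermost js/src frame, relative to js/src, e.g. "wasm/WasmShareable.h:70:18".
        "crash_site": proj[0].location.split("/js/src/", 1)[1] if proj else None,
        # Dedup key: the first few non-plumbing js/src function names.
        "signature": tuple(f.name for f in meaningful[:depth]),
        "via_testing_builtin": any(TESTING_BUILTINS in f.location for f in frames),
    }


# Constructed sample: the two signal lines and a subset of the frames copied
# from the report above.
SAMPLE = """\
==3778461==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x17b66f45c1c8 (pc 0x555557af1023 bp 0x7fffffffd2b0 sp 0x7fffffffd250 T3778461)
==3778461==The signal is caused by a READ memory access.
    #0 0x555557af1023 in void mozilla::detail::VectorImpl<unsigned char, 0ul, js::SystemAllocPolicy, true>::new_<unsigned char const&>(unsigned char*, unsigned char const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/include/mozilla/Vector.h:251:12
    #5 0x555557acc486 in js::wasm::ShareableBytes::append(unsigned char const*, unsigned long) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/wasm/WasmShareable.h:70:18
    #6 0x555557acc486 in WasmDumpIon(JSContext*, unsigned int, JS::Value*) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/builtin/TestingFunctions.cpp:2110:18
    #7 0x5555572a2f6e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/vm/Interpreter.cpp:487:13
    #17 0x5555571e0065 in Process(JSContext*, char const*, bool, FileKind) /home/user/fuzzilli-ng/targets/spidermonkey/src/js/src/shell/js.cpp
    #23 0x55555715c5c8 in _start (/home/user/fuzzilli-ng/targets/spidermonkey/src/fuzzbuild/dist/bin/js+0x1c085c8) (BuildId: 4fb545216ce3e6743aa599f3a1718dda)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Two crashes with the same signature tuple are candidates for the same bug; the signature here is ("js::wasm::ShareableBytes::append", "WasmDumpIon"), and via_testing_builtin is set, which matches the reasoning in the comments that this is reachable only through a shell testing function.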

I think so. I'm going to get a fix for that one soon.

Summary from that bug:

Yes, this test is using that shell builtin. This looks like a bug in that code due to the MIR dumping logic not performing the initialization that ModuleGenerator normally does, which assigns offsets to global variables. Low severity because this is only available in the shell for helping debug code generation. I'll see if I can get a fix written.
Flags: needinfo?(ydelendik)
Status: UNCONFIRMED → RESOLVED
Closed: 21 days ago
Duplicate of bug: 1886703
Resolution: --- → DUPLICATE
Group: javascript-core-security
Flags: sec-bounty? → sec-bounty-
Blocks: 1903968