Closed Bug 1924062 Opened 5 months ago Closed 4 months ago

Crash [@ DisassembleNative] with asm.js

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
133 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox131 --- unaffected
firefox132 --- unaffected
firefox133 --- verified

People

(Reporter: decoder, Assigned: jandem)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Crash Data

Attachments

(3 files)

The following testcase crashes on mozilla-central revision 20241009-8f29f058e4bd (opt build, run with --fuzzing-safe --ion-offthread-compile=off test.js):

function a() {
    "use asm"

    function b() {}
    return b
}
disnative(a)

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x000055d096926cb2 in DisassembleNative(JSContext*, unsigned int, JS::Value*) ()
#1  0x000055d0963bea75 in js::Interpret(JSContext*, js::RunState&) ()
#2  0x000055d0963b06a3 in js::RunScript(JSContext*, js::RunState&) ()
#3  0x000055d0963b013c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) ()
#4  0x000055d09644d29e in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) ()
#5  0x000055d09672acaa in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) ()
#6  0x000055d096729e08 in Process(JSContext*, char const*, bool, FileKind) ()
#7  0x000055d09613393b in main ()
rax	0x1960569007a8	27901559834536
rbx	0x7fbe87e35100	140456300335360
rcx	0xfff9800000000000	-1829587348619264
rdx	0xf	15
rsi	0x6e656b636162203b	7954882391399604283
rdi	0x7fbe86815ed0	140456277139152
rbp	0x7ffcec3f3550	140724272051536
rsp	0x7ffcec3f3410	140724272051216
r8	0x0	0
r9	0x42236ba5527db13d	4765771188485861693
r10	0x7fbe8ae02c48	140456350461000
r11	0x7fbe8ae02ae0	140456350460640
r12	0x1	1
r13	0x7fbe87e67090	140456300540048
r14	0xfffc800000000000	-985162418487296
r15	0x1	1
rip	0x55d096926cb2 <DisassembleNative(JSContext*, unsigned int, JS::Value*)+594>
=> 0x55d096926cb2 <_ZL17DisassembleNativeP9JSContextjPN2JS5ValueE+594>:	mov    0xa8(%rcx),%rdi
   0x55d096926cb9 <_ZL17DisassembleNativeP9JSContextjPN2JS5ValueE+601>:	mov    0x18(%rax),%ecx

I assume this is an issue with the new(?) DisassembleNative function, but marking s-s just in case we are exposing this somewhere relevant (e.g. Debugger/Devtools).

Attached file Testcase

disnative used to support asm.js functions but this got broken at some point so it would always return false for them. I fixed that bug a few days ago and that probably uncovered this.

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Group: javascript-core-security
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)

A function marked isAsmJSNative is either the outer module function or an actual exported asm.js function. The module function can't be disassembled.

Verified bug as reproducible on mozilla-central 20241011104937-326f317b0848.
The bug appears to have been introduced in the following build range:

Start: 4bdfb2c22e6e4b5600f66612c6d6121fe99769a1 (20241007093651)
End: 40fabb9c4a9796c03ef79a53a12de0d7e4016e13 (20241007092041)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4bdfb2c22e6e4b5600f66612c6d6121fe99769a1&tochange=40fabb9c4a9796c03ef79a53a12de0d7e4016e13

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3c25ee26a7ad Throw exception for asm.js module functions in disnative testing function. r=arai
Severity: -- → S3
Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch

Verified bug as fixed on rev mozilla-central 20241015041611-f8229eb11c85.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Duplicate of this bug: 1924900