Closed
Bug 1651468
Opened 4 years ago
Closed 4 years ago
Assertion failure: masm.currentOffset() - base <= targetOffset, at wasm/WasmFrameIter.cpp:558
Categories
(Core :: JavaScript: WebAssembly, defect, P1)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla80
 | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | unaffected
firefox78 | --- | unaffected
firefox79 | --- | wontfix
firefox80 | --- | verified
People
(Reporter: decoder, Assigned: bbouvier)
References
(Regression)
Details
(4 keywords, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200708-34fb169ef962 (debug build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
oomTest(function() { return parseModule(`
  function DiagModule(stdlib, foreign) {
    "use asm";
    var test = foreign.test;
    function square(x) {
      x = x|0;
    }
    function diag() {
      var x = 0.0;
      while (1) {
        test(1, x);
        x = x+1.0
      }
    }
    function diag_1() {}
    return { diag: diag };
  }
`)});
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x00005555568f7f87 in js::wasm::GenerateFunctionPrologue(js::jit::MacroAssembler&, js::wasm::FuncTypeIdDesc const&, mozilla::Maybe<unsigned int> const&, js::wasm::FuncOffsets*) ()
#1 0x000055555661ef11 in js::jit::CodeGenerator::generateWasm(js::wasm::FuncTypeIdDesc, js::wasm::BytecodeOffset, js::wasm::ArgTypeVector const&, js::jit::MachineState const&, unsigned long, js::wasm::FuncOffsets*, js::wasm::StackMaps*) ()
#2 0x0000555556918138 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#3 0x00005555569032dd in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) ()
#4 0x00005555569040d7 in js::wasm::ModuleGenerator::finishFuncDefs() ()
#5 0x00005555568a8f98 in ModuleValidator<char16_t>::finish() ()
#6 0x0000555556828c50 in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, bool*) ()
#7 0x00005555561030be in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS(js::frontend::ListNode*) ()
#8 0x00005555560f14af in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective(js::frontend::ListNode*, js::frontend::ParseNode*, bool*) ()
#9 0x00005555560e4cfd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) ()
#10 0x00005555560eeb74 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::FunctionBodyType) ()
#11 0x00005555560ed7e0 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionNode**, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) ()
#12 0x0000555556102f44 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunction(js::frontend::FunctionNode*, js::frontend::ParseContext*, JS::Handle<JSAtom*>, js::FunctionFlags, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) ()
#13 0x00005555560e6478 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction(js::frontend::FunctionNode**, JS::Handle<JSAtom*>, js::FunctionFlags, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) ()
#14 0x00005555560f070e in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition(js::frontend::FunctionNode*, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool) ()
#15 0x00005555560e8589 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionStmt(unsigned int, js::frontend::YieldHandling, js::frontend::DefaultHandling, js::FunctionAsyncKind) ()
#16 0x00005555560e6d75 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementListItem(js::frontend::YieldHandling, bool) ()
#17 0x00005555560e4c35 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) ()
#18 0x000055555611d6b0 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::moduleBody(js::frontend::ModuleSharedContext*) ()
#19 0x000055555616d60c in js::frontend::ModuleCompiler<char16_t>::compile(js::frontend::CompilationInfo&) ()
#20 0x00005555561364ce in js::frontend::ParseModule(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, js::ScriptSourceObject**) ()
#21 0x0000555556136f62 in js::frontend::CompileModule(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&) ()
#22 0x00005555557e4b56 in ParseModule(JSContext*, unsigned int, JS::Value*) ()
#23 0x000027624b39a17f in ?? ()
#24 0x0000000000000008 in ?? ()
#25 0x00007fffffffb170 in ?? ()
#26 0x0000000000000000 in ?? ()
rax 0x55555716f55f 93825021703519
rbx 0xffffff14 4294967060
rcx 0x5555583b8840 93825040877632
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffff4e90 140737488309904
rsp 0x7fffffff4e20 140737488309792
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f9bd40 140737353727296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0xf0 240
r13 0x7fffffff6830 140737488316464
r14 0x5555570f2a97 93825021192855
r15 0x7fffffff6420 140737488315424
rip 0x5555568f7f87 <js::wasm::GenerateFunctionPrologue(js::jit::MacroAssembler&, js::wasm::FuncTypeIdDesc const&, mozilla::Maybe<unsigned int> const&, js::wasm::FuncOffsets*)+1239>
=> 0x5555568f7f87 <_ZN2js4wasm24GenerateFunctionPrologueERNS_3jit14MacroAssemblerERKNS0_14FuncTypeIdDescERKN7mozilla5MaybeIjEEPNS0_11FuncOffsetsE+1239>: movl $0x22e,0x0
0x5555568f7f92 <_ZN2js4wasm24GenerateFunctionPrologueERNS_3jit14MacroAssemblerERKNS0_14FuncTypeIdDescERKN7mozilla5MaybeIjEEPNS0_11FuncOffsetsE+1250>: callq 0x5555558485fe <abort>
Marking s-s because the assert looks potentially dangerous.
Reporter
Comment 1•4 years ago
Assignee
Updated•4 years ago
Flags: needinfo?(bbouvier)
Assignee
Comment 2•4 years ago
Not dangerous at all: the assertion just doesn't hold if we oom'd the masm, and after such an oom we'll just abort compilation with an error message.
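Added illustration, not SpiderMonkey code and not part of any comment in this bug: a toy assembler buffer that shows why the pre-fix assertion can fail after an assembler OOM and what guarding the check on !oom() changes. ToyMasm, emitPrologue, runScenario and all byte counts are hypothetical. The assumption that the buffer discards its contents on allocation failure is the example's own; it was chosen because it makes the unsigned difference currentOffset() - base wrap, the same shape as the assertion in the title. (The rbx value 0xffffff14 in the register dump above is consistent with such a wrapped 32-bit difference, but that is an inference, not something the bug states.)

```cpp
// Added example, not SpiderMonkey code: a toy assembler buffer that models
// why an offset assertion in a function prologue must be skipped once the
// assembler has reported OOM. All names and sizes here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

class ToyMasm {
  std::vector<uint8_t> buf_;
  size_t limit_;      // constructed allocation cap; exceeding it simulates OOM
  bool oom_ = false;

 public:
  explicit ToyMasm(size_t limit) : limit_(limit) {}

  bool oom() const { return oom_; }
  uint32_t currentOffset() const { return static_cast<uint32_t>(buf_.size()); }

  // Emit n bytes of (fake) machine code. On allocation failure the buffer is
  // flagged oom and its contents discarded; this is the example's assumption
  // about OOM behaviour, and it makes every later offset meaningless.
  void emit(size_t n) {
    if (oom_) return;
    if (buf_.size() + n > limit_) {
      oom_ = true;
      buf_.clear();
      return;
    }
    buf_.insert(buf_.end(), n, 0x90);  // 0x90: x86 nop, used as filler
  }
};

struct PrologueResult {
  bool oomAfter;        // masm.oom() once the prologue has been emitted
  uint32_t base;        // offset at which the prologue started
  uint32_t delta;       // currentOffset() - base, in uint32 arithmetic
  bool unguardedCheck;  // delta <= target, evaluated unconditionally (pre-fix)
  bool guardedCheck;    // same check, skipped when oom() (post-fix shape)
};

// Emit a fixed-shape prologue (constructed sizes) and evaluate the layout
// check both ways. The guarded form is what "only check masm offset if we
// didn't oom" amounts to: the invariant is only defined if every emit landed.
PrologueResult emitPrologue(ToyMasm& masm, uint32_t targetOffset) {
  uint32_t base = masm.currentOffset();
  masm.emit(4);  // stands in for a signature/type check
  masm.emit(2);  // stands in for a short jump over the checked entry
  masm.emit(6);  // stands in for the frame push
  uint32_t delta = masm.currentOffset() - base;  // wraps if the buffer was cleared
  bool unguarded = delta <= targetOffset;
  bool guarded = masm.oom() || delta <= targetOffset;
  return {masm.oom(), base, delta, unguarded, guarded};
}

// Run one scenario: 8 bytes already in the buffer, then the prologue with a
// 16-byte target. `limit` decides whether the prologue's emits trigger OOM.
PrologueResult runScenario(size_t limit) {
  ToyMasm masm(limit);
  masm.emit(8);  // earlier code so that base is non-zero
  return emitPrologue(masm, 16);
}

int main() {
  const size_t limits[] = {64, 12};  // 64: fits; 12: OOM during the prologue
  for (size_t limit : limits) {
    PrologueResult r = runScenario(limit);
    std::printf("limit=%zu oom=%d base=%u delta=%u unguarded=%d guarded=%d\n",
                limit, r.oomAfter, static_cast<unsigned>(r.base),
                static_cast<unsigned>(r.delta), r.unguardedCheck, r.guardedCheck);
  }
  return 0;
}
```

With the cap of 12 the second emit in the prologue fails, the buffer is emptied, and currentOffset() - base becomes 0 - 8 in uint32 arithmetic, far above any target, so the unguarded check reports a violation while the guarded one does not. That is the reasoning in the comment above: the assertion guards a layout invariant that only exists when code generation succeeded, and after an OOM the compile is abandoned with an error before any of those offsets are used.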
Updated•4 years ago
|
Has Regression Range: --- → yes
Assignee
Comment 3•4 years ago
Updated•4 years ago
Group: javascript-core-security
Updated•4 years ago
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]
Comment 4•4 years ago
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200713095122-2c8bc998c107.
The bug appears to have been introduced in the following build range:
> Start: 5aedde81baa37b849c0868186498ef14cc2a0f92 (20200609115605)
> End: f1beae5af8565899c72dfccafe9a7eacdb0c708e (20200609120409)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5aedde81baa37b849c0868186498ef14cc2a0f92&tochange=f1beae5af8565899c72dfccafe9a7eacdb0c708e
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4bdbe6d4d658
only check masm offset if we didn't oom;
Assignee
Updated•4 years ago
Severity: -- → S3
Priority: -- → P1
Comment 6•4 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Updated•4 years ago
Comment 7•4 years ago
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200715215205-c4186bb32c30.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Updated•4 years ago
status-firefox78: --- → unaffected
status-firefox79: --- → wontfix
status-firefox-esr68: --- → unaffected
status-firefox-esr78: --- → unaffected