Closed Bug 1664953 Opened 4 years ago Closed 4 years ago

AddressSanitizer: SEGV [@ EmitTruncate]

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

RESOLVED FIXED
82 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox80 --- unaffected
firefox81 --- unaffected
firefox82 --- fixed
firefox83 --- fixed

People

(Reporter: gkw, Assigned: dbezhetskov)

References

(Regression)

Details

(Keywords: regression, sec-other, testcase, Whiteboard: [post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

(function (stdlib, n, heap) {
    "use asm";
    var Float64ArrayView = new stdlib.Float64Array(heap);
    function f(d1) {
      d1 = +d1;
      return d1;
      Float64ArrayView[~~.0 >> 3];
      return +8;
    }
    return f;
})();
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25492==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x564cb13aaf06 bp 0x7ffd21935f70 sp 0x7ffd21935e20 T0)
==25492==The signal is caused by a READ memory access.
==25492==Hint: address points to the zero page.
    #0 0x564cb13aaf05 in EmitTruncate((anonymous namespace)::FunctionCompiler&, js::wasm::ValType, js::wasm::ValType, bool, bool) /home/skygentoo/trees/mozilla-central/js/src/jit/MIR.h
    #1 0x564cb136a601 in EmitBodyExprs((anonymous namespace)::FunctionCompiler&) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp
    #2 0x564cb1368115 in js::wasm::IonCompileFunctions(js::wasm::ModuleEnvironment const&, js::LifoAlloc&, mozilla::Vector<js::wasm::FuncCompileInput, 8ul, js::SystemAllocPolicy> const&, js::wasm::CompiledCode*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmIonCompile.cpp:5424:12
    #3 0x564cb133f890 in ExecuteCompileTask(js::wasm::CompileTask*, mozilla::UniquePtr<char [], JS::FreePolicy>*) /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:757:16
    #4 0x564cb13419e4 in js::wasm::ModuleGenerator::locallyCompileCurrentTask() /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:817:8
    #5 0x564cb13419e4 in js::wasm::ModuleGenerator::finishFuncDefs() /home/skygentoo/trees/mozilla-central/js/src/wasm/WasmGenerator.cpp:955:24
    #6 0x564cb12f95f2 in ModuleValidator<mozilla::Utf8Unit>::finish() /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:2139:13
    #7 0x564cb1155118 in RefPtr<js::wasm::Module const> CheckModule<mozilla::Utf8Unit>(JSContext*, js::frontend::CompilationInfo&, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, unsigned int*) /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:6408:27
    #8 0x564cb1155118 in bool DoCompileAsmJS<mozilla::Utf8Unit>(JSContext*, js::frontend::CompilationInfo&, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7065:7
    #9 0x564cb1155118 in js::CompileAsmJS(JSContext*, js::frontend::CompilationInfo&, js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>&, js::frontend::ParseNode*, bool*) /home/skygentoo/trees/mozilla-central/js/src/wasm/AsmJS.cpp:7094:10
    #10 0x564cafef1d14 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3642:8
    #11 0x564cafef1d14 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::asmJS(js::frontend::ListNode*) /home/skygentoo/trees/mozilla-central/js/src/frontend/Parser.cpp:3655:27
/snip
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/09390cf1d667
user:        Dmitry Bezhetskov
date:        Mon Sep 14 05:19:44 2020 +0000
summary:     Bug 1639153 - Part 6.6: Add tls dependency for truncate i32. r=lth

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ./configure --enable-address-sanitizer --disable-jemalloc --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests, tested on m-c rev b21d31971a86.

Full log coming up.

Flags: sec-bounty?
Attached file debug stack (deleted)
Attached file ASan stack (deleted)

Guessing related to bug 1639153?

Yeah... Dmitry, can you take a look?

Flags: needinfo?(dbezhetskov)

Sure, let me see

Flags: needinfo?(dbezhetskov)

I managed to reproduce it, thanks for the command, Gary Kwong.
Will provide a fix soon.

I've uploaded the fast fix, but I thought that such a construction guarantees that input is set:

if (!f.iter().readConversion(operandType, resultType, &input)) {
    return false;
}

Suddenly, input can be null for asm.js.

Assignee: nobody → dbezhetskov
Status: NEW → ASSIGNED
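
The failure mode described in the comment above, as an added C++ model that is not SpiderMonkey's code: an op iterator whose readConversion reports success but leaves input null once the code after `return` is unreachable (the testcase puts `~~.0` after `return d1;`), beside an emitter that checks for dead code before touching the operand. The class and function names are stand-ins borrowed from the bug, the real OpIter and FunctionCompiler APIs differ, and the guarded variant is one defensive shape, not the patch that landed in this bug.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Toy model (assumed names, not SpiderMonkey's API).
enum class ValType { I32, F64 };

// Stand-in for an Ion MIR node.
struct MDefinition {
  ValType type;
  double value;
};

// Stand-in for the wasm op iterator. Once control flow has left the block
// (here: after `return`), validation continues but no operand exists, so
// readConversion reports success and leaves *input as nullptr.
class OpIter {
 public:
  std::vector<MDefinition*> valueStack;
  bool unreachable = false;

  bool readConversion(ValType operandType, ValType resultType,
                      MDefinition** input) {
    (void)resultType;
    if (unreachable) {
      *input = nullptr;  // "success" without a value: the trap in this bug
      return true;
    }
    if (valueStack.empty() || valueStack.back()->type != operandType) {
      return false;  // validation failure; the caller reports an error
    }
    *input = valueStack.back();
    valueStack.pop_back();
    return true;
  }
};

class FunctionCompiler {
 public:
  OpIter& iter() { return iter_; }
  bool inDeadCode() const { return iter_.unreachable; }

  MDefinition* constant(ValType type, double v) {
    nodes_.push_back(std::make_unique<MDefinition>(MDefinition{type, v}));
    return nodes_.back().get();
  }
  // Emits an f64 -> i32 truncation node; it dereferences `in`, so it must
  // never be handed a nullptr.
  MDefinition* truncate(MDefinition* in) {
    return constant(ValType::I32, static_cast<double>(static_cast<int>(in->value)));
  }
  void returnValue() { iter_.unreachable = true; }  // models `return d1;`

 private:
  OpIter iter_;
  std::vector<std::unique_ptr<MDefinition>> nodes_;
};

enum class EmitResult { Emitted, SkippedDeadCode, WouldDerefNull, ValidationError };

// Shape of the crashing emitter: trusts readConversion's `true` and uses the
// operand. The real code dereferenced the null pointer; this model reports it.
EmitResult EmitTruncateUnguarded(FunctionCompiler& f) {
  MDefinition* input;
  if (!f.iter().readConversion(ValType::F64, ValType::I32, &input)) {
    return EmitResult::ValidationError;
  }
  if (input == nullptr) {
    return EmitResult::WouldDerefNull;
  }
  f.truncate(input);
  return EmitResult::Emitted;
}

// Defensive shape: skip emission while the iterator is in unreachable code,
// which is exactly when the operand is absent.
EmitResult EmitTruncateGuarded(FunctionCompiler& f) {
  MDefinition* input;
  if (!f.iter().readConversion(ValType::F64, ValType::I32, &input)) {
    return EmitResult::ValidationError;
  }
  if (f.inDeadCode()) {
    return EmitResult::SkippedDeadCode;
  }
  assert(input != nullptr);
  f.truncate(input);
  return EmitResult::Emitted;
}

// Replays the testcase's structure: `return d1;` then `~~.0` in dead code.
EmitResult RunDeadCodeTruncate(bool guarded) {
  FunctionCompiler f;
  f.returnValue();
  return guarded ? EmitTruncateGuarded(f) : EmitTruncateUnguarded(f);
}

// Control: the same truncation in reachable code with an f64 operand present.
EmitResult RunReachableTruncate(bool guarded) {
  FunctionCompiler f;
  f.iter().valueStack.push_back(f.constant(ValType::F64, 0.0));
  return guarded ? EmitTruncateGuarded(f) : EmitTruncateUnguarded(f);
}
```

The point of the model is the API contract: a `true` from readConversion means "validated", not "operand available", so any emitter that consumes the operand needs the dead-code check first; the reachable control path shows the guard changes nothing when an operand really is present.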

This is an NPE and sec-low/sec-other. The patch can land on Nightly; it's a Nightly-only regression.

Keywords: sec-other
Group: core-security → javascript-core-security
Severity: -- → S3
Priority: -- → P1
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Flags: sec-bounty? → sec-bounty-

Backed out on request from lth for stability issues: https://hg.mozilla.org/mozilla-central/rev/41fa4179cc8c

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #9175779 - Attachment is obsolete: true

I think we can close this? Not 100% sure why it was reopened.

Fixed because regressor bug 1639153 got backed out.

Status: REOPENED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
No longer regressions: 1666051
Group: core-security-release
Has Regression Range: --- → yes