Bug 565373 - TM: Invalid write of size 8 with testcase
Status: VERIFIED FIXED (Closed)
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect, P1

Tracking | Status
---|---
blocking2.0 | final+
status1.9.2 | unaffected
status1.9.1 | unaffected

People: Reporter: gkw, Assigned: dvander
Keywords: regression, testcase, valgrind
Whiteboard: [sg:critical?][ccbr][critsmash:patch]
Attachments (1 file): patch, 1.26 KB, luke: review+
for(x in <x>></x>) (function () { (function f(a) { g(); f(a) }()); function g() { let(b) function () { return }() } }())

Pass this in as a CLI argument to js shell on TM tip with -j on Ubuntu 10.04 64-bit, it will show an "*** glibc detected *** ./js-opt-64-tm-linux: corrupted double-linked list: 0x00000000020b77d0 ***" error.

This occurs both in dbg and opt builds.

s-s because I don't know how scary this is.

Testing in valgrind reveals:

$ valgrind ./js-opt-64-tm-linux -j w42174-cj-in.js
==17639== Memcheck, a memory error detector
==17639== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==17639== Using Valgrind-3.6.0.SVN-Debian and LibVEX; rerun with -h for copyright info
==17639== Command: ./js-opt-64-tm-linux -j w42174-cj-in.js
==17639==
==17639== Invalid write of size 8
==17639==    at 0x41ADF4C: ???
==17639==    by 0x51A3E6: js::ExecuteTree(JSContext*, js::TreeFragment*, unsigned int&, js::VMSideExit**, js::VMSideExit**) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x51FC34: js::MonitorLoopEdge(JSContext*, unsigned int&, js::RecordReason) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x54933D: js_Interpret (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x4573CC: js_Execute (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x40B0E5: JS_ExecuteScript (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x406294: Process(JSContext*, JSObject*, char*, int) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x406EA3: main (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==  Address 0x5ff28f8 is 0 bytes after a block of size 69,544 alloc'd
==17639==    at 0x4C27CC1: operator new(unsigned long) (vg_replace_malloc.c:261)
==17639==    by 0x4F9444: js::InitJIT(js::TraceMonitor*) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x42277F: js_InitThreads(JSRuntime*) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x40DB10: JSRuntime::init(unsigned int) (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x40DB91: JS_Init (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639==    by 0x4068A4: main (in /home/fuzz1/Desktop/3interesting/js-opt-64-tm-linux)
==17639== w42174-cj-in.js:4: InternalError: too much recursion
==17639==
==17639== HEAP SUMMARY:
==17639==     in use at exit: 0 bytes in 0 blocks
==17639==   total heap usage: 1,101 allocs, 1,101 frees, 3,586,497 bytes allocated
==17639==
==17639== All heap blocks were freed -- no leaks are possible
==17639==
==17639== For counts of detected and suppressed errors, rerun with: -v
==17639== ERROR SUMMARY: 5 errors from 1 contexts (suppressed: 4 from 4)
Comment 1•14 years ago
Did this start recently?
Reporter
Comment 2•14 years ago
(In reply to comment #1)
> Did this start recently?

No idea (autoBisect.py is still under test) - earlier similar bug is bug 563243.
Reporter
Comment 3•14 years ago
I'm on changeset tm-41833-d9ef93881da0 64-bit Ubuntu btw.
Updated•14 years ago
Assignee: general → gal
blocking2.0: --- → ?
Priority: -- → P1
Whiteboard: [sg:investigate?]
Updated•14 years ago
Whiteboard: [sg:investigate?] → [sg:critical?]
Reporter
Comment 4•14 years ago
(In reply to comment #2)
> (In reply to comment #1)
> > Did this start recently?
>
> No idea (autoBisect.py is still under test) - earlier similar bug is bug 563243.

autoBisect shows this is probably related to bug 525120:

The first bad revision is:
changeset: 34373:252097674133
user: Luke Wagner
date: Wed Oct 28 16:44:44 2009 -0700
summary: Bug 525120 - move native stack off the C stack (fixes native global frame alignment) (r=dvander)
Blocks: 525120
Comment 5•14 years ago
Man, valgrind is awesome. It informs me that the write is to one-past-the-end of TraceNativeStorage. This looks like an off-by-one error that is just being exposed by moving the native storage to a place where valgrind can more easily see the error.
Reporter
Comment 6•14 years ago
(In reply to comment #5)
> Man, valgrind is awesome. It informs me that the write is to one-past-the-end
> of TraceNativeStorage. This looks like an off-by-one error that is just being
> exposed by moving the native storage to a place where valgrind can more easily
> see the error.

More accurately, Valgrind helped diagnose the issue. This bug apparently was detected by jsfunfuzz as an opt crash in a 64-bit js shell build, and Valgrind played no part in this.
Comment 7•14 years ago
(In reply to comment #6)
> (In reply to comment #5)
> More accurately, Valgrind helped diagnose the issue.

That's what I said.

> This bug apparently was detected by jsfunfuzz as an opt crash in a 64-bit js
> shell build, and Valgrind played no part in this..

Don't worry, I think that jsfunfuzz is awesome too ;)
Assignee
Comment 8•14 years ago
Silly bug, easy fix. We're not checking the tree's max calldepth usage when seeing if it's okay to recurse. Stack usage already had this check, so no worries there.
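A simplified model of the missing check described in comment 8, added here as an illustration; it is not TraceMonkey's code, and the storage layout, constants and function names are assumptions. It contrasts an admission check that only bounds stack-slot usage with one that also bounds call depth, and reports when the unchecked path would write one past the end of the fixed-size call-stack buffer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model of the fixed-size native storage a
 * compiled trace runs against; names and sizes are assumptions, not
 * TraceMonkey's real layout. */
#define MAX_NATIVE_STACK_SLOTS 64
#define MAX_CALL_STACK_ENTRIES  8

typedef struct {
    uint64_t stack[MAX_NATIVE_STACK_SLOTS];     /* native stack slots   */
    uint64_t callstack[MAX_CALL_STACK_ENTRIES]; /* one record per frame */
} NativeStorage;
static NativeStorage g_storage;

/* Buggy admission check: bounds the stack slots the tree needs but
 * never looks at how many call frames it will push. */
bool can_enter_buggy(size_t tree_slots, size_t tree_depth,
                     size_t slots_used, size_t depth_used) {
    (void)tree_depth; (void)depth_used;
    return slots_used + tree_slots <= MAX_NATIVE_STACK_SLOTS;
}

/* Fixed admission check: the tree's max call depth must fit too. */
bool can_enter_fixed(size_t tree_slots, size_t tree_depth,
                     size_t slots_used, size_t depth_used) {
    return slots_used + tree_slots <= MAX_NATIVE_STACK_SLOTS &&
           depth_used + tree_depth <= MAX_CALL_STACK_ENTRIES;
}

/* Admit a tree with one of the checks, then push its frames. Returns 0
 * if refused, 1 if every frame record landed in bounds, -1 if a record
 * would have gone one past the end of callstack (the write valgrind
 * reported); that bad write is detected and skipped, not performed. */
int simulate_entry(bool use_fixed, size_t tree_slots, size_t tree_depth,
                   size_t slots_used, size_t depth_used) {
    bool ok = use_fixed
        ? can_enter_fixed(tree_slots, tree_depth, slots_used, depth_used)
        : can_enter_buggy(tree_slots, tree_depth, slots_used, depth_used);
    if (!ok)
        return 0;
    for (size_t i = 0; i < tree_depth; i++) {
        size_t idx = depth_used + i;
        if (idx >= MAX_CALL_STACK_ENTRIES)
            return -1;                      /* would overflow */
        g_storage.callstack[idx] = 0xC0DE;  /* constructed frame record */
    }
    return 1;
}
```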
Updated•14 years ago
Attachment #445827 - Flags: review?(lw) → review+
Assignee
Comment 9•14 years ago
http://hg.mozilla.org/tracemonkey/rev/9d88c701b46f This is most likely exploitable though not easily by any means.
Whiteboard: [sg:critical?] → [sg:critical][ccbr] fixed-in-tracemonkey
Comment 10•14 years ago
This is failing a trace test.
Whiteboard: [sg:critical][ccbr] fixed-in-tracemonkey → [sg:critical][ccbr]
Updated•14 years ago
Whiteboard: [sg:critical][ccbr] → [sg:critical][ccbr][critsmash:patch]
Comment 12•14 years ago
http://hg.mozilla.org/mozilla-central/rev/9d88c701b46f
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
No longer blocks: 575263
blocking1.9.2: --- → .8+
status1.9.2: --- → wanted
Whiteboard: [sg:critical][ccbr][critsmash:patch] → [sg:critical?][ccbr][critsmash:patch]
Comment 13•14 years ago
Any chance of getting this backported to 1.9.2 for 3.6.9? Code freeze is scheduled for tomorrow night for that release btw. We were tracking bug 575263 as a blocker, and this bug may have fixed that issue on trunk.
Assignee
Comment 14•14 years ago
Earlier branches aren't affected by this bug.
blocking1.9.2: .9+ → ---
Updated•14 years ago
Group: core-security
status1.9.1: --- → unaffected
Comment 15•12 years ago
Tracer has been long gone on trunk, marking verified.
Status: RESOLVED → VERIFIED
Comment 16•11 years ago
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-