Closed Bug 621419 Opened 14 years ago Closed 12 years ago

Use-after-free Crash [@ JSObject::lookupProperty] after gc()

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 621375

People

(Reporter: alexander.miller, Unassigned)

References

Details

(Keywords: testcase, Whiteboard: [sg:dupe 621375])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

A use-after-free issue exists in the js shell. 

Testcase:
function z() { return evalcx('split').Object.__lookupGetter__; }
var a = z();
gc();
a();

Reproducible: Always

Steps to Reproduce:
1. Load that testcase
2. Use-after-free crash (trying to access 0xdadadb32)

Actual Results:  
Crash due to invalid (possibly arbitrary) memory access. (Not a crash reading freed memory)

Expected Results:  
Syntax error or exception of sorts... Anything but an exploitable crash.

Faulting instruction: mov     eax,dword ptr [eax]
Just by looking at the testcase, I think the following is happening:
evalcx('split') is splitting the returned value of the function. Because one half of the split object is a null property (or whatever it's called), that half is collected by gc() because gc() doesn't seem to collect split objects correctly. Then when the function is finally called, the half of the object containing the properties was freed, which leads to accessing freed memory.

Dup of bug 619004 / bug 621375?  The testcase seems very similar to the one in bug 621375.

(In reply to comment #2)
> Dup of bug 619004 / bug 621375?  The testcase seems very similar to the one in
> bug 621375.

Yeah, it is pretty similar. I would say not quite a dup because of the different crash signature, different changeset (a6438d91ca4d), and the fact that this occurs regardless of any JITs that are enabled.

I assume this is a dupe of bug 621375 and will be fixed with it, but just in case it is not, I am leaving this open and marking it "depends on" 621375 so this testcase can be separately verified.
Status: UNCONFIRMED → NEW
Depends on: 621375
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:dupe 621375] if not fixed by 621375 probably sg:critical
Whiteboard: [sg:dupe 621375] if not fixed by 621375 probably sg:critical → [sg:dupe 621375]
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE