Closed
Bug 759719
Opened 12 years ago
Closed 12 years ago
Crash [@ malloc_consolidate] or Glibc abort with memory corruption, related to invalid access in JSScript::JITScriptHandle::setValid
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
Release | Tracking | Status
---|---|---
firefox14 | + | unaffected
firefox15 | + | fixed
firefox16 | + | fixed
firefox-esr10 | - | unaffected
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(5 keywords, Whiteboard: js-triage-needed [advisory-tracking-])
Crash Data
Attachments
(2 files)
2.50 KB, application/javascript | Details
1.23 KB, patch | dvander: review+ | akeybl: approval-mozilla-aurora+ | Details | Diff | Splinter Review
The attached test crashes on mozilla-central revision e8a025a7101b (options -m -n). Valgrind on debug shows:

==17477== Invalid write of size 8
==17477==    at 0x707920: JSScript::JITScriptHandle::setValid(js::mjit::JITScript*) (jsscript.h:376)
==17477==    by 0x71D614: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:948)
==17477==    by 0x50E14C: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1555)
==17477==    by 0x508E18: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:266)
==17477==    by 0x509A89: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:466)
==17477==    by 0x509D08: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:508)
==17477==    by 0x448CB9: JS_ExecuteScript (jsapi.cpp:5335)
==17477==    by 0x4084CB: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:445)
==17477==    by 0x41376E: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4754)
==17477==    by 0x4139D1: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4837)
==17477==    by 0x414112: main (js.cpp:5041)
==17477==  Address 0x5f0b7f0 is 0 bytes inside a block of size 32 free'd
==17477==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==17477==    by 0x403BBE: js_free (Utility.h:169)
==17477==    by 0x403BF8: js::Foreground::free_(void*) (Utility.h:588)
==17477==    by 0x419945: JSRuntime::free_(void*) (jscntxt.h:834)
==17477==    by 0x426410: js::FreeOp::free_(void*) (jscntxt.h:1004)
==17477==    by 0x48DCDD: void js::FreeOp::delete_<JSScript::JITScriptSet>(JSScript::JITScriptSet*) (in /srv/repos/mozilla-central/js/src/debug64/shell/js)
==17477==    by 0x48A80E: JSScript::destroyJITInfo(js::FreeOp*) (jsscriptinlines.h:229)
==17477==    by 0x48A217: js::mjit::ReleaseScriptCode(js::FreeOp*, JSScript*) (MethodJIT.h:886)
==17477==    by 0x48C8BE: JSCompartment::discardJitCode(js::FreeOp*) (jscompartment.cpp:437)
==17477==    by 0x48CA60: JSCompartment::sweep(js::FreeOp*, bool) (jscompartment.cpp:470)
==17477==    by 0x4C5E19: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3260)
==17477==    by 0x4C75DE: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3706)

While GDB shows:

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
5161	malloc.c: No such file or directory.
	in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
#1  0x00007ffff6efe472 in _int_malloc (av=0x7ffff72141c0, bytes=28784) at malloc.c:4373
#2  0x00007ffff6f027b4 in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4065
#3  0x0000000000482634 in js_calloc (bytes=28784) at ./dist/include/js/Utility.h:158
#4  0x00000000004826c4 in js::OffTheBooks::calloc_ (bytes=28784) at ./dist/include/js/Utility.h:572
#5  0x000000000075a4a0 in js::mjit::FrameState::pushActiveFrame (this=0x7fffffff8b70, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/FrameState.cpp:65
#6  0x000000000071b03c in js::mjit::Compiler::pushActiveFrame (this=0x7fffffff8440, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:423
#7  0x000000000071b4f6 in js::mjit::Compiler::performCompilation (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:506
#8  0x000000000071a1e4 in js::mjit::Compiler::compile (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:112
#9  0x000000000071d760 in js::mjit::CanMethodJIT (cx=0xc08c20, script=0x7ffff6107790, pc=0xc1e32d "m", <incomplete sequence \326>, construct=false, request=js::mjit::CompileRequest_Interpreter) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:975

In opt-builds I've seen glibc aborts which are likely due to the same issue. Assuming s-s and sec-critical due to memory corruption.
Assignee
Comment 1•12 years ago
The array of JITScripts now attached to scripts could be freed by a GC under MakeJITScript. We were already watching for the GC, just not at an early enough point. Regression from bug 758613 so only Fx 15 is affected.
Assignee: general → bhackett1024
Attachment #629551 -
Flags: review?(dvander)
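As an added illustration (not SpiderMonkey's code and not this bug's patch), the toy C model below reproduces the ordering problem comment 1 describes: compiling allocates, an allocation can run a GC that frees the script's JIT array, and the safe version checks a GC counter before writing into that array instead of after. Every name here (Runtime, Script, compile, gc_sweep, gc_pending, make_jit_*) is constructed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy model (constructed; not SpiderMonkey code): a script owns a heap array of
   JIT entries that a GC sweep frees, and compiling allocates, which may GC. */
typedef struct { int *jit_entries; } Script;
typedef struct {
    uint64_t gc_number;   /* bumped on every GC, like a GC epoch counter */
    bool gc_pending;      /* constructed knob: force a GC on the next allocation */
    Script script;
} Runtime;

static void gc_sweep(Runtime *rt) {
    rt->gc_number++;
    free(rt->script.jit_entries);   /* sweep discards the script's JIT data */
    rt->script.jit_entries = NULL;
}

/* Compilation allocates; the allocation may run a GC (as in the GDB trace). */
static void *compile(Runtime *rt) {
    if (rt->gc_pending) { rt->gc_pending = false; gc_sweep(rt); }
    return malloc(16);
}

/* Buggy ordering: the entries pointer is taken before compile() and used after.
   The write is modelled as a staleness check instead of a real dereference. */
static bool make_jit_buggy(Runtime *rt) {
    int *entries = rt->script.jit_entries;    /* dangling if compile() GCs */
    free(compile(rt));
    return entries != rt->script.jit_entries; /* true: would write freed memory */
}

/* Fixed ordering: snapshot the GC counter first and bail out before touching
   the entries if any GC ran during compilation. */
static int make_jit_fixed(Runtime *rt) {
    uint64_t gc_before = rt->gc_number;
    free(compile(rt));                        /* toy: nothing to install */
    if (rt->gc_number != gc_before)
        return -1;                            /* entries were swept; retry later */
    rt->script.jit_entries[0] = 1;            /* safe: the block is still alive */
    return 0;
}

static Runtime *runtime_new(bool gc_pending) {
    Runtime *rt = calloc(1, sizeof *rt);
    rt->gc_pending = gc_pending;
    rt->script.jit_entries = calloc(4, sizeof(int));
    return rt;
}

static void runtime_free(Runtime *rt) { free(rt->script.jit_entries); free(rt); }
```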
Reporter
Comment 2•12 years ago
Saw this in the fuzzer also crashing [@ js::ShapeTable::search], linking for crashstats.
Crash Signature: [@ malloc_consolidate] → [@ malloc_consolidate]
[@ js::ShapeTable::search]
Updated•12 years ago
status-firefox15:
--- → affected
Updated•12 years ago
Attachment #629551 -
Flags: review?(dvander) → review+
Comment 4•12 years ago
https://hg.mozilla.org/mozilla-central/rev/0a4ce45a4d40
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter
Comment 5•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Reporter
Updated•12 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ malloc_consolidate]
[@ js::ShapeTable::search] → [@ malloc_consolidate]
[@ js::ShapeTable::search]
Updated•12 years ago
Crash Signature: [@ malloc_consolidate]
[@ js::ShapeTable::search] → [@ malloc_consolidate]
[@ js::ShapeTable::search]
status-firefox-esr10:
--- → affected
status-firefox14:
--- → affected
status-firefox16:
--- → fixed
tracking-firefox-esr10:
--- → 14+
tracking-firefox14:
--- → +
tracking-firefox15:
--- → +
tracking-firefox16:
--- → +
Assignee
Updated•12 years ago
Assignee
Comment 6•12 years ago
Comment on attachment 629551 [details] [diff] [review] patch
This just missed the last cutoff it looks like, needs Aurora uplift but doesn't affect Beta.
Attachment #629551 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
Updated•12 years ago
Attachment #629551 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee
Comment 7•12 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/90c5403757a7
Updated•12 years ago
Updated•12 years ago
Whiteboard: js-triage-needed → js-triage-needed [advisory-tracking-]
Updated•12 years ago
Group: core-security
Updated•12 years ago
Blocks: 758613
Keywords: csec-uaf, regression
Reporter
Comment 8•11 years ago
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+