759719 - Crash [@ malloc_consolidate] or Glibc abort with memory corruption, related to invalid access in JSScript::JITScriptHandle::setValid

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

Attachment: Test case for shell (run with -n -m)

The attached test crashes on mozilla-central revision e8a025a7101b (options -m -n).


Valgrind on debug shows:

==17477== Invalid write of size 8
==17477==    at 0x707920: JSScript::JITScriptHandle::setValid(js::mjit::JITScript*) (jsscript.h:376)
==17477==    by 0x71D614: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:948)
==17477==    by 0x50E14C: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1555)
==17477==    by 0x508E18: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:266)
==17477==    by 0x509A89: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:466)
==17477==    by 0x509D08: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:508)
==17477==    by 0x448CB9: JS_ExecuteScript (jsapi.cpp:5335)
==17477==    by 0x4084CB: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:445)
==17477==    by 0x41376E: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4754)
==17477==    by 0x4139D1: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4837)
==17477==    by 0x414112: main (js.cpp:5041)
==17477==  Address 0x5f0b7f0 is 0 bytes inside a block of size 32 free'd
==17477==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==17477==    by 0x403BBE: js_free (Utility.h:169)
==17477==    by 0x403BF8: js::Foreground::free_(void*) (Utility.h:588)
==17477==    by 0x419945: JSRuntime::free_(void*) (jscntxt.h:834)
==17477==    by 0x426410: js::FreeOp::free_(void*) (jscntxt.h:1004)
==17477==    by 0x48DCDD: void js::FreeOp::delete_<JSScript::JITScriptSet>(JSScript::JITScriptSet*) (in /srv/repos/mozilla-central/js/src/debug64/shell/js)
==17477==    by 0x48A80E: JSScript::destroyJITInfo(js::FreeOp*) (jsscriptinlines.h:229)
==17477==    by 0x48A217: js::mjit::ReleaseScriptCode(js::FreeOp*, JSScript*) (MethodJIT.h:886)
==17477==    by 0x48C8BE: JSCompartment::discardJitCode(js::FreeOp*) (jscompartment.cpp:437)
==17477==    by 0x48CA60: JSCompartment::sweep(js::FreeOp*, bool) (jscompartment.cpp:470)
==17477==    by 0x4C5E19: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3260)
==17477==    by 0x4C75DE: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3706)

While GDB shows:

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
5161    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
#1  0x00007ffff6efe472 in _int_malloc (av=0x7ffff72141c0, bytes=28784) at malloc.c:4373
#2  0x00007ffff6f027b4 in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4065
#3  0x0000000000482634 in js_calloc (bytes=28784) at ./dist/include/js/Utility.h:158
#4  0x00000000004826c4 in js::OffTheBooks::calloc_ (bytes=28784) at ./dist/include/js/Utility.h:572
#5  0x000000000075a4a0 in js::mjit::FrameState::pushActiveFrame (this=0x7fffffff8b70, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/FrameState.cpp:65
#6  0x000000000071b03c in js::mjit::Compiler::pushActiveFrame (this=0x7fffffff8440, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:423
#7  0x000000000071b4f6 in js::mjit::Compiler::performCompilation (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:506
#8  0x000000000071a1e4 in js::mjit::Compiler::compile (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:112
#9  0x000000000071d760 in js::mjit::CanMethodJIT (cx=0xc08c20, script=0x7ffff6107790, pc=0xc1e32d "m", <incomplete sequence \326>, construct=false, request=js::mjit::CompileRequest_Interpreter)
    at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:975


In opt-builds I've seen glibc aborts which are likely due to the same issue. Assuming s-s and sec-critical due to memory corruption.

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

The array of JITScripts now attached to scripts could be freed by a GC under MakeJITScript.  We were already watching for the GC, just not at an early enough point.  Regression from bug 758613 so only Fx 15 is affected.

Comment 2

[Christian Holler (:decoder)]

Saw this in the fuzzer also crashing [@ js::ShapeTable::search], linking for crashstats.

Comment 4

[neil@parkwaycc.co.uk]

https://hg.mozilla.org/mozilla-central/rev/0a4ce45a4d40

Comment 5

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.

Comment 6

[Brian Hackett [Laid off!]]

Comment on attachment 629551 [details] [diff] [review]
patch

This just missed the last cutoff it looks like, needs Aurora uplift but doesn't affect Beta.

Comment 7

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/90c5403757a7

Comment 8

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929