Closed
Bug 1000145
Opened 10 years ago
Closed 10 years ago
ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
Branch | Tracking | Status
---|---|---
firefox29 | --- | unaffected
firefox30 | --- | verified
firefox31 | --- | verified
firefox-esr24 | --- | unaffected
b2g-v1.2 | --- | unaffected
b2g-v1.3 | --- | unaffected
b2g-v1.4 | --- | fixed
b2g-v2.0 | --- | fixed
People
(Reporter: decoder, Assigned: bhackett1024)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments
(1 file)
patch, 911 bytes (jandem: review+)
The following testcase crashes on mozilla-central revision 1ab07aa4d004 (run with --fuzzing-safe):

```js
function generate_big_object_graph() {
  var root = {};
  f(root, 17);
  // Recursively attach two child objects per node down to the given depth,
  // so a large number of objects and property type sets get created.
  function f(parent, depth) {
    if (depth == 0) return;
    --depth;
    f(parent.a = {}, depth);
    f(parent.b = {}, depth);
  }
}
function outer() {
  var x = arguments;
  return function inner() { return x };
}
var f = outer(generate_big_object_graph());
oomAfterAllocations(100); // JS shell testing function: make allocations fail after 100 more
gc();
```
Comment 1 • 10 years ago (Reporter)
Crash trace:

```text
==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244
    #2 0xde68e7 in js::types::TypeZone::sweep(js::FreeOp*, bool, bool*) js/src/jsinfer.cpp:4352
    #3 0x6ad5b7 in JS::Zone::sweep(js::FreeOp*, bool, bool*) js/src/gc/Zone.cpp:119
    #4 0xf7658d in BeginSweepingZoneGroup(JSRuntime*) js/src/jsgc.cpp:3976
    #5 0xf701b8 in BeginSweepPhase(JSRuntime*, bool) js/src/jsgc.cpp:4080
    #6 0xf701b8 in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) js/src/jsgc.cpp:4686
    #7 0xf69a2b in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4822
    #8 0xdb416f in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4955
    #9 0xccbed6 in js::DestroyContext(JSContext*, js::DestroyContextMode) js/src/jscntxt.cpp:264
    [...]
0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::detail::BumpChunk::delete_(js::detail::BumpChunk*) js/src/ds/LifoAlloc.cpp:45
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
    #4 0xdb04d3 in js::GCHelperThread::doSweep() js/src/jsgc.cpp:2731
    #5 0xdafa64 in js::GCHelperThread::threadLoop() js/src/jsgc.cpp:2558
    [...]
previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x5d47b3 in js::detail::BumpChunk::new_(unsigned long) js/src/ds/LifoAlloc.cpp:23
    #3 0x5d47b3 in js::LifoAlloc::getOrCreateChunk(unsigned long) js/src/ds/LifoAlloc.cpp:105
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
    #5 0x926ca1 in js::ExclusiveContext::typeLifoAlloc() js/src/ds/LifoAlloc.h:387
    #6 0x926ca1 in js::types::TypeObject::getProperty(js::ExclusiveContext*, jsid) js/src/jsinferinlines.h:1247
    #7 0xdd6294 in InlineAddTypeProperty(js::ExclusiveContext*, js::types::TypeObject*, jsid, js::types::Type) js/src/jsinfer.cpp:2844:26
    #8 0xe39b4c in js::ThreadSafeContext::asExclusiveContext() const js/src/jsobjinlines.h:612:5
    #9 0xe39b4c in _ZL23UpdateShapeTypeAndValueILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEP8JSObjectPNS0_5ShapeERKN2JS5ValueE js/src/jsobj.cpp:3656
    #10 0xe39084 in _ZL23DefinePropertyOrElementILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEN2JS6HandleIP8JSObjectEENS6_I4jsidEEPFbP9JSContextS9_SB_NS5_13MutableHandleINS5_5ValueEEEEPFbSD_S9_SB_bSG_EjjNS6_ISF_EEbb js/src/jsobj.cpp:3756
    #11 0xf9cc42 in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5103:16
    #12 0x10cefb6 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.h:1020
    #13 0x10cefb6 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:339
    [...]
```
This looks very much like the thing we saw in pwn2own, marking s-s and sec-critical based on that. Jan pointed out that this might have been regressed by bug 988619. Needinfo on Brian based on that :)
status-firefox31: --- → affected
Flags: needinfo?(bhackett1024)
Keywords: csectype-uaf, sec-critical
Whiteboard: [jsbugmon:update,bisect]
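As an added triage example (not part of this bug's attachment or of the SpiderMonkey code), a small Python parser that pulls out of an ASan report like the one above the fields a defender triaging crash reports wants: the error kind, the faulting access with its first program frame, the first program frame of the free and allocation stacks, and whether the free happened on a different thread than the access (here the JS GC helper thread freed the type-inference LifoAlloc chunk that the main thread's sweep still read). The embedded report is a constructed, trimmed copy of the trace in comment 1.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the ASan report pasted in comment 1.
SAMPLE = """\
==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
"""
HEAD = re.compile(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
OWNER = re.compile(r"^(freed|previously allocated) by thread (T\d+)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.*) (\S+)$")  # -> (function, file:line)

@dataclass
class Report:
    kind: str = ""
    access: str = ""
    size: int = 0
    threads: dict = field(default_factory=dict)  # "access"/"free"/"alloc" -> thread id
    stacks: dict = field(default_factory=dict)   # same keys -> [(function, file:line)]
    def first_app_frame(self, section):
        # Skip ASan's malloc/free interceptor frames so the answer is program code
        frames = [f for f in self.stacks.get(section, []) if not f[0].startswith("__interceptor_")]
        return frames[0] if frames else None
    def cross_thread_free(self):
        # Freed on a different thread than the one still reading it: this bug's pattern
        return self.threads.get("free") != self.threads.get("access")

def parse_asan(text):
    rep, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEAD.search(line):
            rep.kind = m.group(1)
        elif m := ACCESS.match(line):
            rep.access, rep.size, section = m.group(1), int(m.group(2)), "access"
            rep.threads[section] = m.group(3)
        elif m := OWNER.match(line):
            section = "free" if m.group(1) == "freed" else "alloc"
            rep.threads[section] = m.group(2)
        elif (m := FRAME.match(line)) and section:
            rep.stacks.setdefault(section, []).append((m.group(1), m.group(2)))
    return rep
```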
Comment 2 • 10 years ago (Assignee)
Yes, this was regressed by bug 988619 (man, I suck at writing this OOM handling code).
Assignee: general → bhackett1024
Attachment #8411227 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Updated • 10 years ago
Keywords: regression
Updated • 10 years ago
status-firefox30: --- → unaffected
status-firefox-esr24: --- → unaffected
Updated • 10 years ago
Attachment #8411227 - Flags: review?(jdemooij) → review+
Comment 3 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/496007a2b3ae
Comment 5 • 10 years ago
It looks like we want bug 988619 on Aurora, which means we'll want this one too.
status-firefox29: --- → unaffected
Updated • 10 years ago
Comment 6 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/496007a2b3ae
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Comment 7 • 10 years ago
Bug 988619 was pushed to Aurora with this fix rolled in.
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
Comment 8 • 10 years ago
Confirmed crash on 2014-04-04, Fx30. Verified fixed on 2014-06-04, Fx30 and Fx31.
Updated • 9 years ago
Group: core-security