1000145 - ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 1ab07aa4d004 (run with --fuzzing-safe):


function generate_big_object_graph() {
  var root = {};
  f(root, 17);
  function f(parent, depth) {
    if (depth == 0)
      return;
    --depth;
    f(parent.a = {}, depth);
    f(parent.b = {}, depth);
  }
}
function outer() { 
  var x = arguments; 
  return function inner() { return x }; 
}
var f = outer(generate_big_object_graph());
oomAfterAllocations(100);
gc();

Comment 1

[Christian Holler (:decoder)]

Crash trace:


==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244
    #2 0xde68e7 in js::types::TypeZone::sweep(js::FreeOp*, bool, bool*) js/src/jsinfer.cpp:4352
    #3 0x6ad5b7 in JS::Zone::sweep(js::FreeOp*, bool, bool*) js/src/gc/Zone.cpp:119
    #4 0xf7658d in BeginSweepingZoneGroup(JSRuntime*) js/src/jsgc.cpp:3976
    #5 0xf701b8 in BeginSweepPhase(JSRuntime*, bool) js/src/jsgc.cpp:4080
    #6 0xf701b8 in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) js/src/jsgc.cpp:4686
    #7 0xf69a2b in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4822
    #8 0xdb416f in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4955
    #9 0xccbed6 in js::DestroyContext(JSContext*, js::DestroyContextMode) js/src/jscntxt.cpp:264
    [...]

0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::detail::BumpChunk::delete_(js::detail::BumpChunk*) js/src/ds/LifoAlloc.cpp:45
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
    #4 0xdb04d3 in js::GCHelperThread::doSweep() js/src/jsgc.cpp:2731
    #5 0xdafa64 in js::GCHelperThread::threadLoop() js/src/jsgc.cpp:2558
    [...]

previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x5d47b3 in js::detail::BumpChunk::new_(unsigned long) js/src/ds/LifoAlloc.cpp:23
    #3 0x5d47b3 in js::LifoAlloc::getOrCreateChunk(unsigned long) js/src/ds/LifoAlloc.cpp:105
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
    #5 0x926ca1 in js::ExclusiveContext::typeLifoAlloc() js/src/ds/LifoAlloc.h:387
    #6 0x926ca1 in js::types::TypeObject::getProperty(js::ExclusiveContext*, jsid) js/src/jsinferinlines.h:1247
    #7 0xdd6294 in InlineAddTypeProperty(js::ExclusiveContext*, js::types::TypeObject*, jsid, js::types::Type) js/src/jsinfer.cpp:2844:26
    #8 0xe39b4c in js::ThreadSafeContext::asExclusiveContext() const js/src/jsobjinlines.h:612:5
    #9 0xe39b4c in _ZL23UpdateShapeTypeAndValueILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEP8JSObjectPNS0_5ShapeERKN2JS5ValueE js/src/jsobj.cpp:3656
    #10 0xe39084 in _ZL23DefinePropertyOrElementILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEN2JS6HandleIP8JSObjectEENS6_I4jsidEEPFbP9JSContextS9_SB_NS5_13MutableHandleINS5_5ValueEEEEPFbSD_S9_SB_bSG_EjjNS6_ISF_EEbb js/src/jsobj.cpp:3756
    #11 0xf9cc42 in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5103:16
    #12 0x10cefb6 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.h:1020
    #13 0x10cefb6 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:339
    [...]


This looks very much like the thing we saw in pwn2own, marking s-s and sec-critical based on that. Jan pointed out that this might have been regressed by bug 988619. Needinfo on Brian based on that :)

Comment 2

[Brian Hackett [Laid off!]]

Attachment: patch

Yes, this was regressed by bug 988619 (man, I suck at writing this OOM handling code).

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/496007a2b3ae

Comment 5

[Daniel Veditz [:dveditz]]

It looks like we want bug 988619 on Aurora, which means we'll want this one too.

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/496007a2b3ae

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Bug 988619 was pushed to Aurora with this fix rolled in.

Comment 8

[Matt Wobensmith [:mwobensmith][:matt:]]

Confirmed crash on 2014-04-04, Fx30.
Verified fixed on 2014-06-04, Fx30 and Fx31.