Closed Bug 1000145 Opened 6 years ago Closed 6 years ago

ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM


(Core :: JavaScript Engine, defect, critical)




Tracking Status
firefox29 --- unaffected
firefox30 --- verified
firefox31 --- verified
firefox-esr24 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed


(Reporter: decoder, Assigned: bhackett)


(Blocks 2 open bugs)


(5 keywords, Whiteboard: [jsbugmon:update,bisect])



(1 file)

The following testcase crashes on mozilla-central revision 1ab07aa4d004 (run with --fuzzing-safe):

function generate_big_object_graph() {
  var root = {};
  f(root, 17);
  return root;   // reconstructed: dropped in the extracted copy (assumption)
  function f(parent, depth) {
    if (depth == 0)
      return;    // reconstructed: terminates the recursion (assumption)
    depth -= 1;  // reconstructed: depth must shrink each level (assumption)
    f(parent.a = {}, depth);
    f(parent.b = {}, depth);
  }
}
function outer() {
  var x = arguments;
  return function inner() { return x };
}
var f = outer(generate_big_object_graph());
Crash trace:

==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244
    #2 0xde68e7 in js::types::TypeZone::sweep(js::FreeOp*, bool, bool*) js/src/jsinfer.cpp:4352
    #3 0x6ad5b7 in JS::Zone::sweep(js::FreeOp*, bool, bool*) js/src/gc/Zone.cpp:119
    #4 0xf7658d in BeginSweepingZoneGroup(JSRuntime*) js/src/jsgc.cpp:3976
    #5 0xf701b8 in BeginSweepPhase(JSRuntime*, bool) js/src/jsgc.cpp:4080
    #6 0xf701b8 in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) js/src/jsgc.cpp:4686
    #7 0xf69a2b in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4822
    #8 0xdb416f in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4955
    #9 0xccbed6 in js::DestroyContext(JSContext*, js::DestroyContextMode) js/src/jscntxt.cpp:264

0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::detail::BumpChunk::delete_(js::detail::BumpChunk*) js/src/ds/LifoAlloc.cpp:45
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
    #4 0xdb04d3 in js::GCHelperThread::doSweep() js/src/jsgc.cpp:2731
    #5 0xdafa64 in js::GCHelperThread::threadLoop() js/src/jsgc.cpp:2558

previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x5d47b3 in js::detail::BumpChunk::new_(unsigned long) js/src/ds/LifoAlloc.cpp:23
    #3 0x5d47b3 in js::LifoAlloc::getOrCreateChunk(unsigned long) js/src/ds/LifoAlloc.cpp:105
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
    #5 0x926ca1 in js::ExclusiveContext::typeLifoAlloc() js/src/ds/LifoAlloc.h:387
    #6 0x926ca1 in js::types::TypeObject::getProperty(js::ExclusiveContext*, jsid) js/src/jsinferinlines.h:1247
    #7 0xdd6294 in InlineAddTypeProperty(js::ExclusiveContext*, js::types::TypeObject*, jsid, js::types::Type) js/src/jsinfer.cpp:2844:26
    #8 0xe39b4c in js::ThreadSafeContext::asExclusiveContext() const js/src/jsobjinlines.h:612:5
    #9 0xe39b4c in _ZL23UpdateShapeTypeAndValueILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEP8JSObjectPNS0_5ShapeERKN2JS5ValueE js/src/jsobj.cpp:3656
    #10 0xe39084 in _ZL23DefinePropertyOrElementILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEN2JS6HandleIP8JSObjectEENS6_I4jsidEEPFbP9JSContextS9_SB_NS5_13MutableHandleINS5_5ValueEEEEPFbSD_S9_SB_bSG_EjjNS6_ISF_EEbb js/src/jsobj.cpp:3756
    #11 0xf9cc42 in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5103:16
    #12 0x10cefb6 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.h:1020
    #13 0x10cefb6 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:339

This looks very much like the thing we saw in pwn2own, marking s-s and sec-critical based on that. Jan pointed out that this might have been regressed by bug 988619. Needinfo on Brian based on that :)
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect]
Blocks: 912928
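The ASan report above has the three-stack shape every heap-use-after-free report carries: the faulting access (the main thread, T0, reading inside ConstraintTypeSet::sweep), the free (the JS GC Helper thread, T1, tearing down a LifoAlloc chunk in freeAll), and the original allocation (T0, the type LifoAlloc). A triage script that pulls those fields out lets a fuzzing pipeline classify a crash as a cross-thread UAF before a human reads it. The parser below is an added example written for this page, not a tool from the bug or from the SpiderMonkey tree; the sample report embedded in it is a constructed excerpt that follows the frames quoted in the bug, and the regexes are written against the ASan output format as it appears above.

```python
"""Parse an AddressSanitizer heap-use-after-free report into a triage summary.

Added example, not part of the bug. SAMPLE_REPORT is a constructed excerpt that
follows the shape of the report quoted in the bug; only a few frames are kept.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244

0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66

previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
"""

# One regex per report line kind; lines are stripped before matching.
HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+)(?: \(([^)]*)\))? here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
# Function names contain spaces (template args, parameter lists); the source
# location is always the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+?) (\S+)$")


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: str = ""
    access_size: int = 0
    access_thread: str = ""
    offset: int = 0
    region_size: int = 0
    free_thread: str = ""
    free_thread_name: str = ""
    alloc_thread: str = ""
    # "access", "free" and "alloc" each map to the frames of that stack.
    stacks: dict = field(default_factory=dict)


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report once, switching the target stack on each section header."""
    report = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
            continue
        if report is None:
            continue  # anything before the ERROR line is program output, not the report
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
            report.access_thread = m.group(4)
            current = "access"
            continue
        m = REGION_RE.match(line)
        if m:
            report.offset, report.region_size = int(m.group(2)), int(m.group(3))
            continue
        m = FREED_RE.match(line)
        if m:
            report.free_thread, report.free_thread_name = m.group(1), m.group(2) or ""
            current = "free"
            continue
        m = ALLOC_RE.match(line)
        if m:
            report.alloc_thread = m.group(1)
            current = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m and current:
            report.stacks.setdefault(current, []).append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report


def first_user_frame(frames):
    """Skip the sanitizer's own interceptor frames to reach the program's code."""
    for f in frames:
        if not f.function.startswith(("__interceptor_", "__asan")):
            return f
    return frames[0] if frames else None


def triage(report: AsanReport) -> dict:
    """Summarise the report; a free on a different thread than the access is the
    signature of a lifetime race rather than a plain sequential UAF."""
    def site(key):
        frame = first_user_frame(report.stacks.get(key, []))
        return frame.function if frame else ""
    return {
        "kind": report.kind,
        "cross_thread": bool(report.free_thread) and report.free_thread != report.access_thread,
        "access_site": site("access"),
        "free_site": site("free"),
        "alloc_site": site("alloc"),
        "offset_in_region": f"{report.offset}/{report.region_size}",
    }


if __name__ == "__main__":
    print(triage(parse_asan_report(SAMPLE_REPORT)))
```

Run on the real report, the "cross_thread" flag plus a free site inside LifoAlloc::freeAll is exactly the pattern the bug describes: the background sweep released the type-info chunks while the foreground sweep still walked them.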
Attached patch: patch
Yes, this was regressed by bug 988619 (man, I suck at writing this OOM handling code).
Assignee: general → bhackett1024
Attachment #8411227 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Blocks: 988619
Keywords: regression
Attachment #8411227 - Flags: review?(jdemooij) → review+
Duplicate of this bug: 1000996
It looks like we want bug 988619 on Aurora, which means we'll want this one too.
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Bug 988619 was pushed to Aurora with this fix rolled in.
Confirmed crash on 2014-04-04, Fx30.
Verified fixed on 2014-06-04, Fx30 and Fx31.
Group: core-security