Last Comment Bug 1000145 - ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM
: ASan heap-use-after-free crash [@ js::types::ConstraintTypeSet::sweep] with OOM
: crash, csectype-uaf, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla31
Assigned To: Brian Hackett (:bhackett)
: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 912928 988619
  Show dependency treegraph
Reported: 2014-04-23 06:32 PDT by Christian Holler (:decoder)
Modified: 2015-08-30 12:11 PDT (History)
12 users (show)
cbook: in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (911 bytes, patch)
2014-04-23 11:48 PDT, Brian Hackett (:bhackett)
jdemooij: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2014-04-23 06:32:23 PDT
The following testcase crashes on mozilla-central revision 1ab07aa4d004 (run with --fuzzing-safe):

function generate_big_object_graph() {
  var root = {};
  f(root, 17);
  function f(parent, depth) {
    if (depth == 0)
    f(parent.a = {}, depth);
    f(parent.b = {}, depth);
function outer() { 
  var x = arguments; 
  return function inner() { return x }; 
var f = outer(generate_big_object_graph());
Comment 1 User image Christian Holler (:decoder) 2014-04-23 06:40:43 PDT
Crash trace:

==53875==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500001bca8 at pc 0xf8eb0b bp 0x7fff7ac5b570 sp 0x7fff7ac5b568
READ of size 8 at 0x62500001bca8 thread T0
    #0 0xf8eb0a in js::types::ConstraintTypeSet::sweep(JS::Zone*, bool*) js/src/jsinfer.cpp:4019
    #1 0xde68e7 in js::types::TypeScript::Sweep(js::FreeOp*, JSScript*, bool*) js/src/jsinfer.cpp:4244
    #2 0xde68e7 in js::types::TypeZone::sweep(js::FreeOp*, bool, bool*) js/src/jsinfer.cpp:4352
    #3 0x6ad5b7 in JS::Zone::sweep(js::FreeOp*, bool, bool*) js/src/gc/Zone.cpp:119
    #4 0xf7658d in BeginSweepingZoneGroup(JSRuntime*) js/src/jsgc.cpp:3976
    #5 0xf701b8 in BeginSweepPhase(JSRuntime*, bool) js/src/jsgc.cpp:4080
    #6 0xf701b8 in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) js/src/jsgc.cpp:4686
    #7 0xf69a2b in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4822
    #8 0xdb416f in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:4955
    #9 0xccbed6 in js::DestroyContext(JSContext*, js::DestroyContextMode) js/src/jscntxt.cpp:264

0x62500001bca8 is located 936 bytes inside of 8192-byte region [0x62500001b900,0x62500001d900)
freed by thread T1 (JS GC Helper) here:
    #0 0x460bff in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d44e4 in js_free(void*) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:128
    #2 0x5d44e4 in js::detail::BumpChunk::delete_(js::detail::BumpChunk*) js/src/ds/LifoAlloc.cpp:45
    #3 0x5d44e4 in js::LifoAlloc::freeAll() js/src/ds/LifoAlloc.cpp:66
    #4 0xdb04d3 in js::GCHelperThread::doSweep() js/src/jsgc.cpp:2731
    #5 0xdafa64 in js::GCHelperThread::threadLoop() js/src/jsgc.cpp:2558

previously allocated by thread T0 here:
    #0 0x460e37 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/
    #1 0x5d47b3 in js_malloc(unsigned long) js/src/opt64asan-oom/js/src/../../dist/include/js/Utility.h:105
    #2 0x5d47b3 in js::detail::BumpChunk::new_(unsigned long) js/src/ds/LifoAlloc.cpp:23
    #3 0x5d47b3 in js::LifoAlloc::getOrCreateChunk(unsigned long) js/src/ds/LifoAlloc.cpp:105
    #4 0x926ca1 in js::LifoAlloc::alloc(unsigned long) js/src/ds/LifoAlloc.h:263
    #5 0x926ca1 in js::ExclusiveContext::typeLifoAlloc() js/src/ds/LifoAlloc.h:387
    #6 0x926ca1 in js::types::TypeObject::getProperty(js::ExclusiveContext*, jsid) js/src/jsinferinlines.h:1247
    #7 0xdd6294 in InlineAddTypeProperty(js::ExclusiveContext*, js::types::TypeObject*, jsid, js::types::Type) js/src/jsinfer.cpp:2844:26
    #8 0xe39b4c in js::ThreadSafeContext::asExclusiveContext() const js/src/jsobjinlines.h:612:5
    #9 0xe39b4c in _ZL23UpdateShapeTypeAndValueILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEP8JSObjectPNS0_5ShapeERKN2JS5ValueE js/src/jsobj.cpp:3656
    #10 0xe39084 in _ZL23DefinePropertyOrElementILN2js13ExecutionModeE0EEbNS0_19ExecutionModeTraitsIXT_EE20ExclusiveContextTypeEN2JS6HandleIP8JSObjectEENS6_I4jsidEEPFbP9JSContextS9_SB_NS5_13MutableHandleINS5_5ValueEEEEPFbSD_S9_SB_bSG_EjjNS6_ISF_EEbb js/src/jsobj.cpp:3756
    #11 0xf9cc42 in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5103:16
    #12 0x10cefb6 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.h:1020
    #13 0x10cefb6 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:339

This looks very much like the thing we saw in pwn2own, marking s-s and sec-critical based on that. Jan pointed out that this might have been regressed by bug 988619. Needinfo on Brian based on that :)
Comment 2 User image Brian Hackett (:bhackett) 2014-04-23 11:48:33 PDT
Created attachment 8411227 [details] [diff] [review]

Yes, this was regressed by bug 988619 (man, I suck at writing this OOM handling code).
Comment 3 User image Brian Hackett (:bhackett) 2014-04-24 08:04:36 PDT
Comment 4 User image Liz Henry (:lizzard) (needinfo? me) 2014-04-24 10:50:01 PDT
*** Bug 1000996 has been marked as a duplicate of this bug. ***
Comment 5 User image Daniel Veditz [:dveditz] 2014-04-24 10:59:35 PDT
It looks like we want bug 988619 on Aurora, which means we'll want this one too.
Comment 6 User image Carsten Book [:Tomcat] 2014-04-25 04:29:00 PDT
Comment 7 User image Ryan VanderMeulen [:RyanVM] 2014-04-25 12:53:37 PDT
Bug 988619 was pushed to Aurora with this fix rolled in.
Comment 8 User image Matt Wobensmith [:mwobensmith][:matt:] 2014-06-04 12:53:17 PDT
Confirmed crash on 2014-04-04, Fx30.
Verified fixed on 2014-06-04, Fx30 and Fx31.

Note You need to log in before you can comment on or make changes to this bug.