Closed Bug 1122199 Opened 9 years ago Closed 9 years ago

Crash [@ JSScript::code]

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Severity: critical
Priority: Not set
Status: RESOLVED FIXED
Tracking Status: firefox37 --- affected
People: Reporter: decoder, Unassigned
Keywords: crash, regression, testcase
Whiteboard: [jsbugmon:update]

Crash Data

The following testcase crashes on mozilla-central revision c1f6345f2803 (build with --enable-gczeal --enable-optimize="-O2 -g" --enable-address-sanitizer --enable-posix-nspr-emulation --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking --ion-offthread-compile=off --ion-eager):

function compareIAndSet(v) {}
function compareIAndBranch(v) {
    var res = 0;
    var c = 1;
    var i = 0;
    function objectType ( e )  {
            var v2 = c.apply(this, arguments);
        }  
    i++;
    if (v >= 2)
        res |= (c << i);
    if (v <  3)
    if (v <= 4)
        res |= (c << i);
    if (v == 5)
        res |= (c << i);
        res |= (c << i);
    return res;
}
var expected = [
  compareIAndBranch(4),
  compareIAndBranch(5),
];



Backtrace:

==1911==ERROR: AddressSanitizer: SEGV on unknown address 0x02007f95dff7 (pc 0x000000bf048c sp 0x7fffe597cb00 bp 0x7fffe597cb10 T0)
    #0 0xbf048b in JSScript::code() const js/src/jsscript.h:1056
    #1 0xbf048b in js::jit::BaselineFrame::script() const js/src/jsscript.h:1078
    #2 0xbf048b in js::jit::BaselineFrame::overridePc() const js/src/jit/BaselineFrame.h:352
    #3 0xbf048b in js::jit::JitFrameIterator::baselineFrame() const js/src/jit/BaselineFrame.h:357
    #4 0xbf048b in js::jit::JitFrameIterator::baselineScriptAndPc(JSScript**, unsigned char**) const js/src/jit/JitFrames.cpp:221
    #5 0xbfa5b6 in js::jit::GetPcScript(JSContext*, JSScript**, unsigned char**) js/src/jit/JitFrames.cpp:1506
    #6 0xf2670b in JSContext::currentScript(unsigned char**, JSContext::MaybeAllowCrossCompartment) const js/src/jscntxtinlines.h:462
    #7 0xf2670b in JSContext::findVersion() const js/src/jscntxt.cpp:1201
    #8 0xf4c582 in JS::CompileOptions::CompileOptions(JSContext*, JSVersion) js/src/jsapi.cpp:4003
    #9 0x1112806 in js::CloneScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::Handle<JSScript*>, js::NewObjectKind) js/src/jsscript.cpp:3080
    #10 0x1117202 in js::CloneFunctionScript(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSFunction*>, js::NewObjectKind) js/src/jsscript.cpp:3177
    #11 0xf695a1 in js::CloneFunctionObject(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::gc::AllocKind, js::NewObjectKind) js/src/jsfun.cpp:2097
    #12 0x13ae2b0 in js::CloneFunctionObjectIfNotSingleton(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, js::NewObjectKind) js/src/jsfuninlines.h:85
    #13 0x136c3ca in js::Lambda(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>) js/src/vm/Interpreter.cpp:3645:28
    #14 0xdb3fbe in js::jit::RLambda::recover(JSContext*, js::jit::SnapshotIterator&) const js/src/jit/Recover.cpp:1239
    #15 0xbfe5bc in js::jit::SnapshotIterator::computeInstructionResults(JSContext*, js::jit::RInstructionResults*) const js/src/jit/JitFrames.cpp:2082
    #16 0xbfd4ae in js::jit::SnapshotIterator::initInstructionResults(js::jit::MaybeReadFallback&) js/src/jit/JitFrames.cpp:2036
    #17 0x859ac8 in SnapshotIteratorForBailout::init(JSContext*) js/src/jit/BaselineBailouts.cpp:419
    #18 0x859ac8 in js::jit::BailoutIonToBaseline(JSContext*, js::jit::JitActivation*, js::jit::JitFrameIterator&, bool, js::jit::BaselineBailoutInfo**, js::jit::ExceptionBailoutInfo const*, bool*) js/src/jit/BaselineBailouts.cpp:1465
    #19 0x858edb in js::jit::Bailout(js::jit::BailoutStack*, js::jit::BaselineBailoutInfo**) js/src/jit/Bailouts.cpp:53

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/jsscript.h:1056 JSScript::code() const
==1911==ABORTING
ASAN:SIGSEGV
=================================================================


The crash only occurs in ASan for me, and it is intermittent. I guess there is some form of memory corruption going on somewhere and it just coincidentally doesn't crash on the normal builds. Marking s-s because the crash address looks unhealthy.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/7584b643e7e9
user:        Shu-yu Guo
date:        Wed Jan 07 01:18:42 2015 -0800
summary:     Bug 1118038 - Remove JIT parts of PJS. (r=lth)

This iteration took 280.375 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision cc1cfd6f4ca8).
I have no idea why the removal of PJS would be faulty here; this looks more like the ASan version of Bug 1118911.
The bisection is probably wrong because the bug was reproducing intermittently. But now it doesn't reproduce anymore at all, so it might be fixed by bug 1118911. Would that mean that bug 1118911 is a security bug?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Christian Holler (:decoder) from comment #4)
> The bisection is probably wrong because the bug was reproducing
> intermittently. But now it doesn't reproduce anymore at all, so it might be
> fixed by bug 1118911. Would that mean that bug 1118911 is a security bug?

Yes, it was taking a path which was unexpected and doing pointer arith with a potentially uninitialized value, but the context under which the function is called only looked for information which remained correct.  So I do not expect it to be exploitable, nor to be useful in making any exploit.  But to be safe, we should backport at least to 37, and to be even safer, to 36.
Flags: needinfo?(nicolas.b.pierron)
Opening up after discussing with nbp that this is not exploitable.
Group: core-security
Bug 1118911 got backported till 36, fwiw.

Assuming fixed by bug 1118911.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]