Closed
Bug 1128490
Opened 10 years ago
Closed 10 years ago
Crash [@ compartment] with use-after-free
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target milestone: mozilla38
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | unaffected |
| firefox37 | --- | unaffected |
| firefox38 | + | verified |
| firefox39 | --- | verified |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | fixed |
People: Reporter: decoder, Assigned: bhackett1024
Details: 5 keywords, Whiteboard: [jsbugmon:update]
Attachments (1 file):
5.70 KB, patch (jandem: review+)
The following testcase crashes on mozilla-central revision 940118b1adcd (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-regalloc=backtracking):
```js
for (var i = 0; i < 1000; ++i)
  (function() {
    var isNotEmpty = function (obj) {
      for (var foo = 0 ; i < arguments.length; (function ( ) { } ) [ 0 ] ++) {
        var o = arguments[i];
      }
    };
    isNotEmpty([1]);
  })();
```
Backtrace:

```text
Program received signal SIGSEGV, Segmentation fault.
compartment (this=0x7ffff57000e0) at js/src/jit/shared/MoveEmitter-x86-shared.cpp:510
510 }
#0 compartment (this=0x7ffff57000e0) at js/src/jit/shared/MoveEmitter-x86-shared.cpp:510
#1 js::jit::AssertValidObjectPtr (cx=0x1a1cb70, obj=0x7ffff57000e0) at js/src/jit/VMFunctions.cpp:1177
#2 0x00007ffff55f2415 in ?? ()
#3 0x00007fffffffc560 in ?? ()
#4 0x00007fffffffc4f0 in ?? ()
#5 0xfffc7ffff57000e0 in ?? ()
#6 0x7ff8000000000000 in ?? ()
#7 0x3ff0000000000000 in ?? ()
#8 0x0000000000000000 in ?? ()
rax 0x2b2b2b2b2b2b2b2b 3110627432037296939
rbx 0x7ffff57000e0 140737311146208
rcx 0xfffbffffffffffff -1125899906842625
rdx 0x0 0
rsi 0x7ffff57000e0 140737311146208
rdi 0x1a1cb70 27380592
rbp 0x7fffffffc4d0 140737488340176
rsp 0x7fffffffc4b0 140737488340144
r8 0x7ff8000000000000 9221120237041090560
r9 0x7ffff5700000 140737311145984
r10 0x7fffffffc1c0 140737488339392
r11 0x7fffffffc380 140737488339840
r12 0x1a1cb70 27380592
r13 0x1a908d8 27855064
r14 0x7ffff575f100 140737311535360
r15 0x0 0
rip 0x978baa <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+42>
=> 0x978baa <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+42>: mov (%rax),%rax
0x978bad <js::jit::AssertValidObjectPtr(JSContext*, JSObject*)+45>: mov (%rdi),%rdi
```
This is likely a use-after-free according to the crash pattern (GGC nursery poison pattern).
Updated by Reporter, 10 years ago:
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 by Reporter, 10 years ago:
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/629c8aac3ece
user: Brian Hackett
date: Fri Jan 23 12:42:34 2015 -0700
summary: Bug 934502 - Remove unnecessary pushedArgumentSlots, track argument slots explicitly in safepoints, r=jandem.
This iteration took 307.626 seconds to run.
Updated, 10 years ago:
Group: javascript-core-security
Updated, 10 years ago:
status-firefox37: --- → unaffected
status-firefox-esr31: --- → unaffected
tracking-firefox38: --- → +
Updated by Assignee, 10 years ago:
Flags: needinfo?(bhackett1024)
Comment 2 by Assignee, 10 years ago:
If a frame uses lazy arguments then its formals are not marked as aliased (like I thought), but Ion uses special instructions to access the frame arguments directly. In this case marking the Ion frame needs to mark the formals as well as the actuals, and we need to be sure that the backtracking allocator doesn't spill other vregs to argument slots.
Flags: needinfo?(bhackett1024)
Attachment #8562186 -
Flags: review?(jdemooij)
Updated, 10 years ago:
Attachment #8562186 -
Flags: review?(jdemooij) → review+
Comment 3 by Assignee, 10 years ago:
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/6f42cfe37f5c for spidermonkey errors:
https://treeherder.mozilla.org/logviewer.html#?job_id=6476130&repo=mozilla-inbound
Flags: needinfo?(bhackett1024)
Looks like some xpcshell failures, too: https://treeherder.mozilla.org/logviewer.html#?job_id=6478295&repo=mozilla-inbound
Comment 6 by Assignee, 10 years ago:
Whoops, the script for a MIR graph can be null of course.
https://hg.mozilla.org/integration/mozilla-inbound/rev/141b3ae089e9
Updated by Assignee, 10 years ago:
Flags: needinfo?(bhackett1024)
Comment 7, 10 years ago:
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Updated, 10 years ago:
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → fixed
status-firefox36: --- → unaffected
Updated, 10 years ago:
Group: javascript-core-security
Updated, 10 years ago:
Group: core-security
Comment 8 by Reporter, 10 years ago:
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx38
Updated, 8 years ago:
Keywords: csectype-uaf