Closed Bug 1278832 Opened 8 years ago Closed 8 years ago

Crash [@ js::PreliminaryObjectArray::sweep] and various other signatures through [@ js::ObjectGroup::sweep] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla50
Tracking Status
firefox48 --- unaffected
firefox49 + verified
firefox-esr45 --- unaffected
firefox50 + verified

People

(Reporter: decoder, Assigned: jonco)

References

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision ec20b463c04f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

function assertThrowsInstanceOf() {}
gczeal(15)
try {
    gczeal(10, 2)
} catch (Atomics) {}
for (define of[__defineSetter__]) {
    let nonCallable = [{}]
    for (let value of nonCallable) assertThrowsInstanceOf(TypeError)
    key = {
        [Symbol]() {}
    }
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
js::PreliminaryObjectArray::sweep (this=<optimized out>) at js/src/vm/TypeInference.cpp:3408
#0  js::PreliminaryObjectArray::sweep (this=<optimized out>) at js/src/vm/TypeInference.cpp:3408
#1  0x0000000000b61f88 in js::ObjectGroup::sweep (this=this@entry=0x7ffff7e9e0a0, oom=oom@entry=0x7fffffffd050) at js/src/vm/TypeInference.cpp:4215
#2  0x000000000092505b in js::ObjectGroup::maybeSweep (oom=0x7fffffffd050, this=0x7ffff7e9e0a0) at js/src/vm/ObjectGroup-inl.h:26
#3  SweepThing (oom=0x7fffffffd050, group=<optimized out>) at js/src/jsgc.cpp:5261
#4  SweepArenaList<js::ObjectGroup, js::AutoClearTypeInferenceStateOnOOM*> (sliceBudget=..., arenasToSweep=<optimized out>) at js/src/jsgc.cpp:5270
#5  js::gc::GCRuntime::sweepPhase (this=this@entry=0x7ffff6965440, sliceBudget=..., lock=...) at js/src/jsgc.cpp:5315
#6  0x000000000092eefe in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff6965440, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, lock=...) at js/src/jsgc.cpp:5948
#7  0x0000000000930153 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6965440, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6171
#8  0x00000000009306e8 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6965440, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6279
#9  0x0000000000930913 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff6965440, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6339
#10 0x00000000008d76ac in js::DestroyContext (cx=0x7ffff691ac00, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:184
#11 0x000000000048c2cb in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7431
rax	0xfffe4b4b4b4b4b4b	-480163195565237
rbx	0x7ffff6937a88	140737330248328
rcx	0xe850	59472
rdx	0x10001	65537
rsi	0x1	1
rdi	0x0	0
rbp	0x7fffffffcf20	140737488342816
rsp	0x7fffffffcef0	140737488342768
r8	0x1f	31
r9	0x7ffff52dc2b8	140737306804920
r10	0x40	64
r11	0x7ffff52014e8	140737305908456
r12	0x1	1
r13	0x7ffff7e74280	140737352516224
r14	0x7ffff6998000	140737330642944
r15	0x7ffff7e9e0a0	140737352687776
rip	0xb52ca1 <js::PreliminaryObjectArray::sweep()+65>
=> 0xb52ca1 <js::PreliminaryObjectArray::sweep()+65>:	mov    0x10(%rax),%rdx
   0xb52ca5 <js::PreliminaryObjectArray::sweep()+69>:	mov    0x50(%rdx),%rdi

This and other crashes with similar signatures all show signs of use-after-free so marking s-s and sec-critical. Also marking as fuzzblocker because the amount of GC-related signatures I'm seeing is exploding.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/69ea294ab4b6
user:        Jon Coppeard
date:        Mon May 16 14:23:09 2016 +0100
summary:     Bug 1272604 - Add a zeal mode to check the heap after a moving GC r=terrence

This iteration took 0.936 seconds to run.
Jon, could you look at this? Thanks. Presumably this is an existing issue that the new zeal mode detected.
Flags: needinfo?(jcoppeard)
Oh this is my fault.  The way the heap tracing zeal works breaks IsAboutToBeFinalized because it happens while the heap is in the minor collecting state.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Make sure the heap tracing happens with the heap in the trace state so as not to confuse IsAboutToBeFinalized.
Attachment #8762073 - Flags: review?(terrence)
Attachment #8762073 - Flags: review?(terrence) → review+
Not s-s because it's caused by GC zeal.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/68b7b99fa063
Make sure heap check zeal mode traces the heap outside of a GC r=terrence
https://hg.mozilla.org/mozilla-central/rev/68b7b99fa063
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Please also nominate this for mozilla-aurora. It would fix *sweep* crashes when fuzzing on aurora as well.
Flags: needinfo?(jcoppeard)
Comment on attachment 8762073 [details] [diff] [review]
bug1278832-trace-heap-outside-minor-gc

Approval Request Comment
[Feature/regressing bug #]: Bug 1272604
[User impact if declined]: None, requested by fuzzers.
[Describe test coverage new/current, TreeHerder]: On m-c for last three days.
[Risks and why]: Low
[String/UUID change made/needed]: None
Flags: needinfo?(jcoppeard)
Attachment #8762073 - Flags: approval-mozilla-aurora?
Comment on attachment 8762073 [details] [diff] [review]
bug1278832-trace-heap-outside-minor-gc

Crash fix for regression from 49, ok to uplift.
Attachment #8762073 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
JSBugMon: This bug has been automatically verified fixed on Fx49
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #15)
Anything showing up on crashstats is a different bug, since this one required gczeal(15) to trigger and that's not present in release builds of Firefox.

I guess these should be tracked through bug 1212356.
See Also: → CVE-2016-5255