Closed Bug 1282783 Opened 8 years ago Closed 8 years ago

AddressSanitizer: heap-use-after-free [@ void mozilla::PodAssign<unsigned char>] with READ of size 1 with Profiling

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1246680

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision d87b76177b2f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --thread-count=2):

x = true;
function main() {
    // Hot loop: each eval() re-enters the JIT while readSPSProfilingStack()
    // (a shell-only testing function) walks the profiler stack 50 times per iteration.
    for (var i = 0; i < 500000; x.get++, i++)
        eval("for (var j = 0; j < 50; j++) readSPSProfilingStack();");
}
gczeal(2, 10000);                       // shell-only: GC zeal mode 2, period 10000
enableSPSProfilingWithSlowAssertions(); // shell-only: turn on SPS profiling
main();



Backtrace:

==14183==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004a620 at pc 0x00000172dbc3 bp 0x7ffe06847ed0 sp 0x7ffe06847ec8
READ of size 1 at 0x60300004a620 thread T0
    #0 0x172dbc2 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*) dist/include/mozilla/PodOperations.h:87:3
    #1 0x172dbc2 in void mozilla::PodCopy<unsigned char>(unsigned char*, unsigned char const*, unsigned long) dist/include/mozilla/PodOperations.h:107
    #2 0x172dbc2 in JSInlineString* js::NewInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, mozilla::Range<unsigned char const>) js/src/vm/String-inl.h:60
    #3 0x172dbc2 in JSFlatString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) js/src/vm/String.cpp:1241
    #4 0x19eba9d in JSFlatString* js::NewStringCopyN<(js::AllowGC)1>(js::ExclusiveContext*, char const*, unsigned long) js/src/vm/String.h:1186:12
    #5 0x19eba9d in JSFlatString* js::NewStringCopyZ<(js::AllowGC)1>(js::ExclusiveContext*, char const*) js/src/vm/String.h:1206
    #6 0x19eba9d in ReadSPSProfilingStack(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:1664
    #7 0x153912a in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
    #15 0x904d6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:5955:14
    #16 0x7fe6fa437eb3  (<unknown module>)

0x60300004a620 is located 0 bytes inside of 17-byte region [0x60300004a620,0x60300004a631)
freed by thread T0 here:
    #0 0x510440 in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0xbdc16a in js_free(void*) dist/include/js/Utility.h:256:5
    #2 0xbdc16a in js::jit::JitcodeGlobalEntry::IonEntry::destroy() js/src/jit/JitcodeMap.cpp:142
    #3 0xbdee9f in js::jit::JitcodeGlobalEntry::destroy() js/src/jit/JitcodeMap.h:604:13
    #4 0xbdee9f in js::jit::JitcodeGlobalTable::removeEntry(js::jit::JitcodeGlobalEntry&, js::jit::JitcodeGlobalEntry**, JSRuntime*) js/src/jit/JitcodeMap.cpp:560
    #5 0xbe0282 in js::jit::JitcodeGlobalTable::releaseEntry(js::jit::JitcodeGlobalEntry&, js::jit::JitcodeGlobalEntry**, JSRuntime*) js/src/jit/JitcodeMap.cpp:574:5
    #6 0xbe0282 in js::jit::JitcodeGlobalTable::Enum::removeFront() js/src/jit/JitcodeMap.cpp:432
    #7 0xbe0282 in js::jit::JitcodeGlobalTable::sweep(JSRuntime*) js/src/jit/JitcodeMap.cpp:833
    #8 0x11668af in js::gc::GCRuntime::beginSweepingZoneGroup(js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5092:13
    #9 0x1169daf in js::gc::GCRuntime::beginSweepPhase(bool, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5245:5
    #10 0x11711c1 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5967:9
    #11 0x1172f1f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp:6204:5
    #12 0x117446e in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6312:25
    #13 0x117c135 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6379:5
    #14 0x117c135 in js::gc::GCRuntime::runDebugGC() js/src/jsgc.cpp:6867
    #15 0x1aab56c in js::gc::GCRuntime::gcIfNeededPerAllocation(JSContext*) js/src/gc/Allocator.cpp:225:9
    #16 0x1ab5bb4 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) js/src/gc/Allocator.cpp:190:14
    #17 0x1ab5bb4 in JSFatInlineString* js::Allocate<JSFatInlineString, (js::AllowGC)1>(js::ExclusiveContext*) js/src/gc/Allocator.cpp:139
    #18 0x172c5f2 in JSFatInlineString* JSFatInlineString::new_<(js::AllowGC)1>(js::ExclusiveContext*) js/src/vm/String-inl.h:257:12
    #19 0x172c5f2 in JSInlineString* js::AllocateInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned long, unsigned char**) js/src/vm/String-inl.h:37
    #20 0x172c5f2 in JSInlineString* js::NewInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, mozilla::Range<unsigned char const>) js/src/vm/String-inl.h:56
    #21 0x172c5f2 in JSFlatString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) js/src/vm/String.cpp:1241
    #22 0x19eba9d in JSFlatString* js::NewStringCopyN<(js::AllowGC)1>(js::ExclusiveContext*, char const*, unsigned long) js/src/vm/String.h:1186:12
    #23 0x19eba9d in JSFlatString* js::NewStringCopyZ<(js::AllowGC)1>(js::ExclusiveContext*, char const*) js/src/vm/String.h:1206
    #24 0x19eba9d in ReadSPSProfilingStack(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:1664
    #25 0x153912a in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
    #36 0x7fe6fa42f829  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x510788 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x59e8db in js_malloc(unsigned long) dist/include/js/Utility.h:228:12
    #2 0x59e8db in char* js_pod_malloc<char>(unsigned long) dist/include/js/Utility.h:419
    #3 0x59e8db in char* js::MallocProvider<js::ExclusiveContext>::maybe_pod_malloc<char>(unsigned long) js/src/vm/MallocProvider.h:57
    #4 0x59e8db in char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<char>(unsigned long) js/src/vm/MallocProvider.h:90
    #5 0xbdd081 in js::jit::JitcodeGlobalEntry::createScriptString(JSContext*, JSScript*, unsigned long*) js/src/jit/JitcodeMap.cpp:356:17
    #6 0xbe3a22 in js::jit::JitcodeIonTable::makeIonEntry(JSContext*, js::jit::JitCode*, unsigned int, JSScript**, js::jit::JitcodeGlobalEntry::IonEntry&) js/src/jit/JitcodeMap.cpp:1461:21
    #7 0xa0bb8a in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) js/src/jit/CodeGenerator.cpp:9252:14
    #8 0xb9e296 in LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) js/src/jit/Ion.cpp:515:10
    #9 0xa74dd5 in LinkBackgroundCodeGen(JSContext*, js::jit::IonBuilder*) js/src/jit/Ion.cpp:535:12
    #10 0xa74dd5 in js::jit::LazyLink(JSContext*, JS::Handle<JSScript*>) js/src/jit/Ion.cpp:557
    #11 0xa9a1e1 in BaselineCanEnterAtBranch(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2600:9
    #12 0xa9a1e1 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2677
    #13 0x8aa6aa in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) js/src/jit/BaselineIC.cpp:142:10
    #14 0x7fe6fa43881d  (<unknown module>)
    #15 0x6210002c783f  (<unknown module>)
    #16 0x7fe6fa42f829  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free dist/include/mozilla/PodOperations.h:87:3 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*)
Shadow bytes around the buggy address:
  0x0c06800014b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
=>0x0c06800014c0: fd fa fa fa[fd]fd fd fa fa fa fd fd fd fa fa fa
  0x0c06800014d0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
==14183==ABORTING


Marking s-s because use-after-free is bad.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I'll mark this sec-high because it requires the profiler. The use is in some shell-only function.
Keywords: sec-high
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Could you look at this, Kannan? It seems like it is probably just a bug in shell code but it would be nice to confirm that. Thanks.
Flags: needinfo?(kvijayan)
This is the same problem as bug 1246680.  Not a serious problem - IMHO a sec-moderate if any.  The bug exists only in the ReadSPSProfilingStack testing function: it should check to see if sampling has been suppressed, but it doesn't.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → DUPLICATE
Group: javascript-core-security
Keywords: sec-high
Clearing affected for 50 since the dupe is tracked there.
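The order of events the two stacks above record is: ReadSPSProfilingStack takes the raw script-string pointer out of the JitcodeGlobalTable entry and passes it to NewStringCopyZ; the JSFatInlineString allocation inside that call runs a zeal GC (checkAllocatorState -> runDebugGC); the GC sweeps the JitcodeGlobalTable and frees the entry's string; PodCopy then reads the freed bytes. The C program below is an added model of that chain, not SpiderMonkey code: `table`, `sweep_table`, `alloc_string` and `new_string_copy` are stand-ins for the JitcodeGlobalTable, its sweep(), js::Allocate and NewStringCopyZ, and a tiny bump heap with ASan-style shadow bytes (`fa` redzone, `fd` freed, as in the legend above) makes the stale read reportable instead of undefined. `read_stack_checked` shows one hardening: it honours a sampling-suppressed flag, as the diagnosis above asks, and copies the bytes it needs before any allocation that could trigger a sweep. The flag semantics, the copy-before-allocate step and the script string "main (testcase.js:2)" are assumptions of this model, not the fix that landed in bug 1246680.

```c
/* Added model of the UAF chain in this report; not SpiderMonkey code. A bump heap
 * with ASan-style shadow bytes reports the stale load instead of leaving it undefined. */
#include <string.h>

#define HEAP_SIZE      256
#define TABLE_SIZE     4
#define SHADOW_OK      0x00   /* addressable */
#define SHADOW_REDZONE 0xfa   /* never allocated ("fa" in the ASan legend) */
#define SHADOW_FREED   0xfd   /* freed heap region ("fd" in the ASan legend) */
enum { ERR_OOM = -1, ERR_UAF = -2, ERR_SUPPRESSED = -3 };

static unsigned char heap[HEAP_SIZE], shadow[HEAP_SIZE]; /* one shadow byte per heap byte */
static size_t heap_top;
struct entry { int str_off; size_t str_len; int live; };  /* str_off < 0: empty slot */
/* table ~ JitcodeGlobalTable; sampling_suppressed is set while the GC mutates it;
 * allocs_until_gc plays the role of gczeal(). */
struct runtime { struct entry table[TABLE_SIZE]; int sampling_suppressed; int allocs_until_gc; };
/* Freed memory is never reused, so a stale pointer always meets "fd". */
static int checked_malloc(size_t n) {
    if (heap_top + n > HEAP_SIZE) return ERR_OOM;
    int off = (int)heap_top;
    memset(shadow + off, SHADOW_OK, n);
    heap_top += n;
    return off;
}
static void checked_free(int off, size_t n) { memset(shadow + off, SHADOW_FREED, n); }
/* Every load checks its shadow byte, as ASan instruments the PodAssign load. */
static int checked_read(int off, unsigned char *out) {
    if (off < 0 || off >= HEAP_SIZE || shadow[off] != SHADOW_OK) return ERR_UAF;
    *out = heap[off]; return 0;
}
static void runtime_init(struct runtime *rt, int gc_after) {
    memset(shadow, SHADOW_REDZONE, sizeof shadow);
    heap_top = 0;
    for (int i = 0; i < TABLE_SIZE; i++) rt->table[i].str_off = -1;
    rt->sampling_suppressed = 0; rt->allocs_until_gc = gc_after;
}
/* Like createScriptString(): the table owns a malloc'd copy of the script name. */
static int table_add(struct runtime *rt, int idx, const char *name) {
    size_t len = strlen(name) + 1;
    int off = checked_malloc(len);
    if (off < 0) return off;
    memcpy(heap + off, name, len);
    rt->table[idx] = (struct entry){ off, len, 1 };
    return off;
}
/* Like JitcodeGlobalTable::sweep(): the strings of dead entries are freed. */
static void sweep_table(struct runtime *rt) {
    rt->sampling_suppressed = 1;
    for (int i = 0; i < TABLE_SIZE; i++) {
        struct entry *e = &rt->table[i];
        if (e->str_off >= 0 && !e->live) { checked_free(e->str_off, e->str_len); e->str_off = -1; }
    }
    rt->sampling_suppressed = 0;
}
/* Like js::Allocate<JSFatInlineString>: a zeal GC runs before the new string exists. */
static int alloc_string(struct runtime *rt, size_t len) {
    if (--rt->allocs_until_gc == 0) sweep_table(rt);
    return checked_malloc(len);
}
/* Like NewStringCopyZ(cx, p): allocate, then PodCopy from p. If the GC inside
 * alloc_string() freed p, that copy reads freed bytes: the reported crash. */
static int new_string_copy(struct runtime *rt, int src_off, size_t len) {
    int dst = alloc_string(rt, len);
    if (dst < 0) return dst;
    for (size_t i = 0; i < len; i++) {
        unsigned char c;
        if (checked_read(src_off + (int)i, &c) < 0) return ERR_UAF;
        heap[dst + i] = c;
    }
    return dst;
}
/* Vulnerable reader, as ReadSPSProfilingStack: raw table pointer into an allocating copy. */
static int read_stack_unchecked(struct runtime *rt, int idx) {
    return new_string_copy(rt, rt->table[idx].str_off, rt->table[idx].str_len);
}
/* Hardened reader (an assumption of this model, not the fix in bug 1246680): honour the
 * suppression flag, and copy the bytes before any allocation that could sweep the source. */
static int read_stack_checked(struct runtime *rt, int idx) {
    struct entry *e = &rt->table[idx];
    unsigned char local[HEAP_SIZE];
    if (rt->sampling_suppressed || e->str_off < 0) return ERR_SUPPRESSED;
    for (size_t i = 0; i < e->str_len; i++)
        if (checked_read(e->str_off + (int)i, &local[i]) < 0) return ERR_UAF;
    int dst = alloc_string(rt, e->str_len);   /* may sweep the table; local survives */
    if (dst < 0) return dst;
    memcpy(heap + dst, local, e->str_len);
    return dst;
}
/* The report's order of events: the entry's JIT code is discarded, then the very next
 * allocation (zeal) sweeps it. mode 0: vulnerable; 1: hardened; 2: hardened while suppressed. */
static int scenario(int mode) {
    struct runtime rt; runtime_init(&rt, 1);
    table_add(&rt, 0, "main (testcase.js:2)");   /* constructed script string */
    rt.table[0].live = 0;
    if (mode == 2) rt.sampling_suppressed = 1;
    return mode == 0 ? read_stack_unchecked(&rt, 0) : read_stack_checked(&rt, 0);
}
```

`scenario(0)` returns `ERR_UAF` on the first byte of the copy, which is the "READ of size 1" at offset 0 of the freed region that ASan reports above; `scenario(1)` returns the heap offset of a valid copy because the bytes were taken before the sweep could run; `scenario(2)` refuses to sample at all. Freed memory is deliberately never reused by the model heap, which is what ASan's quarantine provides in the real build and why the report shows `fd` rather than a silently reallocated block.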