Closed
Bug 1282783
Opened 8 years ago
Closed 8 years ago
AddressSanitizer: heap-use-after-free [@ void mozilla::PodAssign<unsigned char>] with READ of size 1 with Profiling
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1246680
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision d87b76177b2f (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --thread-count=2):

x = true;
function main() {
    for (var i = 0; i < 500000; x.get++, i++)
        eval("for (var j = 0; j < 50; j++) readSPSProfilingStack();");
}
gczeal(2, 10000);
enableSPSProfilingWithSlowAssertions();
main();

Backtrace:

==14183==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300004a620 at pc 0x00000172dbc3 bp 0x7ffe06847ed0 sp 0x7ffe06847ec8
READ of size 1 at 0x60300004a620 thread T0
#0 0x172dbc2 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*) dist/include/mozilla/PodOperations.h:87:3
#1 0x172dbc2 in void mozilla::PodCopy<unsigned char>(unsigned char*, unsigned char const*, unsigned long) dist/include/mozilla/PodOperations.h:107
#2 0x172dbc2 in JSInlineString* js::NewInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, mozilla::Range<unsigned char const>) js/src/vm/String-inl.h:60
#3 0x172dbc2 in JSFlatString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) js/src/vm/String.cpp:1241
#4 0x19eba9d in JSFlatString* js::NewStringCopyN<(js::AllowGC)1>(js::ExclusiveContext*, char const*, unsigned long) js/src/vm/String.h:1186:12
#5 0x19eba9d in JSFlatString* js::NewStringCopyZ<(js::AllowGC)1>(js::ExclusiveContext*, char const*) js/src/vm/String.h:1206
#6 0x19eba9d in ReadSPSProfilingStack(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:1664
#7 0x153912a in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
#15 0x904d6b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:5955:14
#16 0x7fe6fa437eb3 (<unknown module>)

0x60300004a620 is located 0 bytes inside of 17-byte region [0x60300004a620,0x60300004a631)
freed by thread T0 here:
#0 0x510440 in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
#1 0xbdc16a in js_free(void*) dist/include/js/Utility.h:256:5
#2 0xbdc16a in js::jit::JitcodeGlobalEntry::IonEntry::destroy() js/src/jit/JitcodeMap.cpp:142
#3 0xbdee9f in js::jit::JitcodeGlobalEntry::destroy() js/src/jit/JitcodeMap.h:604:13
#4 0xbdee9f in js::jit::JitcodeGlobalTable::removeEntry(js::jit::JitcodeGlobalEntry&, js::jit::JitcodeGlobalEntry**, JSRuntime*) js/src/jit/JitcodeMap.cpp:560
#5 0xbe0282 in js::jit::JitcodeGlobalTable::releaseEntry(js::jit::JitcodeGlobalEntry&, js::jit::JitcodeGlobalEntry**, JSRuntime*) js/src/jit/JitcodeMap.cpp:574:5
#6 0xbe0282 in js::jit::JitcodeGlobalTable::Enum::removeFront() js/src/jit/JitcodeMap.cpp:432
#7 0xbe0282 in js::jit::JitcodeGlobalTable::sweep(JSRuntime*) js/src/jit/JitcodeMap.cpp:833
#8 0x11668af in js::gc::GCRuntime::beginSweepingZoneGroup(js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5092:13
#9 0x1169daf in js::gc::GCRuntime::beginSweepPhase(bool, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5245:5
#10 0x11711c1 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) js/src/jsgc.cpp:5967:9
#11 0x1172f1f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp:6204:5
#12 0x117446e in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6312:25
#13 0x117c135 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6379:5
#14 0x117c135 in js::gc::GCRuntime::runDebugGC() js/src/jsgc.cpp:6867
#15 0x1aab56c in js::gc::GCRuntime::gcIfNeededPerAllocation(JSContext*) js/src/gc/Allocator.cpp:225:9
#16 0x1ab5bb4 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) js/src/gc/Allocator.cpp:190:14
#17 0x1ab5bb4 in JSFatInlineString* js::Allocate<JSFatInlineString, (js::AllowGC)1>(js::ExclusiveContext*) js/src/gc/Allocator.cpp:139
#18 0x172c5f2 in JSFatInlineString* JSFatInlineString::new_<(js::AllowGC)1>(js::ExclusiveContext*) js/src/vm/String-inl.h:257:12
#19 0x172c5f2 in JSInlineString* js::AllocateInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned long, unsigned char**) js/src/vm/String-inl.h:37
#20 0x172c5f2 in JSInlineString* js::NewInlineString<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, mozilla::Range<unsigned char const>) js/src/vm/String-inl.h:56
#21 0x172c5f2 in JSFlatString* js::NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) js/src/vm/String.cpp:1241
#22 0x19eba9d in JSFlatString* js::NewStringCopyN<(js::AllowGC)1>(js::ExclusiveContext*, char const*, unsigned long) js/src/vm/String.h:1186:12
#23 0x19eba9d in JSFlatString* js::NewStringCopyZ<(js::AllowGC)1>(js::ExclusiveContext*, char const*) js/src/vm/String.h:1206
#24 0x19eba9d in ReadSPSProfilingStack(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:1664
#25 0x153912a in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:232:15
[...]
#36 0x7fe6fa42f829 (<unknown module>)

previously allocated by thread T0 here:
#0 0x510788 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
#1 0x59e8db in js_malloc(unsigned long) dist/include/js/Utility.h:228:12
#2 0x59e8db in char* js_pod_malloc<char>(unsigned long) dist/include/js/Utility.h:419
#3 0x59e8db in char* js::MallocProvider<js::ExclusiveContext>::maybe_pod_malloc<char>(unsigned long) js/src/vm/MallocProvider.h:57
#4 0x59e8db in char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<char>(unsigned long) js/src/vm/MallocProvider.h:90
#5 0xbdd081 in js::jit::JitcodeGlobalEntry::createScriptString(JSContext*, JSScript*, unsigned long*) js/src/jit/JitcodeMap.cpp:356:17
#6 0xbe3a22 in js::jit::JitcodeIonTable::makeIonEntry(JSContext*, js::jit::JitCode*, unsigned int, JSScript**, js::jit::JitcodeGlobalEntry::IonEntry&) js/src/jit/JitcodeMap.cpp:1461:21
#7 0xa0bb8a in js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) js/src/jit/CodeGenerator.cpp:9252:14
#8 0xb9e296 in LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) js/src/jit/Ion.cpp:515:10
#9 0xa74dd5 in LinkBackgroundCodeGen(JSContext*, js::jit::IonBuilder*) js/src/jit/Ion.cpp:535:12
#10 0xa74dd5 in js::jit::LazyLink(JSContext*, JS::Handle<JSScript*>) js/src/jit/Ion.cpp:557
#11 0xa9a1e1 in BaselineCanEnterAtBranch(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2600:9
#12 0xa9a1e1 in js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) js/src/jit/Ion.cpp:2677
#13 0x8aa6aa in js::jit::DoWarmUpCounterFallbackOSR(JSContext*, js::jit::BaselineFrame*, js::jit::ICWarmUpCounter_Fallback*, js::jit::IonOsrTempData**) js/src/jit/BaselineIC.cpp:142:10
#14 0x7fe6fa43881d (<unknown module>)
#15 0x6210002c783f (<unknown module>)
#16 0x7fe6fa42f829 (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free dist/include/mozilla/PodOperations.h:87:3 in void mozilla::PodAssign<unsigned char>(unsigned char*, unsigned char const*)
Shadow bytes around the buggy address:
  0x0c06800014b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
=>0x0c06800014c0: fd fa fa fa[fd]fd fd fa fa fa fd fd fd fa fa fa
  0x0c06800014d0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Freed heap region:     fd
==14183==ABORTING

Marking s-s because use-after-free is bad.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 2•8 years ago
I'll mark this sec-high because it requires the profiler. The use is in some shell-only function.
Updated•8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 3•8 years ago
Could you look at this, Kannan? It seems like it is probably just a bug in shell code, but it would be nice to confirm that. Thanks.
Flags: needinfo?(kvijayan)
Comment 4•8 years ago
This is the same problem as bug 1246680. Not a serious problem - IMHO a sec-moderate if any. The bug exists only in the ReadSPSProfilingStack testing function: it should check to see if sampling has been suppressed, but it doesn't.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kvijayan)
Resolution: --- → DUPLICATE
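A simplified model of the defect Kannan describes, added here as an illustration and not taken from SpiderMonkey: the reader of the profiler pseudo-stack must honor the sampling-suppression flag before copying labels, because the jitcode table sweep frees those label strings while sampling is suppressed. JitcodeEntry, Runtime, pushFrame, sweepJitcodeTable and readProfilingStack are hypothetical stand-ins for the real structures.

```cpp
// Model of the bug (added illustration, not SpiderMonkey code): pseudo-stack
// labels are raw pointers into strings owned by a jitcode table; the GC sweep
// frees unmarked entries with sampling suppressed, so a reader that ignores
// the suppression flag copies from freed memory. All names are hypothetical.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct JitcodeEntry {
    std::unique_ptr<char[]> label;  // heap string, like IonEntry's script string
    bool marked = false;            // survives the sweep only if marked
};

struct Runtime {
    std::vector<std::unique_ptr<JitcodeEntry>> table;  // JitcodeGlobalTable model
    std::vector<const char*> profilingStack;           // raw pointers to table labels
    bool samplingSuppressed = false;                   // set for the sweep's duration
};

// Register a JIT entry and push its label pointer onto the pseudo-stack.
void pushFrame(Runtime& rt, const std::string& name, bool marked) {
    auto e = std::make_unique<JitcodeEntry>();
    e->label.reset(new char[name.size() + 1]);
    std::copy(name.c_str(), name.c_str() + name.size() + 1, e->label.get());
    e->marked = marked;
    rt.profilingStack.push_back(e->label.get());
    rt.table.push_back(std::move(e));
}

// Sweep: suppress sampling, then free every unmarked entry. Pseudo-stack
// pointers to freed labels now dangle; suppression stays set in this model.
void sweepJitcodeTable(Runtime& rt) {
    rt.samplingSuppressed = true;
    auto& t = rt.table;
    t.erase(std::remove_if(t.begin(), t.end(),
            [](const std::unique_ptr<JitcodeEntry>& e) { return !e->marked; }), t.end());
}

// Hardened reader: the check the bug says ReadSPSProfilingStack lacked. While
// sampling is suppressed it copies nothing instead of dereferencing freed labels.
bool readProfilingStack(const Runtime& rt, std::vector<std::string>& out) {
    out.clear();
    if (rt.samplingSuppressed) return false;
    for (const char* label : rt.profilingStack) out.emplace_back(label);
    return true;
}
```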
Comment 5•8 years ago
Clearing affected for 50 since the dupe is tracked there.
status-firefox50:
affected → ---