Closed
Bug 1296249
Opened 8 years ago
Closed 8 years ago
Assertion failure: nbytes > 0, at js/src/gc/Nursery.cpp:357
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | unaffected |
| firefox49 | --- | unaffected |
| firefox-esr45 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | + | verified |
| firefox52 | + | verified |
People
(Reporter: gkw, Assigned: sandervv)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 3 obsolete files)
|
29.69 KB,
text/plain
|
Details | |
|
3.49 KB,
patch
|
jandem
:
review+
gchang
:
approval-mozilla-aurora+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 97a52326b06a (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
function f(x) {
new Int32Array(x);
}
f(0);
f(2147483647);
Backtrace:
0 js-dbg-64-dm-clang-darwin-97a52326b06a 0x0000000110610220 js::Nursery::allocateBuffer(JSObject*, unsigned int) + 256 (Nursery.cpp:357)
1 js-dbg-64-dm-clang-darwin-97a52326b06a 0x000000010fef08f7 AllocateObjectBufferWithInit(JSContext*, js::TypedArrayObject*, int) + 359 (MacroAssembler.cpp:1063)
2 ??? 0x0000000112163ebb 0 + 4598415035
3 js-dbg-64-dm-clang-darwin-97a52326b06a 0x000000010fda76ab js::jit::IonCannon(JSContext*, js::RunState&) + 715 (Ion.cpp:2822)
4 js-dbg-64-dm-clang-darwin-97a52326b06a 0x000000011030fecf js::RunScript(JSContext*, js::RunState&) + 351 (Interpreter.cpp:379)
5 js-dbg-64-dm-clang-darwin-97a52326b06a 0x0000000110321a3e js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 750 (Interpreter.cpp:471)
6 js-dbg-64-dm-clang-darwin-97a52326b06a 0x000000010fcd0cde js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 1918 (BaselineIC.cpp:5989)
/snip
For detailed crash information, see attachment.
Setting s-s because gc stuff is on the stack, and this seems to involve TypedArrays.
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/810a43be36de user: Sander Mathijs van Veen date: Fri Aug 12 21:38:45 2016 -0400 summary: Bug 1293258 - AddressSanitizer: attempting double-free on 0x614000342640 [@ __interceptor_free] or Crash [@ jemalloc_crash] with TypedArray. r=jandem Sander, is bug 1293258 a likely regressor?
Blocks: 1293258
Flags: needinfo?(sandervv)
|
||
Updated•8 years ago
|
status-firefox50:
--- → unaffected
|
Assignee | |
Comment 3•8 years ago
|
||
Prevent an overflow caused by the JS_ROUNDUP since |allocateBuffer| converts |nbytes| of type size_t to uint32_t. The value for |nbytes| will truncate to zero when |new Int32Array(2147483647)| is used.
Assignee: nobody → sandervv
Flags: needinfo?(sandervv)
Attachment #8783469 -
Flags: review?(jdemooij)
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8783469 [details] [diff] [review] bug1296249-nbytes-overflow.patch Review of attachment 8783469 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/MacroAssembler.cpp @@ +1059,5 @@ > > + // Prevent an overflow caused by the JS_ROUNDUP since |allocateBuffer| > + // converts |nbytes| of type size_t to uint32_t. The value for |nbytes| will > + // truncate to zero when |new Int32Array(2147483647)| is used. > + if (nbytes > TypedArrayObject::SINGLETON_BYTE_LENGTH) Can you make this >= to be consistent with other places where we check this?
Attachment #8783469 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 5•8 years ago
|
||
Used ">=" for consistency.
Attachment #8783469 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•8 years ago
|
Keywords: checkin-needed
|
||
Comment 6•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e2bca303ae69
status-firefox48:
--- → unaffected
status-firefox49:
--- → unaffected
status-firefox-esr45:
--- → unaffected
Flags: in-testsuite+
Keywords: checkin-needed
|
||
Comment 7•8 years ago
|
||
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/afd6ad990dd4 for the test failing like https://treeherder.mozilla.org/logviewer.html#?job_id=35787106&repo=mozilla-inbound in, so far, the ARM shell build we run on Linux32, the ARM shell build we run really weirdly, displaying on the Linux64 row but being the SM(arm) right next to the SM(arm64) so I bet it's actually 32-bit, and the SM(p) on the WinXP row (which is a lie, it's Server 2008, but probably means 32-bit as well).
|
|
||
Comment 8•8 years ago
|
||
And 64-bit didn't save you from everything, in the browser jittests you got OOMs like https://treeherder.mozilla.org/logviewer.html#?job_id=35790646&repo=mozilla-inbound
|
|
Reporter | |
Comment 9•8 years ago
|
||
Sander, your patch got backed out, any chance of working it through? (Else we'll just pass the ni? along)
Flags: needinfo?(sandervv)
|
|
Reporter | |
Updated•8 years ago
|
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 10•8 years ago
|
||
I've verified locally that the OOM exception doesn't fail the test case when running the test in a shell with |ulimit -m 4096000; ulimit -v 4096000| set. The try job results are pending (https://treeherder.mozilla.org/#/jobs?repo=try&revision=683968dd3ed3). I'm using |./mach try -b do -p linux,linux64,linux64-asan,linux64-st-an,linux64-valgrind,linux64-shell-haz -u jsreftest,jittests,jittest-1,jittest-2,mochitests,mochitests-bc -t none| for the try build. Is this sufficient?
Attachment #8790735 -
Attachment is obsolete: true
Flags: needinfo?(sandervv)
Attachment #8794776 -
Flags: review?(jdemooij)
|
|
||
Comment 11•8 years ago
|
||
Comment on attachment 8794776 [details] [diff] [review] bug1296249-nbytes-overflow.patch Review of attachment 8794776 [details] [diff] [review]: ----------------------------------------------------------------- I see you still got some jit-test failures on Try, let me know if you need help with that. ::: js/src/jit/MacroAssembler.cpp @@ +1063,5 @@ > } > > + // Prevent an overflow caused by the JS_ROUNDUP since |allocateBuffer| > + // converts |nbytes| of type size_t to uint32_t. The value for |nbytes| will > + // truncate to zero when |new Int32Array(2147483647)| is used. Please change allocateBuffer to just take size_t instead of uint32_t, to fix this footgun. If we do that, can we remove this change?
Attachment #8794776 -
Flags: review?(jdemooij)
|
|
||
Comment 12•8 years ago
|
||
[Tracking Requested - why for this release]: Sec bug.
status-firefox52:
--- → affected
tracking-firefox51:
--- → ?
tracking-firefox52:
--- → ?
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 13•8 years ago
|
||
I fixed the comments in the updated patch. Steps to reproduce the test failure for arm-sim running on x86-64: $ cd js/src/; $ ./devtools/automation/autospider.py --build-only --dep arm-sim; $ python jit-test/jit_test.py --jitflags=all -j8 ../../obj-spider/js/src/js basic/bug1296249.js Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at /home/smvv/work/mozilla-central/js/src/builtin/TestingFunctions.cpp:1373 Exit code: -11 FAIL - basic/bug1296249.js I'm starting a new try job to make sure that the uint32_t -> size_t change doesn't break any builds. Results will be listed here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=efbca55c4921
Attachment #8794776 -
Attachment is obsolete: true
Attachment #8794828 -
Flags: review?(jdemooij)
|
|
||
Comment 14•8 years ago
|
||
Comment on attachment 8794828 [details] [diff] [review] bug1296249-nbytes-overflow.patch Review of attachment 8794828 [details] [diff] [review]: ----------------------------------------------------------------- Thanks. Don't forget to request sec-approval before landing, as this affects Aurora and is probably exploitable.
Attachment #8794828 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 15•8 years ago
|
||
The assertion fails on arm 32-bit (using the arm-sim running on a host x86-64 bit).
Flags: needinfo?(jdemooij)
|
|
||
Comment 16•8 years ago
|
||
(In reply to Sander Mathijs van Veen from comment #15) > The assertion fails on arm 32-bit (using the arm-sim running on a host > x86-64 bit). I filed bug 1305948 with a patch for this OOM bug.
|
|
||
Updated•8 years ago
|
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 17•8 years ago
|
||
Comment on attachment 8794828 [details] [diff] [review] bug1296249-nbytes-overflow.patch [Security approval request comment] How easily could an exploit be constructed based on the patch? I think it would be easy since the test case that illustrates the assertion failure is easy to construct. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The test gives a clear hint about the security problem. Which older supported branches are affected by this flaw? The patch landed in Firefox 51. If not all supported branches, which bug introduced the flaw? https://bugzilla.mozilla.org/show_bug.cgi?id=1279992 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? I do not have backports, but the patch should be easy to backport to the affected branches. They are not risky and not hard to create. How likely is this patch to cause regressions; how much testing does it need? It is not likely to cause regressions.
Attachment #8794828 -
Flags: sec-approval?
|
|
||
Comment 19•8 years ago
|
||
sec-approval+ for trunk. We'll want an aurora patch made and nominated for this as well so we don't ship the bug.
|
|
||
Updated•8 years ago
|
Attachment #8794828 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 20•8 years ago
|
||
Comment on attachment 8794828 [details] [diff] [review] bug1296249-nbytes-overflow.patch Approval Request Comment [Feature/regressing bug #]: 1296249 [User impact if declined]: it could allocate zero bytes in the nursery for the typed array elements buffer. Writing to that typed array's buffer is dangerous. [Describe test coverage new/current, TreeHerder]: The added test verifies that an OOM error is thrown instead of an assertion failure. [Risks and why]: Not sure what risks this could have. The size parameter is changed from uint32_t to size_t so it would only affect platforms where size_t > uint32_t. [String/UUID change made/needed]:
Attachment #8794828 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 21•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb162dfbe7f2ffd78600a3da5a8e9bf261969fd5
|
|
||
Comment 22•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/bb162dfbe7f2
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
||
Updated•8 years ago
|
Group: javascript-core-security → core-security-release
|
||
Comment 23•8 years ago
|
||
Comment on attachment 8794828 [details] [diff] [review] bug1296249-nbytes-overflow.patch Sec-high. Take it in 51 aurora.
Attachment #8794828 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Updated•8 years ago
|
|
|
||
Comment 25•8 years ago
|
||
JSBugMon: This bug has been automatically verified fixed. JSBugMon: This bug has been automatically verified fixed on Fx51
|
|
||
Updated•8 years ago
|
Group: core-security-release
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•