Closed Bug 1304037 Opened 9 years ago Closed 9 years ago

Crash [@ js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell>] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1301343
Tracking Status
firefox-esr45 50+ fixed
firefox50 --- fixed
firefox51 --- fixed
firefox52 --- fixed

People

(Reporter: decoder, Assigned: jandem)

References

Details

(6 keywords, Whiteboard: [jsbugmon:ignore])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision eaf5eb6f8fa0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --disable-oom-functions --baseline-eager --ion-eager --ion-extra-checks):

See attachment.

Backtrace:

received signal SIGSEGV, Segmentation fault.
js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell> (t=0x4b4b4b4b4b4b4b48) at js/src/jsgc.h:1180
#0 js::gc::IsGCThingValidAfterMovingGC<js::gc::Cell> (t=0x4b4b4b4b4b4b4b48) at js/src/jsgc.h:1180
#1 CheckHeapTracer::onChild (this=0x7fffffffcd30, thing=...) at js/src/gc/Verifier.cpp:488
#2 0x0000000000aa892b in JS::CallbackTracer::onStringEdge (strp=0x7ffff2ed5aa0, this=0x7fffffffcd30) at dist/include/js/TracingAPI.h:143
#3 JS::CallbackTracer::dispatchToOnEdge (strp=0x7ffff2ed5aa0, this=0x7fffffffcd30) at dist/include/js/TracingAPI.h:225
#4 DoCallback<JSString*> (trc=0x7fffffffcd30, thingp=0x7ffff2ed5aa0, name=0xd8761d "base") at js/src/gc/Tracer.cpp:51
#5 0x0000000000a9e8c9 in js::TraceChildren (kind=<optimized out>, thing=0x7ffff2ed5a90, trc=0x7fffffffcd38) at js/src/gc/Tracer.cpp:126
#6 JS::TraceChildren (trc=trc@entry=0x7fffffffcd38, thing=...) at js/src/gc/Tracer.cpp:111
#7 0x0000000000a9e976 in CheckHeapTracer::check (this=this@entry=0x7fffffffcd30, lock=...) at js/src/gc/Verifier.cpp:522
#8 0x0000000000a9eb5b in js::gc::CheckHeapAfterMovingGC (rt=<optimized out>) at js/src/gc/Verifier.cpp:544
#9 0x000000000078770a in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff695f8f8, reason=reason@entry=JS::gcreason::DEBUG_GC, phase=phase@entry=js::gcstats::PHASE_EVICT_NURSERY) at js/src/jsgc.cpp:6525
#10 0x00000000007a0142 in js::gc::GCRuntime::minorGC (phase=js::gcstats::PHASE_EVICT_NURSERY, reason=JS::gcreason::DEBUG_GC, this=0x7ffff695f8f8) at js/src/jsgc.cpp:6146
#11 js::gc::GCRuntime::evictNursery (reason=JS::gcreason::DEBUG_GC, this=0x7ffff695f8f8) at js/src/gc/GCRuntime.h:622
#12 js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695f8f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6098
#13 0x00000000007a0446 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695f8f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6283
#14 0x00000000007a0bcc in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff695f8f8) at js/src/jsgc.cpp:6746
#15 0x0000000000a6f410 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff695f8f8, cx=0x7ffff695f000) at js/src/gc/Allocator.cpp:225
#16 0x0000000000a7a5ad in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (kind=js::gc::AllocKind::STRING, cx=<optimized out>, this=0x7ffff695f8f8) at js/src/gc/Allocator.cpp:189
#17 js::Allocate<JSString, (js::AllowGC)1> (cx=cx@entry=0x7ffff695f000) at js/src/gc/Allocator.cpp:139
#18 0x0000000000948b32 in JSRope::new_<(js::AllowGC)1> (length=1475, right=..., left=..., cx=0x7ffff695f000) at js/src/vm/String-inl.h:128
#19 js::ConcatStrings<(js::AllowGC)1> (cx=0x7ffff695f000, left=..., right=...) at js/src/vm/String.cpp:640
#20 0x00007ffff7e42b45 in ?? ()
#21 0x0000000000000000 in ?? ()
rax 0x7ffff35af000 140737276211200
rbx 0x60000000 1610612736
rcx 0xf 15
rdx 0x33f2 13298
rsi 0x1 1
rdi 0x6000 24576
rbp 0x7ffff357f000 140737276014592
rsp 0x7fffffffcbe0 140737488341984
r8 0x0 0
r9 0x33f1 13297
r10 0x11 17
r11 0x7fffffffcc30 140737488342064
r12 0x7fffffffcd30 140737488342320
r13 0x4b4b4b4b4b4b4b48 5425512962855750472
r14 0x4b4b4b4b4b4fffe8 5425512962856058856
r15 0x8000 32768
rip 0xa9fdf7 <CheckHeapTracer::onChild(JS::GCCellPtr const&)+439>
=> 0xa9fdf7 <CheckHeapTracer::onChild(JS::GCCellPtr const&)+439>: cmpl $0x1,(%r14)
0xa9fdfb <CheckHeapTracer::onChild(JS::GCCellPtr const&)+443>: jne 0xaa0180 <CheckHeapTracer::onChild(JS::GCCellPtr const&)+1344>

Marking s-s and sec-critical because it looks like use-after-free. The test is also intermittent.
Attached file Testcase
Flags: needinfo?(jcoppeard)
This looks like UAF tracing through a JSString's base string.
Reproduced. The string in question appears to be the identifier 'pbc0448' from the testcase. I think this is the same issue as bug 1295039.
Depends on: 1304653
Depends on: 1301343
Assignee: nobody → jdemooij
This should be fixed by the checkin for bug 1301343, which I just approved for trunk, as bug 1295039 was duped to that. Christian, can you check to see if this bug is fixed after 1301343 goes in within the next few days?
Flags: needinfo?(choller)
I tried re-running this testcase with the fixes now in the tree and I cannot reproduce. I also don't see the failure popping up anymore in FuzzManager. That said, the issue is fairly unstable and didn't pop up very often in general, so we cannot be 100% sure. If I see this popping up again, I will just report it. Until then, we should consider it fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(choller)
Resolution: --- → FIXED
Flags: needinfo?(jcoppeard)
Group: javascript-core-security → core-security-release
Comments 4 and 5 imply this is now fixed, updating fx52 status flag.
But is it fixed on 51? Bug 1295039 and bug 1301343 are both marked fixed for 51 so that would imply that this is fixed there as well. This bug is showing up in our 51 "unfixed" queries right now.
Flags: needinfo?(jdemooij)
Yes, bug 1301343 was fixed in 51.
Flags: needinfo?(jdemooij)
Resolution: FIXED → DUPLICATE
Group: core-security-release