Closed Bug 1324298 Opened 5 years ago Closed 5 years ago

AddressSanitizer: attempting double-free jsshell

Categories

(Core :: JavaScript: GC, defect)

51 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 1293258

People

(Reporter: rs, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2950.4 Safari/537.36

Steps to reproduce:

Tested on JavaScript-C51.0a1 (not tried yet on the latest version).

// Fuzzer-generated test case from the report. obj0 and func1 are never
// declared, so the assignments below create them as globals.
var shouldBailout = false;
function test0() {
    var obj1 = {};
    var arrObj0 = {};
    var ary = new Array(10);
    var ui16 = new Uint16Array(256);
    var c = 1;
    var f = 1;
    arrObj0.prop0 = -254;
    for(var __loopvar0 = 0; __loopvar0 < 3 && f < ((-arrObj0.prop0)) ; __loopvar0++ + f++) {
        for(var __loopvar1 = 0; ; __loopvar1++) {
            if(__loopvar1 > 3) break;
            var __loopvar4 = 0;
            while((1) && __loopvar4 < 3) {
                __loopvar4++;
                if(c) {
                    break;
                }
                var __loopvar5 = 0;
                while((1) && __loopvar5 < 3) {
                    __loopvar5++;
                    if(shouldBailout) {
                        func1 = obj0.method0;
                    }
                    obj1.prop1 = ui16[(1) & 255];
                }
            }
            obj0 = obj1;
            obj0.length = ary[((shouldBailout ? (ary[1] = "x") : undefined), 1)];
            test0();  // recursive call from inside the inner loop
        }
        obj0.length = ary[((shouldBailout ? (ary[1] = "x") : undefined), 1)];
    }
};
test0();
test0();
test0();
test0();
shouldBailout = true;
test0();

// WScript.Echo is a Windows Script Host / Chakra shell API. The SpiderMonkey
// shell has no WScript object, so this line throws a ReferenceError once the
// calls above have finished; print("pass") is the jsshell equivalent.
WScript.Echo("pass");

Actual results:

=================================================================
==15262==ERROR: AddressSanitizer: attempting double-free on 0x61500060e800 in thread T0:
    #0 0x4da1db in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0xf6a4c2 in JSObject::finalize(js::FreeOp*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsobjinlines.h:87:9
    #2 0xf69bbb in unsigned long js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:450:13
    #3 0xf6714e in bool FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:508:26
    #4 0xf0e5cf in FinalizeArenas(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:542:1
    #5 0xf0e289 in js::gc::ArenaLists::backgroundFinalize(js::FreeOp*, js::gc::Arena*, js::gc::Arena**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:2784:5
    #6 0xf11b34 in js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&, js::LifoAlloc&, js::ThreadType) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:3214:21
    #7 0xf24c28 in js::gc::GCRuntime::endSweepingZoneGroup() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:5153:9
    #8 0xf26305 in js::gc::GCRuntime::sweepPhase(js::SliceBudget&, js::AutoLockForExclusiveAccess&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:5366:9
    #9 0xf2a1ee in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::AutoLockForExclusiveAccess&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:5898:13
    #10 0xf2baa7 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:6138:5
    #11 0xf2ca44 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:6245:25
    #12 0xf101c8 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:6310:5
    #13 0x1336c0e in JSRuntime::destroyRuntime() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Runtime.cpp:422:9
    #14 0xe9ca78 in JSContext::~JSContext() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxt.cpp:932:5
    #15 0xe985c5 in void js_delete_poison<JSContext>(JSContext const*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dist/include/js/Utility.h:392:9
    #16 0xe5d3c8 in js::DestroyContext(JSContext*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxt.cpp:137:5
    #17 0x50ea68 in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/shell/js.cpp:7534:5
    #18 0x7f554332282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x443a90 in _start (/home/fuzzer/browsers/js+0x443a90)

0x61500060e800 is located 0 bytes inside of 512-byte region [0x61500060e800,0x61500060ea00)
freed by thread T8 (JS Helper) here:
    #0 0x4da1db in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x1773317 in js::Nursery::FreeMallocedBuffersTask::run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/gc/Nursery.cpp:710:9
    #2 0x124ef56 in js::GCParallelTask::runFromHelperThread(js::AutoLockHelperThreadState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/HelperThreads.cpp:1058:9
    #3 0x124f354 in js::HelperThread::handleGCParallelWorkload(js::AutoLockHelperThreadState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/HelperThreads.cpp:1089:5
    #4 0x125163c in js::HelperThread::threadLoop() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/HelperThreads.cpp:1693:13
    #5 0x125d72d in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/threading/Thread.h:229:5
    #6 0x7f55449c7709 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7709)

previously allocated by thread T0 here:
    #0 0x4da4fb in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x61663a in unsigned char* js_pod_malloc<unsigned char>(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dist/include/js/Utility.h:419:28
    #2 0x623d97 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_malloc<unsigned char>(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/MallocProvider.h:57:16
    #3 0x623b81 in unsigned char* js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/MallocProvider.h:90:16
    #4 0x176f8bf in js::Nursery::allocateBuffer(JS::Zone*, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/gc/Nursery.cpp:312:20
    #5 0xbf22d9 in AllocateObjectBufferWithInit(JSContext*, js::TypedArrayObject*, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jit/MacroAssembler.cpp:1066:17
    #6 0x7f55293180e3  (<unknown module>)

Thread T8 (JS Helper) created by T0 here:
    #0 0x4c28b9 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7215ce in js::Thread::create(void* (*)(void*), void*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/threading/posix/Thread.cpp:102:7
    #2 0x124c501 in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/threading/Thread.h:125:12
    #3 0x12460e2 in js::GlobalHelperThreadState::ensureInitialized() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/HelperThreads.cpp:630:14
    #4 0x1335b3e in JSRuntime::init(unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Runtime.cpp:291:34
    #5 0xe98274 in JSContext::init(unsigned int, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxt.cpp:95:10
    #6 0xe5d21c in js::NewContext(unsigned int, unsigned int, JSRuntime*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxt.cpp:111:10
    #7 0x50e585 in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/shell/js.cpp:7452:21
    #8 0x7f554332282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: double-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3 in free
==15262==ABORTING
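The report above has the three-stack layout ASan emits for a double-free: the stack of the second free (main thread, GC finalization), the stack of the first free (helper thread T8, the nursery's FreeMallocedBuffersTask) and the allocation site. The following Python is an added example, not code from the bug or from Mozilla: a small triage parser for that layout. It splits a report into its stacks, derives a dedup signature from the first symbolised frames outside the sanitizer runtime, and flags that the two frees ran on different threads, which is the detail that distinguishes this report from a single-threaded double-free path. SAMPLE_REPORT is an excerpt of the report above with some frames dropped; the NOISE_RE path patterns are an assumption about this toolchain's layout.

```python
import re
from typing import List, Optional, Tuple

# Frame lines: "    #1 0xf6a4c2 in JSObject::finalize(js::FreeOp*) /path/file.h:87:9", or unsymbolised
# "    #6 0x7f55293180e3  (<unknown module>)". The location is the final token, so the non-greedy
# func group absorbs return types and parameter lists that contain spaces.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+(?:in\s+(?P<func>.*?)\s+)?(?P<loc>\(.*\)|\S+)$")
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>.+?) on (?:address )?(?P<addr>0x[0-9a-fA-F]+)")
NOISE_RE = re.compile(r"compiler-rt/lib/asan|libc\.so|<unknown module>")  # assumed paths; no triage value

def _new_stack(report: dict, title: str) -> dict:
    m = re.search(r"\bthread (T\d+)", title)
    stack = {"title": title, "thread": m.group(1) if m else None, "frames": []}
    report["stacks"].append(stack)
    return stack

def parse_asan_report(text: str) -> dict:
    """stacks[0] is the ERROR stack; 'freed by' / 'previously allocated by' / 'created by' follow in order."""
    report: dict = {"pid": None, "kind": None, "address": None, "region_size": None, "stacks": []}
    current = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := ERROR_RE.match(line):
            # ASan writes "attempting double-free" here; normalise to the SUMMARY spelling
            report.update(pid=int(m["pid"]), address=m["addr"], kind=re.sub(r"^attempting ", "", m["kind"]))
            current = _new_stack(report, line)
        elif m := FRAME_RE.match(line):
            if current is None:
                raise ValueError("frame line outside any stack section: " + line)
            current["frames"].append((m["func"], m["loc"]))  # func is None when unsymbolised
        elif line.endswith("here:"):  # e.g. "freed by thread T8 (JS Helper) here:"
            current = _new_stack(report, line)
        elif m := re.search(r"(\d+)-byte region", line):  # "... inside of 512-byte region [...)"
            report["region_size"] = int(m.group(1))
        # blank, "====", SUMMARY and ABORTING lines fall through and are ignored
    if report["kind"] is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report

def short_name(func: str) -> str:
    """Drop return type and parameter list, keep template args: 'unsigned char* f<unsigned char>(unsigned long)' -> 'f<unsigned char>'."""
    depth, start = 0, 0
    for i, ch in enumerate(func):
        if ch == "<":
            depth += 1
        elif ch == ">" and depth > 0:
            depth -= 1
        elif depth == 0 and ch == " ":
            start = i + 1
        elif depth == 0 and ch == "(":
            return func[start:i]
    return func[start:]

def signature(stack: Optional[dict], depth: int = 3) -> Tuple[str, ...]:
    """Dedup signature: the first `depth` symbolised frames outside the sanitizer runtime and libc."""
    names: List[str] = []
    for func, loc in (stack["frames"] if stack else []):
        if func is not None and not NOISE_RE.search(loc):
            names.append(short_name(func))
        if len(names) == depth:
            break
    return tuple(names)

def triage(report: dict) -> dict:
    """What a crash queue keys on: what was freed, by which threads, and whether the two frees raced across threads."""
    def find(prefix: str) -> Optional[dict]:
        return next((s for s in report["stacks"] if s["title"].startswith(prefix)), None)
    second, first, alloc = report["stacks"][0], find("freed by"), find("previously allocated by")
    return {
        "kind": report["kind"], "address": report["address"], "region_size": report["region_size"],
        "thread": second["thread"], "signature": signature(second),
        "first_free_thread": first["thread"] if first else None, "first_free_signature": signature(first),
        "alloc_signature": signature(alloc),
        "cross_thread": first is not None and first["thread"] != second["thread"],
    }

# Excerpt of the ASan report from this bug (several frames and the thread-creation stack dropped).
SAMPLE_REPORT = """\
=================================================================
==15262==ERROR: AddressSanitizer: attempting double-free on 0x61500060e800 in thread T0:
    #0 0x4da1db in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0xf6a4c2 in JSObject::finalize(js::FreeOp*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsobjinlines.h:87:9
    #2 0xf69bbb in unsigned long js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:450:13
    #3 0xf6714e in bool FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::Arena**, js::gc::SortedArenaList&, js::gc::AllocKind, js::SliceBudget&, js::gc::ArenaLists::KeepArenasEnum) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsgc.cpp:508:26

0x61500060e800 is located 0 bytes inside of 512-byte region [0x61500060e800,0x61500060ea00)
freed by thread T8 (JS Helper) here:
    #0 0x4da1db in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x1773317 in js::Nursery::FreeMallocedBuffersTask::run() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/gc/Nursery.cpp:710:9
    #2 0x124ef56 in js::GCParallelTask::runFromHelperThread(js::AutoLockHelperThreadState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/HelperThreads.cpp:1058:9

previously allocated by thread T0 here:
    #0 0x4da4fb in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x61663a in unsigned char* js_pod_malloc<unsigned char>(unsigned long) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dist/include/js/Utility.h:419:28
    #4 0x176f8bf in js::Nursery::allocateBuffer(JS::Zone*, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/gc/Nursery.cpp:312:20
    #5 0xbf22d9 in AllocateObjectBufferWithInit(JSContext*, js::TypedArrayObject*, unsigned int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jit/MacroAssembler.cpp:1066:17
    #6 0x7f55293180e3  (<unknown module>)

SUMMARY: AddressSanitizer: double-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3 in free
==15262==ABORTING
"""

if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:22} {value}")
```

The signature deliberately skips the `free`/`__interceptor_malloc` frames inside compiler-rt, which are identical in every ASan report and would otherwise collapse unrelated crashes into one bucket. For this report the second-free signature starts at JSObject::finalize while the first free sits in the nursery's FreeMallocedBuffersTask on helper thread T8, so `cross_thread` is true: the same malloc'd buffer was handed to both the nursery's background free task and the tenured object's finalizer.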
It seems to be the latest version.
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
Version: unspecified → 51 Branch
Gary: can you try this on nightly and see if it's still a problem?
Group: firefox-core-security → javascript-core-security
Component: Untriaged → JavaScript: GC
Flags: needinfo?(gary)
Product: Firefox → Core
I was unable to reproduce this on 64-bit opt ASan builds on all 4 branches.

Jan, do you think you may be able to spot the issue here? (or try and see if you can reproduce)
Flags: needinfo?(gary) → needinfo?(jdemooij)
I also can't reproduce this.

Francisco, thanks for the report. It would be very useful to know at least the revision id, configure flags, compiler version, and shell flags.
Flags: needinfo?(jdemooij) → needinfo?(rs)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1293258
Can I tweet about this bug without problems, right? It seems to be fixed. By the way, can you share the latest jsshell build?

Thank you
Group: javascript-core-security
(In reply to Francisco A. from comment #7)
> Can I tweet about this bug without problems, right? It seems to be fixed.
> By the way, can you share the latest jsshell build?
> 
> Thank you

The official build is: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Releases/45
The build for FF52 is not ready yet. (FF52 releases in March 2017.)
Additionally, the latest Nightly builds of the shell can be found here: https://archive.mozilla.org/pub/firefox/nightly/latest-mozilla-central/

Not sure if those are different from the ones on *.taskcluster.net