Bug 1332620 (Closed) - Opened 8 years ago, closed 8 years ago

AddressSanitizer: heap-use-after-free [@ js::RegExpShared::getFlags] with READ of size 4

Component: Core :: JavaScript Engine (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1332597
Tracking Status: firefox52 --- fixed; firefox53 --- fixed
Reporter: decoder
Assignee: Unassigned
Keywords: 5 keywords
Whiteboard: [jsbugmon:]

The following testcase crashes on mozilla-central revision aa3e49299a3a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker(`
  for(var i=0; i<2; '') {
    var a = /a/;
  }
`);
gczeal(4);

Backtrace:

==13278==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00001ca88 at pc 0x0000015e44a0 bp 0x7f9958778df0 sp 0x7f9958778de8
READ of size 4 at 0x60c00001ca88 thread T14
    #0 0x15e449f in js::RegExpShared::getFlags() const js/src/vm/RegExpObject.h:190:50
    #1 0x15e449f in js::CloneRegExpObject(JSContext*, JSObject*) js/src/vm/RegExpObject.cpp:1414
    #2 0x7f9954392190 (<unknown module>)

0x60c00001ca88 is located 8 bytes inside of 128-byte region [0x60c00001ca80,0x60c00001cb00)
freed by thread T8 (JS Helper) here:
    #0 0x5125c0 in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x15e232f in js_free(void*) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/sanitizer/asan/type/opt/dist/include/js/Utility.h:257:5
    #2 0x15e232f in void js_delete<js::RegExpShared>(js::RegExpShared const*) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/sanitizer/asan/type/opt/dist/include/js/Utility.h:384
    #3 0x15e232f in js::RegExpCompartment::sweep(JSRuntime*) js/src/vm/RegExpObject.cpp:1310
    #4 0x110193b in SweepRegExpsTask::run() js/src/jsgc.cpp:4888:9
    #5 0x154cdc7 in js::GCParallelTask::runFromHelperThread(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:1151:9
    #6 0x154cdc7 in js::HelperThread::handleGCParallelWorkload(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:1182
    [...]
    #10 0x7f99622cd6f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)

previously allocated by thread T14 here:
    #0 0x512908 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x5a59eb in js_malloc(unsigned long) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/sanitizer/asan/type/opt/dist/include/js/Utility.h:229:12
    #2 0x5a59eb in unsigned char* js_pod_malloc<unsigned char>(unsigned long) /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/clang/sanitizer/asan/type/opt/dist/include/js/Utility.h:420
    #3 0x5a59eb in unsigned char* js::MallocProvider<js::ExclusiveContext>::maybe_pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:57
    #4 0x5a59eb in unsigned char* js::MallocProvider<js::ExclusiveContext>::pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:90
    #5 0x15d44dc in js::RegExpShared* js::MallocProvider<js::ExclusiveContext>::new_<js::RegExpShared, JSAtom*&, js::RegExpFlag&>(JSAtom*&, js::RegExpFlag&) js/src/vm/MallocProvider.h:190:5
    #6 0x15d44dc in js::RegExpCompartment::get(JSContext*, JSAtom*, js::RegExpFlag, js::RegExpGuard*) js/src/vm/RegExpObject.cpp:1352
    #7 0x15d2ec4 in js::RegExpObject::createShared(JSContext*, js::RegExpGuard*) js/src/vm/RegExpObject.cpp:286:10
    #8 0x15e3f31 in js::RegExpObject::getShared(JSContext*, js::RegExpGuard*) js/src/vm/RegExpObject.cpp:142:12
    #9 0x15e3f31 in js::CloneRegExpObject(JSContext*, JSObject*) js/src/vm/RegExpObject.cpp:1411
    #10 0x714ac2 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3210:21
    [...]
    #15 0x58aa7a in WorkerMain(void*) js/src/shell/js.cpp:3374:9

SUMMARY: AddressSanitizer: heap-use-after-free js/src/vm/RegExpObject.h:190:50 in js::RegExpShared::getFlags() const
Shadow bytes around the buggy address:
  0x0c187fffb940: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
=>0x0c187fffb950: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:     fa
  Freed heap region:     fd

S-s and sec-critical due to use-after-free. This might be related to the previous bug I filed with evalInWorker (bug 1332597), but I'm not exactly sure if they are the same.
Jon, is this a duplicate of the other GC + Worker bug?
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
For some reason I can't get a build with --enable-address-sanitizer to compile, but I'm 99% sure this is the same thing as bug 1332597.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Fixed in the duplicate up to Firefox 52.
Group: javascript-core-security