Bug 1341303 (Closed): AddressSanitizer: heap-use-after-free [@ js::GeckoProfiler::beginPseudoJS] with READ of size 4 or Assertion failure: *size_ > 0, at vm/GeckoProfiler.cpp:294
Opened 7 years ago; closed 7 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target milestone: mozilla54
Release | Tracking | Status
---|---|---
firefox51 | --- | unaffected
firefox52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | --- | fixed
People: Reporter: decoder, Assigned: bhackett1024
References: Blocks 1 open bug
Details: 6 keywords, Whiteboard: [fuzzblocker] [jsbugmon:]
Attachments (1 file): patch, 1.51 KB, jandem: review+
Description

The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --ion-offthread-compile=off):

```js
for(i=0;i<100;++i) evalInWorker('enableGeckoProfiling()');
```

Backtrace:

```
==16762==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b0000301b8 at pc 0x00000166758e bp 0x7fcb049fdcd0 sp 0x7fcb049fdcc8
READ of size 4 at 0x62b0000301b8 thread T17
    #0 0x166758d in js::GeckoProfiler::beginPseudoJS(char const*, void*) js/src/vm/GeckoProfiler.cpp:242:24
    #1 0x166758d in js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry(JSRuntime*, char const*, js::ProfileEntry::Category) js/src/vm/GeckoProfiler.cpp:442
    #2 0x1257b24 in js::gc::AutoTraceSession::AutoTraceSession(JSRuntime*, JS::HeapState) js/src/jsgc.cpp:5680:5
    #3 0x1cdb4d7 in js::Nursery::doCollection(JS::gcreason::Reason, js::gc::TenureCountCache&) js/src/gc/Nursery.cpp:666:22
    #4 0x1cda3e2 in js::Nursery::collect(JS::gcreason::Reason) js/src/gc/Nursery.cpp:593:25
    #5 0x1264d1a in js::ZoneGroup::minorGC(JS::gcreason::Reason, js::gcstats::Phase) js/src/jsgc.cpp:6679:5
    #6 0x125d6a9 in js::ZoneGroup::evictNursery(JS::gcreason::Reason) js/src/gc/ZoneGroup.h:80:9
    #7 0x125d6a9 in js::EvictAllNurseries(JSRuntime*, JS::gcreason::Reason) js/src/gc/Nursery-inl.h:78
    #8 0x125d6a9 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp:6256
    #9 0x1261db6 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6454:25
    #10 0x1231164 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6520:5
    #11 0x1738911 in JSRuntime::destroyRuntime() js/src/vm/Runtime.cpp:301:9
    #12 0x118ab27 in js::DestroyContext(JSContext*) js/src/jscntxt.cpp:226:9
    #13 0x58e326 in WorkerMain(void*)::$_3::operator()() const js/src/shell/js.cpp:3474:17
    #14 0x58e326 in mozilla::ScopeExit<WorkerMain(void*)::$_3>::~ScopeExit() dist/include/mozilla/ScopeExit.h:112
    #15 0x58e326 in WorkerMain(void*) js/src/shell/js.cpp:3552
    [...]

0x62b0000301b8 is located 24504 bytes inside of 24656-byte region [0x62b00002a200,0x62b000030250)
freed by thread T17 here:
    #0 0x5147b0 in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x58e31e in js_free(void*) dist/include/js/Utility.h:257:5
    #2 0x58e31e in void js_delete<ShellContext>(ShellContext const*) dist/include/js/Utility.h:384
    #3 0x58e31e in JS::DeletePolicy<ShellContext>::operator()(ShellContext const*) dist/include/js/Utility.h:485
    #4 0x58e31e in mozilla::UniquePtr<ShellContext, JS::DeletePolicy<ShellContext> >::reset(ShellContext*) dist/include/mozilla/UniquePtr.h:343
    #5 0x58e31e in mozilla::UniquePtr<ShellContext, JS::DeletePolicy<ShellContext> >::~UniquePtr() dist/include/mozilla/UniquePtr.h:288
    #6 0x58e31e in WorkerMain(void*) js/src/shell/js.cpp:3552
    [...]

previously allocated by thread T17 here:
    #0 0x514af8 in __interceptor_malloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x58d47f in js_malloc(unsigned long) dist/include/js/Utility.h:229:12
    #2 0x58d47f in ShellContext* js_new<ShellContext, JSContext*&>(JSContext*&) dist/include/js/Utility.h:346
    #3 0x58d47f in js::detail::UniqueSelector<ShellContext>::SingleObject js::MakeUnique<ShellContext, JSContext*&>(JSContext*&) dist/include/js/UniquePtr.h:48
    #4 0x58d47f in WorkerMain(void*) js/src/shell/js.cpp:3488
    [...]

Thread T17 created by T0 here:
    #0 0x47cdbd in __interceptor_pthread_create /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:239
    #1 0x7100bc in js::Thread::create(void* (*)(void*), void*) js/src/threading/posix/Thread.cpp:102:7
    #2 0x5a6753 in bool js::Thread::init<void (&)(void*), WorkerInput*&>(void (&)(void*), WorkerInput*&) js/src/threading/Thread.h:117:12
    #3 0x58ce7e in EvalInThread(JSContext*, unsigned int, JS::Value*, bool) js/src/shell/js.cpp:3637:21
    #4 0x74846f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:281:15
    [...]

SUMMARY: AddressSanitizer: heap-use-after-free js/src/vm/GeckoProfiler.cpp:242:24 in js::GeckoProfiler::beginPseudoJS(char const*, void*)
Shadow bytes around the buggy address:
  0x0c567fffe020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c567fffe030: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c567fffe040: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Heap left redzone:       fa
  Freed heap region:       fd
==16762==ABORTING
```

Very likely shell only due to enableGeckoProfiling interacting with evalInWorker.
Comment 1 • Reporter • 7 years ago
Fuzzblocker because this and similar issues are highly frequent now (more than 1 report per minute).
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][fuzzblocker]
Updated • 7 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:bisect]
Comment 2 • 7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated • 7 years ago
Whiteboard: [fuzzblocker] [jsbugmon:bisect] → [fuzzblocker] [jsbugmon:]
Comment 3 • Assignee • 7 years ago
The shell WorkerMain is deleting things in the wrong order.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8839713 - Flags: review?(jdemooij)
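To make the "wrong order" diagnosis concrete, here is an added example of the bug class rather than SpiderMonkey's own code or the attached patch. It is a stand-alone C++ program in which `ScopeExit`, `ShellContext`, `destroyContext` and the log strings are stand-ins I chose for this illustration. The backtrace above shows the `UniquePtr<ShellContext>` destructor and the `ScopeExit` that calls `js::DestroyContext` both firing at the same line of `WorkerMain`; because C++ destroys locals in reverse declaration order, whichever of the two was declared later is torn down first. A liveness flag is used instead of dereferencing freed memory, so the program reports the dangling access instead of crashing.

```cpp
// Added illustration of the destruction-order bug class behind this report.
// Not SpiderMonkey code: ShellContext, ScopeExit, destroyContext and the log
// strings are stand-ins chosen for this example.
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

using Log = std::vector<std::string>;

// Minimal scope guard in the spirit of mozilla::ScopeExit: runs its callable
// when the guard object is destroyed at the end of the enclosing scope.
class ScopeExit {
public:
    explicit ScopeExit(std::function<void()> f) : f_(std::move(f)) {}
    ~ScopeExit() { f_(); }
    ScopeExit(const ScopeExit&) = delete;
    ScopeExit& operator=(const ScopeExit&) = delete;
private:
    std::function<void()> f_;
};

// Stand-in for the per-worker shell state whose storage the profiler uses.
// It flips an externally owned liveness flag so the demonstration can report
// a dangling access without actually reading freed memory.
struct ShellContext {
    ShellContext(Log& log, bool& alive) : log_(log), alive_(alive) { alive_ = true; }
    ~ShellContext() { alive_ = false; log_.push_back("ShellContext freed"); }
    Log& log_;
    bool& alive_;
};

// Stand-in for DestroyContext: the final GC it triggers consults profiler
// state that lives inside the ShellContext. In the real bug this was the
// heap-use-after-free; here it is reported through the liveness flag.
void destroyContext(Log& log, const bool& contextAlive) {
    log.push_back(contextAlive ? "DestroyContext: profiler stack ok"
                               : "DestroyContext: profiler stack DANGLING");
}

// Buggy ordering: the guard is declared BEFORE the owning pointer. Locals are
// destroyed in reverse declaration order, so the ShellContext is freed first
// and the guard's teardown then runs against a dead object.
Log wrongOrder() {
    Log log;
    bool alive = false;
    {
        ScopeExit guard([&] { destroyContext(log, alive); });
        auto sc = std::make_unique<ShellContext>(log, alive);
        (void)sc;  // the worker body would run here
    }
    return log;
}

// Fixed ordering: declare the owning pointer first so it outlives the guard,
// i.e. the teardown runs while everything it touches is still alive.
Log rightOrder() {
    Log log;
    bool alive = false;
    {
        auto sc = std::make_unique<ShellContext>(log, alive);
        ScopeExit guard([&] { destroyContext(log, alive); });
        (void)sc;
    }
    return log;
}

// True when the teardown completed before the ShellContext was freed.
bool teardownIsSafe(const Log& log) {
    return log.size() == 2 && log[0] == "DestroyContext: profiler stack ok" &&
           log[1] == "ShellContext freed";
}

int main() {
    return teardownIsSafe(rightOrder()) && !teardownIsSafe(wrongOrder()) ? 0 : 1;
}
```

The defensive takeaway is the review rule the fix applies: any scope guard that tears down a runtime must be declared after (and therefore destroyed before) every object that teardown can still touch. Under AddressSanitizer the real version of `wrongOrder` is exactly the `heap-use-after-free` in the description, with the free attributed to the `UniquePtr` destructor and the read to the guard's callable.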
Updated • 7 years ago
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
Updated • 7 years ago
Attachment #8839713 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/246d39385cd3
Delete things in the right order when finishing shell worker threads, r=jandem.
Comment 5 • 7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/246d39385cd3
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated • 7 years ago
Keywords: csectype-uaf
Updated • 4 years ago
Blocks: asan-maintenance