Bug 1343245
Opened 7 years ago
Closed 7 years ago
AddressSanitizer: heap-buffer-overflow [@ ExpressionDecompiler::decompilePC] with READ of size 1 or Assertion failure: index < size_t(parser.stackDepthAtPC(current)), at jsopcode.cpp:2262 or Crash
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla54
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr45 | --- | unaffected
firefox52 | --- | unaffected
firefox-esr52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | --- | fixed
People: Reporter: decoder, Assigned: arai
References: Blocks 1 open bug
Details: 6 keywords, Whiteboard: [jsbugmon:]
Attachments (1 file): patch, 1.86 KB, jandem: review+
The following testcase crashes on mozilla-central revision 1bc2ad020aee (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe):

```js
var o = { __iterator__: function() { return {}; } };
for (var j in o) {}
```

Backtrace:

```
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000b549 at pc 0x00000134d577 bp 0x7ffec8f38310 sp 0x7ffec8f38308
READ of size 1 at 0x60d00000b549 thread T0
    #0 0x134d576 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char) js/src/jsopcode.cpp:1711:21
    #1 0x12c2ded in DecompileExpressionFromStack(JSContext*, int, int, JS::Handle<JS::Value>, char**) js/src/jsopcode.cpp:2312:10
    #2 0x12c2ded in js::DecompileValueGenerator(JSContext*, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, int) js/src/jsopcode.cpp:2325
    #3 0x1139117 in js::ReportValueErrorFlags(JSContext*, unsigned int, unsigned int, int, JS::Handle<JS::Value>, JS::Handle<JSString*>, char const*, char const*) js/src/jscntxt.cpp:1021:13
    #4 0x74c8ed in js::ReportIsNotFunction(JSContext*, JS::Handle<JS::Value>, int, js::MaybeConstruct) js/src/vm/Interpreter.cpp:281:5
    #5 0x74c8ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:435
    #6 0x74d842 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:512:10
    #7 0x1273f0d in js::IteratorMore(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/jsiter.cpp:1458:10
    #8 0x726678 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2153:10
    [...]

0x60d00000b549 is located 35 bytes to the right of 134-byte region [0x60d00000b4a0,0x60d00000b526)
allocated by thread T0 here:
    #0 0x515be8 in __interceptor_malloc compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x82293b in js_malloc(unsigned long) dist/include/js/Utility.h:229:12
    #2 0x82293b in unsigned char* js_pod_malloc<unsigned char>(unsigned long) dist/include/js/Utility.h:420
    #3 0x82293b in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:56
    #4 0x82293b in unsigned char* js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:89
    #5 0x132cd50 in js::SharedScriptData::new_(JSContext*, unsigned int, unsigned int, unsigned int) js/src/jsscript.cpp:2251:54
    #6 0x132cd50 in JSScript::createScriptData(JSContext*, unsigned int, unsigned int, unsigned int) js/src/jsscript.cpp:2279
    #7 0x132cd50 in JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) js/src/jsscript.cpp:2788
    #8 0x14538a9 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) js/src/frontend/BytecodeEmitter.cpp:4923:10
    #9 0x1452a9d in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) js/src/frontend/BytecodeCompiler.cpp:379:18
    #10 0x1457de8 in BytecodeCompiler::compileGlobalScript(js::ScopeKind) js/src/frontend/BytecodeCompiler.cpp:408:12
    #11 0x1457de8 in js::frontend::CompileGlobalScript(JSContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::SourceCompressionTask*, js::ScriptSourceObject**) js/src/frontend/BytecodeCompiler.cpp:602
    #12 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:3993:16
    #13 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, char16_t const*, unsigned long, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4002
    #14 0x1164090 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, char const*, unsigned long, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4017
    #15 0x11645d7 in Compile(JSContext*, JS::ReadOnlyCompileOptions const&, js::ScopeKind, _IO_FILE*, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4028:12
    #16 0x11645d7 in JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, _IO_FILE*, JS::MutableHandle<JSScript*>) js/src/jsapi.cpp:4068
    [...]

SUMMARY: AddressSanitizer: heap-buffer-overflow js/src/jsopcode.cpp:1711:21 in (anonymous namespace)::ExpressionDecompiler::decompilePC(unsigned char*, unsigned char)
Shadow bytes around the buggy address:
  0x0c1a7fff9690: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff96a0: 00 00 00 00 06 fa fa fa fa[fa]fa fa fa fa 00 00
  0x0c1a7fff96b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
```

Marking s-s and sec-high based on crash with invalid read.
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•7 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•7 years ago
This report seems to suggest that we freed the JSScript while the expression decompiler is reading the bytes. Also, I would expect the Rooting Analysis to catch these issues ahead.
Flags: needinfo?(sphink)
Flags: needinfo?(arai.unmht)
Comment 3•7 years ago
Sorry, I forgot to read "buffer-overflow". So this is not something caught by the rooting analysis.
Flags: needinfo?(sphink)
Comment 4•7 years ago (Assignee)
Apparently we finally hit the `index >= size_t(parser.stackDepthAtPC(current))` case (bug 1322019 comment #31). I'll revert the change.
Flags: needinfo?(arai.unmht)
Comment 5•7 years ago (Assignee)
Surely we push a value before throwing an exception.
https://dxr.mozilla.org/mozilla-central/rev/e1135c6fdc9bcd80d38f7285b269e030716dcb72/js/src/vm/Interpreter.cpp#2140-2142

> PUSH_NULL();
> ReservedRooted<JSObject*> obj(&rootObject0, &REGS.sp[-2].toObject());
> if (!IteratorMore(cx, obj, REGS.stackHandleAt(-1)))
Comment 6•7 years ago (Assignee)
Reverted the change to FindStartPC, with an additional comment that points to JSOP_MOREITER.
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Attachment #8842033 - Flags: review?(nicolas.b.pierron)
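As an added illustration of the invariant discussed in comments 4 and 5 (this is a constructed toy model, not SpiderMonkey code; the opcodes and function names are assumptions), the block below walks a straight-line bytecode to find which op pushed a given stack slot and refuses to search for a slot at or above the depth on entry to the current op, which is exactly the slot that JSOP_MOREITER pushes before IteratorMore can fail and ask the decompiler to name the value:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy straight-line bytecode (constructed for this example; not SpiderMonkey's opcodes).
enum Op : uint8_t { OP_PUSH = 0, OP_POP = 1, OP_MOREITER = 2, OP_END = 3 };

// Net operand-stack effect of each op. OP_MOREITER stands in for JSOP_MOREITER,
// which pushes the slot for its result before calling into IteratorMore.
static int stackEffect(uint8_t op) {
    switch (op) {
      case OP_PUSH:     return 1;
      case OP_POP:      return -1;
      case OP_MOREITER: return 1;
      default:          return 0;
    }
}

// Stack depth on entry to `pc`, computed by a forward walk from the script start.
int stackDepthAtPC(const std::vector<uint8_t>& code, size_t pc) {
    int depth = 0;
    for (size_t i = 0; i < pc && i < code.size(); ++i)
        depth += stackEffect(code[i]);
    return depth;
}

// Find the pc of the op that pushed stack slot `index` (0 = bottom of stack) as
// the stack looks on entry to `current`. Returns -1 when no such op exists.
long findStartPC(const std::vector<uint8_t>& code, size_t current, int index) {
    if (current > code.size()) return -1;
    int depth = stackDepthAtPC(code, current);
    // The check this bug is about: a slot at or above the entry depth was pushed by
    // the current op itself (JSOP_MOREITER's result slot), so no earlier pc produced it.
    if (index < 0 || index >= depth) return -1;
    for (size_t i = current; i-- > 0;) {
        int effect = stackEffect(code[i]);
        int before = depth - effect;            // depth on entry to op i
        if (effect > 0 && index >= before)      // op i pushed the slot we want
            return static_cast<long>(i);
        depth = before;
    }
    return -1;
}

int main() {  // constructed script: two pushes, then the iterator step that can throw
    std::vector<uint8_t> code = { OP_PUSH, OP_PUSH, OP_MOREITER, OP_END };
    return (findStartPC(code, 2, 1) == 1 && findStartPC(code, 2, 2) == -1) ? 0 : 1;
}
```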
Updated•7 years ago
Blocks: 1322019
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Comment 9•7 years ago
Comment on attachment 8842033 [details] [diff] [review]
Handle the case that trying to decompile a value pushed by current bytecode.

Review of attachment 8842033 [details] [diff] [review]:
-----------------------------------------------------------------

Stealing as requested.
Attachment #8842033 - Flags: review?(nicolas.b.pierron) → review+
Comment 10•7 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a20a634742e88d1f364987ddc8b9221bf6e4697
Bug 1343245 - Handle the case that trying to decompile a value pushed by current bytecode. r=jandem
Comment 11•7 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/5d5f51eff4380778908063d6fcd9bb9d73df1b11
Bug 1343245 followup - Add |jit-test| error:TypeError. r=bustage
Comment 12•7 years ago
https://hg.mozilla.org/mozilla-central/rev/7a20a634742e
https://hg.mozilla.org/mozilla-central/rev/5d5f51eff438
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
Group: core-security-release
Updated•4 years ago
Blocks: asan-maintenance