Closed
Bug 1377857
Opened 7 years ago
Closed 7 years ago
Crash [@ js::GetObjectClass] with use-after-free using enableGeckoProfiling
Categories
(Core :: JavaScript Engine, defect)
Tracking
VERIFIED
FIXED
mozilla56
| | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | unaffected |
| firefox56 | --- | verified |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
Crash Data
The following testcase crashes on mozilla-central revision 4d3de12dcdc5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

```js
enableGeckoProfiling();
var lfLogBuffer = `
function TestCase(eval, d, e, a) {}
function f() {}
function g(n, h) {
    var t = g(TestCase.toSource());
}
g(80, f);
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
    try {
        oomTest(function() {
            eval(lfVarx);
        });
    } catch (lfVare) {}
}
```

Backtrace:

```
received signal SIGSEGV, Segmentation fault.
0x0000000000a6b2ab in js::GetObjectClass (obj=<optimized out>) at js/src/jsfriendapi.h:623
#0  0x0000000000a6b2ab in js::GetObjectClass (obj=<optimized out>) at js/src/jsfriendapi.h:623
#1  js::IsProxy (obj=<optimized out>) at js/Proxy.h:366
#2  js::IsWrapper (obj=0x7ffff4691340) at js/src/jswrapper.h:339
#3  JSObject::is<js::WrapperObject> (this=0x7ffff4691340) at js/src/vm/WrapperObject.h:37
#4  js::UncheckedUnwrapWithoutExpose (wrapped=0x7ffff4691340) at js/src/proxy/Wrapper.cpp:357
#5  0x0000000000a13b1d in JSScript::scriptSourceUnwrap (this=this@entry=0x7ffff6966080) at js/src/jsscript.cpp:1061
#6  JSScript::scriptSource (this=this@entry=0x7ffff4692d30) at js/src/jsscript.cpp:1066
#7  0x00000000006a2292 in JSScript::filename (this=0x7ffff4692d30) at js/src/jsscript.h:1675
#8  MarkJitProfilerEvent (rt=0x7ffff695e000, script=0x7ffff4692d30, event=<optimized out>) at js/src/jit/Ion.cpp:531
#9  0x00000000006a97a1 in FinishInvalidationOf (addMarker=<optimized out>, ionScript=<optimized out>, script=<optimized out>, fop=0x7ffff6966080) at js/src/jit/Ion.cpp:3295
#10 js::jit::FinishInvalidation (fop=fop@entry=0x7ffff6966080, script=<optimized out>, addMarker=addMarker@entry=true) at js/src/jit/Ion.cpp:3305
#11 0x0000000000e63ac2 in JS::Zone::discardJitCode (this=0x7ffff4262000, fop=0x7ffff6966080, discardBaselineCode=discardBaselineCode@entry=false, addMarkers=addMarkers@entry=true) at js/src/gc/Zone.cpp:205
#12 0x0000000000c5c8d4 in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7ffffffec730, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4617
#13 0x00000000009affff in js::gc::GCRuntime::sweepTypeInformation (gc=0x7ffff695e5f8, fop=<optimized out>, zone=<optimized out>, budget=..., kind=<optimized out>) at js/src/jsgc.cpp:5541
#14 0x00000000009e3318 in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff695e5f8, budget=..., lock=...) at js/src/jsgc.cpp:5767
#15 0x00000000009e7af3 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695e5f8, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC, lock=...) at js/src/jsgc.cpp:6382
#16 0x00000000009e9024 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e5f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at js/src/jsgc.cpp:6667
#17 0x00000000009e9918 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e5f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at js/src/jsgc.cpp:6816
#18 0x00000000009e9caa in js::gc::GCRuntime::startGC (this=0x7ffff695e5f8, gckind=GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC, millis=0) at js/src/jsgc.cpp:6894
#19 0x00000000009e9fe2 in js::gc::GCRuntime::gcIfRequested (this=0x7ffff695e5f8) at js/src/jsgc.cpp:7092
#20 0x0000000000be62e8 in InvokeInterruptCallback (cx=0x7ffff694c000) at js/src/vm/Runtime.cpp:506
#21 0x000026a0a3ab7d55 in ?? ()
[...]
#29 0x0000000000000000 in ?? ()
rax 0xfffe4b4b4b4b4b4b -480163195565237
rbx 0x7ffff4691340 140737293914944
rcx 0x3 3
rdx 0x7ffff6a00008 140737331068936
rsi 0x7ffff4692d30 140737293921584
rdi 0x7ffff4691340 140737293914944
rbp 0x7ffffffec590 140737488274832
rsp 0x7ffffffec560 140737488274784
r8 0x0 0
r9 0x7ffff6a00fd8 140737331072984
r10 0x7ffff6925004 140737330171908
r11 0x246 582
r12 0xbad0bad1 3134241489
r13 0xfffdffffffffffff -562949953421313
r14 0x7fffffffffff 140737488355327
r15 0xfff9800000000000 -1829587348619264
rip 0xa6b2ab <js::UncheckedUnwrapWithoutExpose(JSObject*)+59>
=> 0xa6b2ab <js::UncheckedUnwrapWithoutExpose(JSObject*)+59>: mov (%rax),%rax
   0xa6b2ae <js::UncheckedUnwrapWithoutExpose(JSObject*)+62>: testb $0x10,0xa(%rax)
```

This looks like a use-after-free so I'll mark it s-s for now. However, it uses gecko profiling, so it might turn out to be not exploitable without involving devtools.
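The register dump above is what makes the use-after-free reading plausible before any source is consulted: the faulting load `mov (%rax),%rax` goes through a register whose low six bytes are one repeated fill byte, the kind of pattern a GC writes into swept cells. The following triage helper is an added example, not part of the bug report or of SpiderMonkey; it parses the dump as posted in comment 0, flags registers filled with a single repeated byte, and checks whether the register named in the faulting instruction's memory operand is one of them. The mapping of the byte 0x4B to the name JS_SWEPT_TENURED_PATTERN is an assumption taken from SpiderMonkey's js/src/jsutil.h of that era and is illustrative only.

```python
"""Added triage helper for a gdb register dump (example code, not from the bug
report). Finds registers whose low 48 bits are a single repeated fill byte and
ties them to the register dereferenced by the faulting instruction."""
import re

# Register dump from comment 0 of this bug, re-wrapped to one register per line.
REGISTER_DUMP = """
rax 0xfffe4b4b4b4b4b4b -480163195565237
rbx 0x7ffff4691340 140737293914944
rcx 0x3 3
rdx 0x7ffff6a00008 140737331068936
rsi 0x7ffff4692d30 140737293921584
rdi 0x7ffff4691340 140737293914944
rbp 0x7ffffffec590 140737488274832
rsp 0x7ffffffec560 140737488274784
r8 0x0 0
r9 0x7ffff6a00fd8 140737331072984
r10 0x7ffff6925004 140737330171908
r11 0x246 582
r12 0xbad0bad1 3134241489
r13 0xfffdffffffffffff -562949953421313
r14 0x7fffffffffff 140737488355327
r15 0xfff9800000000000 -1829587348619264
"""

# Faulting instruction from the same dump: the load through rax.
FAULTING_INSN = "mov (%rax),%rax"

# Assumed mapping (from SpiderMonkey's js/src/jsutil.h of that era): the byte
# the GC writes into tenured cells it has swept. Illustrative, not authoritative.
POISON_BYTES = {0x4B: "JS_SWEPT_TENURED_PATTERN"}

# One gdb "info registers" line: name, hex value, decimal value.
REG_LINE = re.compile(r"^\s*(r[a-z0-9]+)\s+0x([0-9a-f]+)\s+-?\d+\s*$", re.M)


def parse_registers(dump):
    """Map register name -> integer value for every 'name 0xhex decimal' line."""
    return {m.group(1): int(m.group(2), 16) for m in REG_LINE.finditer(dump)}


def repeated_fill_byte(value, nbytes=6):
    """Return the byte if the low `nbytes` bytes of `value` are all that byte, else None.

    The low 48 bits are examined because user-space x86-64 pointers fit in 47
    bits; the upper 16 bits of a JS::Value carry tag bits and are ignored."""
    low = value & ((1 << (8 * nbytes)) - 1)
    first = low & 0xFF
    if all(((low >> (8 * i)) & 0xFF) == first for i in range(nbytes)):
        return first
    return None


def dereferenced_register(insn):
    """Register inside the memory operand, e.g. 'rax' for 'mov (%rax),%rax'."""
    m = re.search(r"\(%([a-z0-9]+)\)", insn)
    return m.group(1) if m else None


def triage(dump, insn):
    """Tie poisoned-looking registers to the faulting memory operand."""
    regs = parse_registers(dump)
    poisoned = []
    for name, value in regs.items():
        fill = repeated_fill_byte(value)
        # All-zero and all-ones words are too common to be informative.
        if fill is None or fill in (0x00, 0xFF):
            continue
        poisoned.append({"register": name, "value": value, "fill_byte": fill,
                         "pattern": POISON_BYTES.get(fill, "unrecognised fill byte")})
    target = dereferenced_register(insn)
    hit = next((p for p in poisoned if p["register"] == target), None)
    return {
        "faulting_register": target,
        "faulting_value": regs.get(target),
        "poisoned": poisoned,
        "pattern": hit["pattern"] if hit else None,
        # A load through a register full of GC poison is the usual signature of
        # touching a swept cell, which is what the reporter suspects here.
        "consistent_with_uaf": hit is not None,
    }


if __name__ == "__main__":
    report = triage(REGISTER_DUMP, FAULTING_INSN)
    print(f"faulting load through %{report['faulting_register']} = "
          f"{report['faulting_value']:#x}")
    for p in report["poisoned"]:
        print(f"  {p['register']}: fill byte {p['fill_byte']:#04x} ({p['pattern']})")
    print("consistent with use-after-free:", report["consistent_with_uaf"])
```

On this dump only rax is flagged: r13 and r8 are all-ones and all-zero words and are skipped, and every other register holds a normal pointer or small integer. Because the faulting instruction reads through rax, the helper reports the crash as consistent with a use-after-free, matching the reporter's assessment; the backtrace then shows where the stale read happens (a profiler marker fetching the script's source while the GC is discarding JIT code).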
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•7 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/72f2cb8b917e
user:        Nicholas Nethercote
date:        Wed Jun 28 16:44:46 2017 -0700
summary:     Bug 1329923 - Emit profiler markers for discarding Ion code. r=h4writer,njn. r=jandem,h4writer.

This iteration took 279.451 seconds to run.
Updated•7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 2•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 283debe8155a).
Nick, is bug 1329923 a likely regressor?
Blocks: 1329923
Flags: needinfo?(n.nethercote)
Comment 4•7 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Nick, is bug 1329923 a likely regressor?

It's likely, yes. I will take a look.
Assignee: nobody → n.nethercote
Flags: needinfo?(n.nethercote)
Comment 5•7 years ago
I backed out the patch from bug 1329923.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
Status: RESOLVED → VERIFIED
Comment 6•7 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla56
Updated•7 years ago
Group: core-security-release