Closed Bug 1377857 Opened 8 years ago Closed 8 years ago

Crash [@ js::GetObjectClass] with use-after-free using enableGeckoProfiling

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- verified

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

Crash Data

The following testcase crashes on mozilla-central revision 4d3de12dcdc5 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

// enableGeckoProfiling() and oomTest() are JS shell builtins, not web APIs.
enableGeckoProfiling();
var lfLogBuffer = `
function TestCase(eval, d, e, a) {}
function f() {}
function g(n, h) {
  var t = g(TestCase.toSource());
}
g(80, f);
`;
loadFile(lfLogBuffer);
function loadFile(lfVarx) {
  try {
    oomTest(function() {
      eval(lfVarx);
    });
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000000000a6b2ab in js::GetObjectClass (obj=<optimized out>) at js/src/jsfriendapi.h:623
#0  0x0000000000a6b2ab in js::GetObjectClass (obj=<optimized out>) at js/src/jsfriendapi.h:623
#1  js::IsProxy (obj=<optimized out>) at js/Proxy.h:366
#2  js::IsWrapper (obj=0x7ffff4691340) at js/src/jswrapper.h:339
#3  JSObject::is<js::WrapperObject> (this=0x7ffff4691340) at js/src/vm/WrapperObject.h:37
#4  js::UncheckedUnwrapWithoutExpose (wrapped=0x7ffff4691340) at js/src/proxy/Wrapper.cpp:357
#5  0x0000000000a13b1d in JSScript::scriptSourceUnwrap (this=this@entry=0x7ffff6966080) at js/src/jsscript.cpp:1061
#6  JSScript::scriptSource (this=this@entry=0x7ffff4692d30) at js/src/jsscript.cpp:1066
#7  0x00000000006a2292 in JSScript::filename (this=0x7ffff4692d30) at js/src/jsscript.h:1675
#8  MarkJitProfilerEvent (rt=0x7ffff695e000, script=0x7ffff4692d30, event=<optimized out>) at js/src/jit/Ion.cpp:531
#9  0x00000000006a97a1 in FinishInvalidationOf (addMarker=<optimized out>, ionScript=<optimized out>, script=<optimized out>, fop=0x7ffff6966080) at js/src/jit/Ion.cpp:3295
#10 js::jit::FinishInvalidation (fop=fop@entry=0x7ffff6966080, script=<optimized out>, addMarker=addMarker@entry=true) at js/src/jit/Ion.cpp:3305
#11 0x0000000000e63ac2 in JS::Zone::discardJitCode (this=0x7ffff4262000, fop=0x7ffff6966080, discardBaselineCode=discardBaselineCode@entry=false, addMarkers=addMarkers@entry=true) at js/src/gc/Zone.cpp:205
#12 0x0000000000c5c8d4 in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7ffffffec730, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4617
#13 0x00000000009affff in js::gc::GCRuntime::sweepTypeInformation (gc=0x7ffff695e5f8, fop=<optimized out>, zone=<optimized out>, budget=..., kind=<optimized out>) at js/src/jsgc.cpp:5541
#14 0x00000000009e3318 in js::gc::GCRuntime::performSweepActions (this=this@entry=0x7ffff695e5f8, budget=..., lock=...) at js/src/jsgc.cpp:5767
#15 0x00000000009e7af3 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff695e5f8, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC, lock=...) at js/src/jsgc.cpp:6382
#16 0x00000000009e9024 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff695e5f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at js/src/jsgc.cpp:6667
#17 0x00000000009e9918 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff695e5f8, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::TOO_MUCH_MALLOC) at js/src/jsgc.cpp:6816
#18 0x00000000009e9caa in js::gc::GCRuntime::startGC (this=0x7ffff695e5f8, gckind=GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC, millis=0) at js/src/jsgc.cpp:6894
#19 0x00000000009e9fe2 in js::gc::GCRuntime::gcIfRequested (this=0x7ffff695e5f8) at js/src/jsgc.cpp:7092
#20 0x0000000000be62e8 in InvokeInterruptCallback (cx=0x7ffff694c000) at js/src/vm/Runtime.cpp:506
#21 0x000026a0a3ab7d55 in ?? ()
[...]
#29 0x0000000000000000 in ?? ()

rax 0xfffe4b4b4b4b4b4b -480163195565237
rbx 0x7ffff4691340 140737293914944
rcx 0x3 3
rdx 0x7ffff6a00008 140737331068936
rsi 0x7ffff4692d30 140737293921584
rdi 0x7ffff4691340 140737293914944
rbp 0x7ffffffec590 140737488274832
rsp 0x7ffffffec560 140737488274784
r8  0x0 0
r9  0x7ffff6a00fd8 140737331072984
r10 0x7ffff6925004 140737330171908
r11 0x246 582
r12 0xbad0bad1 3134241489
r13 0xfffdffffffffffff -562949953421313
r14 0x7fffffffffff 140737488355327
r15 0xfff9800000000000 -1829587348619264
rip 0xa6b2ab <js::UncheckedUnwrapWithoutExpose(JSObject*)+59>

=> 0xa6b2ab <js::UncheckedUnwrapWithoutExpose(JSObject*)+59>: mov (%rax),%rax
   0xa6b2ae <js::UncheckedUnwrapWithoutExpose(JSObject*)+62>: testb $0x10,0xa(%rax)

This looks like a use-after-free so I'll mark it s-s for now. However, it uses gecko profiling, so it might turn out to be not exploitable without involving devtools.
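The failure shape in the backtrace above is a hook that runs while the collector is sweeping (discardJitCode emitting a profiler marker) and follows a script's pointer to its source object after that object has already been swept. The following is an added example in C, not SpiderMonkey code, that reproduces that ordering on a toy mark-sweep heap and shows two ways to avoid it: checking the peer's state in a side table before dereferencing, or running all discard hooks before any cell is poisoned. The cell layout, the 0x4B poison byte, the kind tags and all function names are assumptions made for this illustration.

```c
/*
 * Added example (not SpiderMonkey code): a toy mark-sweep heap in which an
 * "on discard" hook, standing in for the profiler marker in the backtrace,
 * reads a script's source object during sweeping. Names, poison byte and
 * cell layout are assumptions for illustration only.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SWEPT_POISON 0x4B          /* assumed: byte written over swept cells */
#define NCELLS       4
#define KIND_SOURCE  0x00435253u   /* assumed tag for a "source" cell */
#define KIND_SCRIPT  0x00545043u   /* assumed tag for a "script" cell */

typedef struct Cell {
    uint32_t kind;
    char filename[16];
    struct Cell *source;           /* script -> source, like JSScript -> its source object */
} Cell;

enum State { FREE = 0, LIVE, SWEPT };

/* Cell memory is poisoned on sweep; the state table beside it is not. */
static Cell heap[NCELLS];
static enum State state[NCELLS];

typedef struct { bool read; uint32_t kind; } Observation;

static size_t idx(const Cell *c) { return (size_t)(c - heap); }

static Cell *alloc_cell(uint32_t kind, const char *name) {
    for (size_t i = 0; i < NCELLS; i++) {
        if (state[i] != FREE) continue;
        state[i] = LIVE;
        heap[i].kind = kind;
        snprintf(heap[i].filename, sizeof heap[i].filename, "%s", name);
        heap[i].source = NULL;
        return &heap[i];
    }
    return NULL;
}

/* Vulnerable hook: assumes script->source is still intact. */
static Observation unsafe_hook(const Cell *script) {
    Observation o = { true, script->source->kind };
    return o;
}

/* Hardened hook: consults the side table before touching the peer object. */
static Observation safe_hook(const Cell *script) {
    Observation o = { false, 0 };
    const Cell *src = script->source;
    if (src != NULL && state[idx(src)] == LIVE) {
        o.read = true;
        o.kind = src->kind;
    }
    return o;
}

static void poison(size_t i) {
    memset(&heap[i], SWEPT_POISON, sizeof heap[i]);
    state[i] = SWEPT;
}

/* Sweep every dead cell (this toy has no roots, so every cell is dead).
 * With hooks_before_poison=false the discard hook is interleaved with
 * poisoning, which is the ordering that lets it see an already-swept peer. */
static Observation sweep(bool hardened, bool hooks_before_poison) {
    Observation last = { false, 0 };
    for (size_t i = 0; i < NCELLS; i++) {
        if (state[i] != LIVE) continue;
        if (heap[i].kind == KIND_SCRIPT)
            last = hardened ? safe_hook(&heap[i]) : unsafe_hook(&heap[i]);
        if (!hooks_before_poison) poison(i);
    }
    if (hooks_before_poison)
        for (size_t i = 0; i < NCELLS; i++)
            if (state[i] == LIVE) poison(i);
    return last;
}

/* The source is allocated before the script, so it is swept first. */
Observation run_scenario(bool hardened, bool hooks_before_poison) {
    memset(heap, 0, sizeof heap);
    memset(state, 0, sizeof state);
    Cell *source = alloc_cell(KIND_SOURCE, "test.js");
    Cell *script = alloc_cell(KIND_SCRIPT, "g");
    script->source = source;
    return sweep(hardened, hooks_before_poison);
}

int main(void) {
    Observation o = run_scenario(false, false);
    printf("unsafe hook, interleaved sweep: kind=0x%08x (poison)\n", o.kind);
    o = run_scenario(true, false);
    printf("safe hook,   interleaved sweep: read=%d (skipped)\n", o.read);
    o = run_scenario(false, true);
    printf("unsafe hook, hooks run first:   kind=0x%08x\n", o.kind);
    return 0;
}
```

In the interleaved sweep the unsafe hook reads 0x4B4B4B4B through a pointer that is still valid but points at poisoned memory, the same situation as the 0x4b4b4b4b4b4b payload in rax above; the hardened hook refuses the read, and reordering the sweep so that all hooks run before any poisoning makes even the unsafe hook correct. Which of these fits a real engine depends on its sweep phases; this bug was resolved by backing out the regressing patch rather than by either change.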
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/72f2cb8b917e
user: Nicholas Nethercote
date: Wed Jun 28 16:44:46 2017 -0700
summary: Bug 1329923 - Emit profiler markers for discarding Ion code. r=h4writer,njn. r=jandem,h4writer.

This iteration took 279.451 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 283debe8155a).
Nick, is bug 1329923 a likely regressor?
Blocks: 1329923
Flags: needinfo?(n.nethercote)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3)
> Nick, is bug 1329923 a likely regressor?

It's likely, yes. I will take a look.
Assignee: nobody → n.nethercote
Flags: needinfo?(n.nethercote)
I backed out the patch from bug 1329923.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Target Milestone: --- → mozilla56
Group: core-security-release
Assignee: n.nethercote → nobody
Keywords: bugmon