Closed Bug 1402836 Opened 4 years ago Closed 4 years ago

Intermittent AddressSanitizer: heap-use-after-free in LinkedList.h:245:18 in remove during js/src/jit-test/tests/basic/cooperative-threading.js

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

57 Branch
defect

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox57 --- disabled
firefox58 --- fixed

People

(Reporter: RyanVM, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, csectype-uaf, testcase)

Attachments

(1 file)

Jan, can you help redirect this to an appropriate owner? Thanks!

https://treeherder.mozilla.org/logviewer.html#?job_id=133039528&repo=mozilla-beta&lineNumber=8985

TEST-PASS | js/src/jit-test/tests/basic/cross-global-for-in.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off") [0.3 s]
=================================================================
==86675==ERROR: AddressSanitizer: heap-use-after-free on address 0x61600002eec8 at pc 0x000000585043 bp 0x7ffff1808970 sp 0x7ffff1808968
WRITE of size 8 at 0x61600002eec8 thread T16
    #0 0x585042 in remove /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/LinkedList.h:245:18
    #1 0x585042 in ~LinkedListElement /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/LinkedList.h:198
    #2 0x585042 in js::shell::ShellContext::~ShellContext() /builds/worker/workspace/build/src/js/src/shell/jsshell.h:171
    #3 0x56ca44 in js_delete<js::shell::ShellContext> /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:390:13
    #4 0x56ca44 in operator() /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:492
    #5 0x56ca44 in reset /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/UniquePtr.h:343
    #6 0x56ca44 in ~UniquePtr /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/UniquePtr.h:288
    #7 0x56ca44 in WorkerMain(void*) /builds/worker/workspace/build/src/js/src/shell/js.cpp:3539
    #8 0x56cf25 in callMain<0> /builds/worker/workspace/build/src/js/src/threading/Thread.h:234:5
    #9 0x56cf25 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start(void*) /builds/worker/workspace/build/src/js/src/threading/Thread.h:227
    #10 0x7ffff7bc6aa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)
    #11 0x7ffff64a6bcc in clone (/lib64/libc.so.6+0xe8bcc)

0x61600002eec8 is located 72 bytes inside of 520-byte region [0x61600002ee80,0x61600002f088)
freed by thread T15 here:
    #0 0x4ea44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x56ca4c in js_free /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:264:5
    #2 0x56ca4c in js_delete<js::shell::ShellContext> /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:391
    #3 0x56ca4c in operator() /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:492
    #4 0x56ca4c in reset /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/UniquePtr.h:343
    #5 0x56ca4c in ~UniquePtr /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/UniquePtr.h:288
    #6 0x56ca4c in WorkerMain(void*) /builds/worker/workspace/build/src/js/src/shell/js.cpp:3539
    #7 0x56cf25 in callMain<0> /builds/worker/workspace/build/src/js/src/threading/Thread.h:234:5
    #8 0x56cf25 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start(void*) /builds/worker/workspace/build/src/js/src/threading/Thread.h:227
    #9 0x7ffff7bc6aa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)

previously allocated by thread T15 here:
    #0 0x4ea79c in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x56be95 in js_malloc /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:236:12
    #2 0x56be95 in js_new<js::shell::ShellContext, JSContext *&> /builds/worker/workspace/build/src/obj-spider/dist/include/js/Utility.h:353
    #3 0x56be95 in MakeUnique<js::shell::ShellContext, JSContext *&> /builds/worker/workspace/build/src/obj-spider/dist/include/js/UniquePtr.h:48
    #4 0x56be95 in WorkerMain(void*) /builds/worker/workspace/build/src/js/src/shell/js.cpp:3470
    #5 0x56cf25 in callMain<0> /builds/worker/workspace/build/src/js/src/threading/Thread.h:234:5
    #6 0x56cf25 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start(void*) /builds/worker/workspace/build/src/js/src/threading/Thread.h:227
    #7 0x7ffff7bc6aa0 in start_thread (/lib64/libpthread.so.0+0x7aa0)

Thread T16 created by T0 here:
    #0 0x4d2b76 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x162354d in js::Thread::create(void* (*)(void*), void*) /builds/worker/workspace/build/src/js/src/threading/posix/Thread.cpp:104:7
    #2 0x56bc33 in bool js::Thread::init<void (&)(void*), WorkerInput*&>(void (&)(void*), WorkerInput*&) /builds/worker/workspace/build/src/js/src/threading/Thread.h:117:12
    #3 0x56b4bd in EvalInThread(JSContext*, unsigned int, JS::Value*, bool) /builds/worker/workspace/build/src/js/src/shell/js.cpp:3632:29
    #4 0x7f0624 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #5 0x7f0624 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #6 0xa42f15 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2589:14
    #7 0x2bc5c67c3aef  (<unknown module>)
    #8 0x62100029fa1f  (<unknown module>)
    #9 0x2bc5c67b8732  (<unknown module>)

Thread T15 created by T0 here:
    #0 0x4d2b76 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x162354d in js::Thread::create(void* (*)(void*), void*) /builds/worker/workspace/build/src/js/src/threading/posix/Thread.cpp:104:7
    #2 0x56bc33 in bool js::Thread::init<void (&)(void*), WorkerInput*&>(void (&)(void*), WorkerInput*&) /builds/worker/workspace/build/src/js/src/threading/Thread.h:117:12
    #3 0x56b4bd in EvalInThread(JSContext*, unsigned int, JS::Value*, bool) /builds/worker/workspace/build/src/js/src/shell/js.cpp:3632:29
    #4 0x7f0624 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #5 0x7f0624 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #6 0xa42f15 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2589:14
    #7 0x2bc5c67c3aef  (<unknown module>)
    #8 0x62100029f85f  (<unknown module>)
    #9 0x2bc5c67b8732  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-spider/dist/include/mozilla/LinkedList.h:245:18 in remove
Shadow bytes around the buggy address:
  0x0c2c7fffdd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffdd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffdda0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffddb0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffddc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c7fffddd0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c2c7fffdde0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffddf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffde00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fffde10: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffde20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==86675==ABORTING
Exit code: 1
FAIL - basic/cooperative-threading.js
Flags: needinfo?(jdemooij)
This is when running cooperative-threading.js so it's probably an issue with cooperative scheduling.
Flags: needinfo?(bhackett1024)
Priority: -- → P2
Attached patch: patch
Sorry for the delay. This is a shell-only problem where worker threads are destroying their ShellContexts after they have yielded and are no longer the active cooperative thread for their runtime. ShellContext includes linked list elements threaded through the runtime (via PersistentRooted), so these threads will race each other (and the main thread) when shutting down.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8917343 - Flags: review?(jdemooij)
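The shutdown race described in the comment above, as an added example that is not code from the bug's patch or from SpiderMonkey. It models an intrusive doubly linked list in the style of mozilla::LinkedList, where an element unlinks itself in its destructor by writing to its neighbours' prev/next pointers, threaded through a "runtime" that only the active cooperative thread may mutate. The names (Runtime, Elem, ShutdownResult), the two-step split of remove() into a read half and a write half, and the use of a `freed` flag instead of a real heap free are hypothetical simplifications chosen so the interleaving from the ASan report can be replayed deterministically and the write into freed memory counted instead of crashing.

```cpp
// Added example (not from the bug's patch or SpiderMonkey): replays the
// cooperative-thread shutdown race on a mozilla::LinkedList-style intrusive
// list. Names and the remove() split are hypothetical; nothing is freed for
// real, a `freed` flag stands in for the heap free.
#include <cassert>
#include <cstdio>

struct Elem;

// Shared state that several cooperative threads thread their elements through
// (the analogue of the runtime's PersistentRooted lists). Only the thread
// whose id equals `active` may mutate the list.
struct Runtime {
  Elem* sentinel = nullptr;
  int active = 0;         // id of the cooperative thread that owns the runtime now
  int unsafeWrites = 0;   // list writes made by a thread that was not `active`
  int writesToFreed = 0;  // list writes that landed in an already-freed element
};

struct Elem {
  Elem* prev = nullptr;
  Elem* next = nullptr;
  Runtime* rt = nullptr;
  int owner = 0;              // cooperative thread that created and will destroy it
  bool freed = false;
  Elem* savedPrev = nullptr;  // neighbours read by an in-progress remove()
  Elem* savedNext = nullptr;
};

static void initRuntime(Runtime* rt, Elem* sentinel) {
  sentinel->prev = sentinel->next = sentinel;
  sentinel->rt = rt;
  rt->sentinel = sentinel;
}

// Append while holding the runtime (the creation path is not what raced).
static void insertBack(Runtime* rt, Elem* e, int thread) {
  assert(rt->active == thread);
  e->rt = rt;
  e->owner = thread;
  e->prev = rt->sentinel->prev;
  e->next = rt->sentinel;
  e->prev->next = e;
  rt->sentinel->prev = e;
}

// remove() split into the two halves that can interleave without exclusion.
static void removeRead(Elem* e) {   // read my neighbours
  e->savedPrev = e->prev;
  e->savedNext = e->next;
}
static void removeWrite(Elem* e) {  // write into my neighbours (LinkedList.h:245 is such a write)
  Runtime* rt = e->rt;
  if (rt->active != e->owner) rt->unsafeWrites++;
  if (e->savedPrev->freed || e->savedNext->freed) rt->writesToFreed++;
  e->savedPrev->next = e->savedNext;
  e->savedNext->prev = e->savedPrev;
  e->prev = e->next = nullptr;
}
// The destructor path: unlink, then "free".
static void destroy(Elem* e) {
  removeRead(e);
  removeWrite(e);
  e->freed = true;
}

struct ShutdownResult {
  int unsafeWrites;
  int writesToFreed;
  bool listEmpty;  // sentinel points only at itself once both workers are gone
};

static ShutdownResult summarize(const Runtime& rt) {
  Elem* s = rt.sentinel;
  return {rt.unsafeWrites, rt.writesToFreed, s->next == s && s->prev == s};
}

// Buggy shutdown: workers 1 and 2 have both yielded (main thread 0 is active)
// and tear down their elements anyway. The halves of remove() interleave as
// in the ASan report: worker 2 reads its neighbour, worker 1 finishes
// unlinking and frees, worker 2 then writes through the stale pointer.
ShutdownResult buggyShutdown() {
  Runtime rt; Elem sentinel, e1, e2;
  initRuntime(&rt, &sentinel);
  rt.active = 1; insertBack(&rt, &e1, 1);
  rt.active = 2; insertBack(&rt, &e2, 2);
  rt.active = 0;      // both workers yielded; neither owns the runtime now
  removeRead(&e2);    // worker 2: prev is e1
  destroy(&e1);       // worker 1: unlinks and frees e1
  removeWrite(&e2);   // worker 2: writes e1->next, but e1 is already freed
  return summarize(rt);
}

// Fixed shutdown: each worker destroys its element while it is still the
// active cooperative thread, so the two remove() calls cannot interleave.
ShutdownResult fixedShutdown() {
  Runtime rt; Elem sentinel, e1, e2;
  initRuntime(&rt, &sentinel);
  rt.active = 1; insertBack(&rt, &e1, 1);
  rt.active = 2; insertBack(&rt, &e2, 2);
  rt.active = 2; destroy(&e2);   // worker 2 tears down before yielding
  rt.active = 1; destroy(&e1);   // worker 1 likewise
  rt.active = 0;
  return summarize(rt);
}

int main() {
  ShutdownResult b = buggyShutdown(), f = fixedShutdown();
  std::printf("buggy: unsafe=%d toFreed=%d empty=%d\n", b.unsafeWrites, b.writesToFreed, b.listEmpty);
  std::printf("fixed: unsafe=%d toFreed=%d empty=%d\n", f.unsafeWrites, f.writesToFreed, f.listEmpty);
  return 0;
}
```

The buggy sequence leaves the sentinel pointing at an element that was already unlinked and at one that was freed, which is the kind of corruption a later list walk would trip over even if the write itself did not crash. The invariant the fixed sequence restores is the one the comment states: a thread may only touch lists threaded through the runtime while it is the active cooperative thread, so ShellContext teardown has to happen before the final yield rather than after it.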
Attachment #8917343 - Flags: review?(jdemooij) → review+
Comment on attachment 8917343
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

This bug only affects the JS shell.
Attachment #8917343 - Flags: sec-approval?
Comment on attachment 8917343
patch

I'm open to a discussion on whether sec-approval applies to JSShell-only bugs if they can't affect the browser, but I'll give s-a+ to this no matter what.
Attachment #8917343 - Flags: sec-approval? → sec-approval+
Shell-only. Unhiding.
Group: javascript-core-security
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/8adc032add4e
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED