Closed
Bug 1417898
Opened 7 years ago
Closed 7 years ago
AddressSanitizer: heap-buffer-overflow [@ JS::Value::toTag] with READ of size 8 with async star function
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1415883
People
(Reporter: decoder, Unassigned)
Details
(5 keywords, Whiteboard: [jsbugmon:update,bisect][adv-main58-])
The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe):

var lfOffThreadGlobal = newGlobal();
async function* f() { yield {}; }
var x = f();
x.next();
for (lfLocal in this) lfOffThreadGlobal[lfLocal] = this[lfLocal];
x.next();
x.next();
x.next();
schedulegc(100);
x.next();
x.next(-Math.PI / 4);
x.next();

Backtrace:

==28891==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000012e40 at pc 0x00000059f120 bp 0x7ffeaf53c2b0 sp 0x7ffeaf53c2a8
READ of size 8 at 0x606000012e40 thread T0
    #0 0x59f11f in JS::Value::toTag() const dist/include/js/Value.h:437:32
    #1 0x59f11f in JS::Value::isString() const dist/include/js/Value.h:512
    #2 0x59f11f in _ZN2js13DispatchTypedINS_17PreBarrierFunctorIN2JS5ValueEEEJEEEDTclfp_scP8JSObjectLDnEspclsr7mozillaE7ForwardIT0_Efp1_EEET_RKS3_DpOS7_ dist/include/js/Value.h:1431
    #3 0x1741ea9 in js::InternalBarrierMethods<JS::Value>::preBarrier(JS::Value const&) js/src/gc/Barrier.h:283:9
    #4 0x1741ea9 in js::WriteBarrieredBase<JS::Value>::pre() js/src/gc/Barrier.h:374
    #5 0x1741ea9 in js::HeapSlot::~HeapSlot() js/src/gc/Barrier.h:678
    #6 0x1741ea9 in js::NativeObject::prepareElementRangeForOverwrite(unsigned long, unsigned long) js/src/vm/NativeObject.h:1007
    #7 0x1741ea9 in js::NativeObject::setDenseInitializedLengthUnchecked(unsigned int) js/src/vm/NativeObject.h:1179
    #8 0x1741ea9 in js::NativeObject::setDenseInitializedLength(unsigned int) js/src/vm/NativeObject.h:1196
    #9 0x1741ea9 in js::AsyncGeneratorRequest* js::ShiftFromList<js::AsyncGeneratorRequest>(JSContext*, JS::Handle<js::NativeObject*>) js/src/vm/List-inl.h:62
    #10 0x173293c in js::AsyncGeneratorObject::dequeueRequest(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/vm/AsyncIteration.cpp:373:12
    #11 0x8fbde4 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2769:13
    #12 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #13 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #14 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #15 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #16 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #17 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #18 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #19 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #20 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #21 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #22 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #23 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #24 0x8fd64c in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2918:12
    #25 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #26 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #27 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #28 0x9b38f3 in AsyncGeneratorPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>, JS::MutableHandle<JS::Value>) js/src/builtin/Promise.cpp:1122:14
    #29 0x9b38f3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) js/src/builtin/Promise.cpp:1201
    #30 0x7f1ac3 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:291:15
    [...]

0x606000012e40 is located 0 bytes to the right of 64-byte region [0x606000012e00,0x606000012e40)
allocated by thread T0 here:
    #0 0x50411d in __interceptor_realloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71
    #1 0x13c7b52 in js_realloc(void*, unsigned long) dist/include/js/Utility.h:406:12
    #2 0x13c7b52 in unsigned char* js_pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) dist/include/js/Utility.h:594
    #3 0x13c7b52 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) js/src/vm/MallocProvider.h:70
    #4 0x13c7b52 in unsigned char* js::MallocProvider<JS::Zone>::pod_realloc<unsigned char>(unsigned char*, unsigned long, unsigned long) js/src/vm/MallocProvider.h:173
    #5 0x1f98693 in js::Nursery::reallocateBuffer(JSObject*, void*, unsigned long, unsigned long) js/src/gc/Nursery.cpp:403:16
    #6 0x18eea2a in js::HeapSlot* js::ReallocateObjectBuffer<js::HeapSlot>(JSContext*, JSObject*, js::HeapSlot*, unsigned int, unsigned int) js/src/gc/Nursery-inl.h:135:34
    #7 0x18eea2a in js::NativeObject::shrinkElements(JSContext*, unsigned int) js/src/vm/NativeObject.cpp:1028
    #8 0x1741d6f in js::AsyncGeneratorRequest* js::ShiftFromList<js::AsyncGeneratorRequest>(JSContext*, JS::Handle<js::NativeObject*>) js/src/vm/List-inl.h:59:9
    #9 0x173293c in js::AsyncGeneratorObject::dequeueRequest(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/vm/AsyncIteration.cpp:373:12
    #10 0x8fbde4 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2769:13
    #11 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #12 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #13 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #14 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #15 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #16 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #17 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #18 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #19 0x8fcfa4 in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2890:16
    #20 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #21 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #22 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #23 0x8fd64c in AsyncGeneratorResumeNext(JSContext*, JS::Handle<js::AsyncGeneratorObject*>) js/src/builtin/Promise.cpp:2918:12
    #24 0x8fc247 in js::AsyncGeneratorResolve(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>, bool) js/src/builtin/Promise.cpp:2790:10
    #25 0x172fa13 in AsyncGeneratorReturned(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:416:12
    #26 0x172fa13 in js::AsyncGeneratorResume(JSContext*, JS::Handle<js::AsyncGeneratorObject*>, js::CompletionKind, JS::Handle<JS::Value>) js/src/vm/AsyncIteration.cpp:504
    #27 0x9b38f3 in AsyncGeneratorPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>, JS::MutableHandle<JS::Value>) js/src/builtin/Promise.cpp:1122:14
    #28 0x9b38f3 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) js/src/builtin/Promise.cpp:1201
    #29 0x7f1ac3 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:291:15
    [...]

SUMMARY: AddressSanitizer: heap-buffer-overflow dist/include/js/Value.h:437:32 in JS::Value::toTag() const
Shadow bytes around the buggy address:
  0x0c0c7fffa5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fffa5c0: 00 00 00 00 00 00 00 00[fa]fa fa fa 00 00 00 00
  0x0c0c7fffa5d0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:     fa

Found this after fixing the LangFuzz grammar for async/star function support. Obviously s-s.
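The two stacks above line up: the 64-byte region was produced by shrinkElements (ShiftFromList, List-inl.h:59) and the 8-byte read 0 bytes past its end comes from the pre-barrier that setDenseInitializedLength runs three lines later (List-inl.h:62). The following is an added stand-alone model of that ordering, not SpiderMonkey code; every name in it is hypothetical, a slot is 8 bytes like a JS::Value, and `count` is assumed to be at least 1.

```c
/* Model of the sequence in the backtrace: the element buffer is shrunk first
 * (List-inl.h:59 -> shrinkElements -> realloc) and the initialized length is
 * lowered afterwards (List-inl.h:62), whose pre-barrier reads every slot in
 * [newLen, oldLen). After the shrink those slots sit past the buffer end,
 * which is the "READ of size 8" ASan reports. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 8  /* a JS::Value is 8 bytes, matching "READ of size 8" */

typedef struct {
    unsigned char *elems;  /* capacity * SLOT_SIZE bytes on the heap */
    size_t capacity;       /* slots the buffer currently holds */
    size_t initLen;        /* slots holding initialized values */
    size_t oobReads;       /* barrier reads that would fall outside the buffer */
} DenseList;

/* Pre-barrier stand-in: the engine reads the old value's tag here. The model
 * counts a read past capacity instead of performing it. */
static void preBarrier(DenseList *l, size_t slot) {
    if (slot >= l->capacity) { l->oobReads++; return; }
    (void)l->elems[slot * SLOT_SIZE + 7];  /* in-bounds read of the tag byte */
}

static void setInitializedLength(DenseList *l, size_t newLen) {
    for (size_t i = newLen; i < l->initLen; i++) preBarrier(l, i);
    l->initLen = newLen;
}

static void shrinkElements(DenseList *l, size_t newCap) {
    l->elems = realloc(l->elems, newCap * SLOT_SIZE);
    l->capacity = newCap;
}

/* Shift one request off a constructed list of `count` slots and report how
 * many barrier reads would land outside the (shrunk) buffer. */
size_t shiftFront(size_t count, bool shrinkBeforeLengthUpdate) {
    DenseList l = { calloc(count, SLOT_SIZE), count, count, 0 };
    memmove(l.elems, l.elems + SLOT_SIZE, (count - 1) * SLOT_SIZE);
    if (shrinkBeforeLengthUpdate) {   /* order seen in the crashing build */
        shrinkElements(&l, count - 1);
        setInitializedLength(&l, count - 1);
    } else {                          /* slot still inside the buffer when read */
        setInitializedLength(&l, count - 1);
        shrinkElements(&l, count - 1);
    }
    free(l.elems);
    return l.oobReads;
}
```

With nine queued requests, as in the report (72 bytes shrunk to 64), the crashing order yields exactly one read at slot 8, i.e. the first byte past the region; lowering the length before shrinking yields none.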
Comment 1•7 years ago
This is bug 1415883.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 2•6 years ago
Mark 58/59 fixed as they were fixed in bug 1415883.
status-firefox59: --- → fixed
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main58-]
Updated•6 years ago
Group: javascript-core-security