AddressSanitizer: heap-use-after-free [@ js::TypeSet::unknown] with READ of size 4

RESOLVED FIXED in Firefox 58

Status: RESOLVED FIXED (defect, P1, critical); reported 2 years ago, updated 8 months ago
People: Reporter: decoder, Assigned: jandem
Tracking: Blocks 1 bug, 6 keywords
Version: Trunk; Target Milestone: mozilla59; Platform: x86_64 Linux
Bug Flags: qe-verify -
Firefox Tracking Flags: firefox-esr52 wontfix, firefox57 wontfix, firefox58+ fixed, firefox59+ fixed
Whiteboard: [jsbugmon:update,bisect][adv-main58+][post-critsmash-triage], crash signature
Attachments: 1 attachment, 1 obsolete attachment

The following testcase crashes on mozilla-central revision fc194660762d+ (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --baseline-eager):

Object.defineProperty(this, "fuzzutils", {
  value:{
      newGlobal: newGlobal,
  }
});
var lfOffThreadGlobal = newGlobal();
eval(`
gczeal(17);
newGlobal = function(o) {
  let g = fuzzutils.newGlobal(o);
  return g;
}
evaluate(\`
var evalInFrame = (function (global) {
  var dbgGlobal = newGlobal();
  var dbg = new dbgGlobal.Debugger();
  return function evalInFrame(upCount, code) {
    dbg.addDebuggee(global);
    var frame = dbg.getNewestFrame().older;
    for (var i = 0; i < upCount; i++)
      if (!frame.older)
        break;
    var completion = frame.eval(code);
    if (completion.return) {
      if (typeof v === "object")
        v = v.unsafeDereference();
    }
  };
})(this);
\`)
this.__defineGetter__("someProperty", function () {
  evalInFrame(1, "var x = 'success'"); 
});
try { evaluate("}"); } catch(exc) {}
try {
  Object.defineProperty(this, "fuzzutils", { 
    value:{}
  });
} catch(exc) {
  for (lfLocal in this)
    lfOffThreadGlobal[lfLocal] = this[lfLocal];
}
`);


Backtrace:

==9432==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000008bb0 at pc 0x000000a8ee57 bp 0x7ffe890618b0 sp 0x7ffe890618a8
READ of size 4 at 0x614000008bb0 thread T0
    #0 0xa8ee56 in js::TypeSet::unknown() const js/src/vm/TypeInference.h:406:38
    #1 0xa8ee56 in js::TypeSet::hasType(js::TypeSet::Type) const js/src/vm/TypeInference-inl.h:939
    #2 0xa8ee56 in js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) js/src/vm/TypeInference-inl.h:608
    #3 0xa11a8a in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:800:9
    #4 0x1d1bd97f727f  (<unknown module>)

0x614000008bb0 is located 368 bytes inside of 416-byte region [0x614000008a40,0x614000008be0)
freed by thread T0 here:
    #0 0x503a30 in __interceptor_free /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38
    #1 0x1aff8d5 in js_free(void*) dist/include/js/Utility.h:414:5
    #2 0x1aff8d5 in void js_delete<js::TypeScript>(js::TypeScript const*) dist/include/js/Utility.h:537
    #3 0x1aff8d5 in js::TypeScript::destroy() js/src/vm/TypeInference.cpp:4479
    #4 0x1aff8d5 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) js/src/vm/TypeInference.cpp:4448
    #5 0x212750c in JSScript::types() js/src/vm/TypeInference-inl.h:1200:5
    #6 0x212750c in JSScript::ensureHasTypes(JSContext*) js/src/vm/TypeInference-inl.h:1207
    #7 0x212750c in js::jit::BaselineCompiler::compile() js/src/jit/BaselineCompiler.cpp:101
    #8 0xa5abb8 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) js/src/jit/BaselineJIT.cpp:255:27
    #9 0x21796ca in RecompileBaselineScriptForDebugMode(JSContext*, JSScript*, js::Debugger::IsObserving) js/src/jit/BaselineDebugModeOSR.cpp:678:27
    #10 0x21796ca in js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) js/src/jit/BaselineDebugModeOSR.cpp:888
    #11 0x1776a55 in js::Debugger::updateExecutionObservabilityOfFrames(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) js/src/vm/Debugger.cpp:2522:14
    #12 0x174ce95 in js::Debugger::ensureExecutionObservabilityOfFrame(JSContext*, js::AbstractFramePtr) js/src/vm/Debugger.cpp:2749:12
    #13 0x174ce95 in js::Debugger::getScriptFrameWithIter(JSContext*, js::AbstractFramePtr, js::FrameIter const*, JS::MutableHandle<js::DebuggerFrame*>) js/src/vm/Debugger.cpp:815
    #14 0x17a2492 in js::Debugger::getScriptFrame(JSContext*, js::FrameIter const&, JS::MutableHandle<js::DebuggerFrame*>) js/src/vm/Debugger-inl.h:94:12
    #15 0x17a2492 in js::DebuggerFrame::getOlder(JSContext*, JS::Handle<js::DebuggerFrame*>, JS::MutableHandle<js::DebuggerFrame*>) js/src/vm/Debugger.cpp:7694
    #16 0x17b0626 in js::DebuggerFrame::olderGetter(JSContext*, unsigned int, JS::Value*) js/src/vm/Debugger.cpp:8382:10
    #17 0x7f1ac3 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:291:15
    #18 0x7f1ac3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:473
    #19 0x7f3c82 in InternalCall(JSContext*, js::AnyInvokeArgs const&) js/src/vm/Interpreter.cpp:522:12
    #20 0x7f3c82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:541
    #21 0x7f3c82 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:656
    #22 0x1908998 in CallGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.cpp:2117:16
    #23 0x1908998 in bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) js/src/vm/NativeObject.cpp:2170
    #24 0x1908998 in bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRooted<JS::Value, (js::AllowGC)1>::MutableHandleType) js/src/vm/NativeObject.cpp:2373
    #25 0x1908998 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.cpp:2409
    #26 0x1644025 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.h:1607:12
    #27 0x1644025 in js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const js/src/proxy/Wrapper.cpp:154
    #28 0x15f0983 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const js/src/proxy/CrossCompartmentWrapper.cpp:226:14
    #29 0x161f64f in js::Proxy::getInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp:352:12
    #30 0x161f64f in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/proxy/Proxy.cpp:362
    #31 0x7fca03 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.h:1606:16
    #32 0x7fca03 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) js/src/jsobj.h:805
    #33 0x7fca03 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:4407
    #34 0x105b551 in js::jit::ComputeGetPropResult(JSContext*, js::jit::BaselineFrame*, JSOp, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/SharedIC.cpp:1969:18
    #35 0x105b551 in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/SharedIC.cpp:2028
[...]
    #38 0xdc794e in EnterJit(JSContext*, js::RunState&, unsigned char*) js/src/jit/Jit.cpp:99:9
    #39 0xdc794e in js::jit::MaybeEnterJit(JSContext*, js::RunState&) js/src/jit/Jit.cpp:162
    #40 0x7c1e8c in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:408:34
    #41 0x7f1ed7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:495:15
    #42 0xa2b781 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:2551:14
[...]
    #46 0xdc794e in EnterJit(JSContext*, js::RunState&, unsigned char*) js/src/jit/Jit.cpp:99:9
    #47 0xdc794e in js::jit::MaybeEnterJit(JSContext*, js::RunState&) js/src/jit/Jit.cpp:162
    #48 0x7c1e8c in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:408:34
    #49 0x7f1ed7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:495:15
    #50 0x7f3c82 in InternalCall(JSContext*, js::AnyInvokeArgs const&) js/src/vm/Interpreter.cpp:522:12
    #51 0x7f3c82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:541
    #52 0x7f3c82 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:656

previously allocated by thread T0 here:
    #0 0x503eec in __interceptor_calloc /srv/repos/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66
    #1 0x15a023b in js_calloc(unsigned long) dist/include/js/Utility.h:389:12
    #2 0x15a023b in unsigned char* js_pod_calloc<unsigned char>(unsigned long) dist/include/js/Utility.h:583
    #3 0x15a023b in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_calloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:62
    #4 0x15a023b in unsigned char* js::MallocProvider<JS::Zone>::pod_calloc<unsigned char>(unsigned long) js/src/vm/MallocProvider.h:132
    #5 0x1aec8df in JSScript::makeTypes(JSContext*) js/src/vm/TypeInference.cpp:3376:9
    #6 0x2127535 in JSScript::ensureHasTypes(JSContext*) js/src/vm/TypeInference-inl.h:1207:23
    #7 0x2127535 in js::jit::BaselineCompiler::compile() js/src/jit/BaselineCompiler.cpp:101
    #8 0xa5abb8 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) js/src/jit/BaselineJIT.cpp:255:27
    #9 0xa5bac8 in CanEnterBaselineJIT(JSContext*, JS::Handle<JSScript*>, js::InterpreterFrame*) js/src/jit/BaselineJIT.cpp:299:12
    #10 0xa5bac8 in js::jit::CanEnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp:352
    #11 0xdc7095 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) js/src/jit/Jit.cpp:150:40
    #12 0x7c1e8c in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:408:34
    #13 0x7f4c4b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:706:15
    #14 0x841cac in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:327:12
    #15 0x8429da in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/builtin/Eval.cpp:438:12
    #16 0xa2b6b0 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:2535:14
[...]
    #20 0xdc794e in EnterJit(JSContext*, js::RunState&, unsigned char*) js/src/jit/Jit.cpp:99:9
[...]
    #30 0x55071f in main js/src/shell/js.cpp:8987

SUMMARY: AddressSanitizer: heap-use-after-free js/src/vm/TypeInference.h:406:38 in js::TypeSet::unknown() const
Shadow bytes around the buggy address:
  0x0c287fff9160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c287fff9170: fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa
  0x0c287fff9180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:       fa
  Freed heap region:       fd
==9432==ABORTING


I'm marking this s-s because I want to confirm first that this is a Debugger-only problem (it seems to be an interaction between the baseline compiler and debugger). If it is, then we can probably open this up but otherwise this could be a severe bug.
Jim, can you take a look at this to assess severity?
Flags: needinfo?(jimb)
I can reproduce this on Mac. It's unusually sensitive to small changes to the JS, but it does reproduce with --disable-optimize.

So here are the better stacks (maybe not necessary if you know the code well, though)

==67524==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000306a0 at pc 0x000103750638 bp 0x7ffeee2b04a0 sp 0x7ffeee2b0498
READ of size 4 at 0x6150000306a0 thread T0
    #0 0x103750637 in js::TypeSet::unknown() const TypeInference.h:406
    #1 0x10211fbf7 in js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, js::StackTypeSet*, JS::Value const&) TypeInference-inl.h:939
    #2 0x1020b0874 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) BaselineIC.cpp:800
    #3 0x2bf1e36be9da  (<unknown module>)
    #4 0x2bf1e36b84e7  (<unknown module>)
    #5 0x102655bf2 in EnterJit(JSContext*, js::RunState&, unsigned char*) Jit.cpp:99
    #6 0x102654be6 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) Jit.cpp:163
    #7 0x101c96cce in js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:408
    #8 0x101cf3d52 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) Interpreter.cpp:706
    #9 0x101d8c844 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) Eval.cpp:323
    #10 0x101d8d085 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Eval.cpp:434
    #11 0x1020d2b28 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) BaselineIC.cpp:2543
    #12 0x2bf1e36be5aa  (<unknown module>)
    #13 0x621000279fd7  (<unknown module>)
    #14 0x2bf1e36b84e7  (<unknown module>)
    #15 0x102655bf2 in EnterJit(JSContext*, js::RunState&, unsigned char*) Jit.cpp:99
    #16 0x102654be6 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) Jit.cpp:163
    #17 0x101c96cce in js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:408
    #18 0x101cf3d52 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) Interpreter.cpp:706
    #19 0x101cf4b0c in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) Interpreter.cpp:738
    #20 0x102e8d880 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) jsapi.cpp:4702
    #21 0x102e8dce1 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) jsapi.cpp:4735
    #22 0x101a2eb5d in RunFile(JSContext*, char const*, __sFILE*, bool) js.cpp:721
    #23 0x101a2d99e in Process(JSContext*, char const*, bool, FileKind) js.cpp:1073
    #24 0x1019964d6 in ProcessArgs(JSContext*, js::cli::OptionParser*) js.cpp:8208
    #25 0x101962624 in Shell(JSContext*, js::cli::OptionParser*, char**) js.cpp:8577
    #26 0x101957d46 in main js.cpp:9040
    #27 0x101948af3 in start (js:x86_64+0x100001af3)

0x6150000306a0 is located 416 bytes inside of 464-byte region [0x615000030500,0x6150000306d0)
freed by thread T0 here:
    #0 0x107e4c106 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59106)
    #1 0x103b46d24 in js_free(void*) Utility.h:418
    #2 0x103b42a60 in js::TypeScript::destroy() Utility.h:541
    #3 0x103b42310 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) TypeInference.cpp:4448
    #4 0x103188e8c in JSScript::types() TypeInference-inl.h:1200
    #5 0x10368f6cf in JSScript::ensureHasTypes(JSContext*) TypeInference-inl.h:1207
    #6 0x1044f1152 in js::jit::BaselineCompiler::compile() BaselineCompiler.cpp:101
    #7 0x10210b175 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) BaselineJIT.cpp:255
    #8 0x10454f768 in RecompileBaselineScriptForDebugMode(JSContext*, JSScript*, js::Debugger::IsObserving) BaselineDebugModeOSR.cpp:678
    #9 0x10454cd48 in js::jit::RecompileOnStackBaselineScriptsForDebugMode(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) BaselineDebugModeOSR.cpp:888
    #10 0x103502e9c in js::Debugger::updateExecutionObservabilityOfFrames(JSContext*, js::Debugger::ExecutionObservableSet const&, js::Debugger::IsObserving) Debugger.cpp:2521
    #11 0x1034dc57d in js::Debugger::ensureExecutionObservabilityOfFrame(JSContext*, js::AbstractFramePtr) Debugger.cpp:2748
    #12 0x1034db8d7 in js::Debugger::getScriptFrameWithIter(JSContext*, js::AbstractFramePtr, js::FrameIter const*, JS::MutableHandle<js::DebuggerFrame*>) Debugger.cpp:814
    #13 0x1035440c3 in js::Debugger::getScriptFrame(JSContext*, js::FrameIter const&, JS::MutableHandle<js::DebuggerFrame*>) Debugger-inl.h:94
    #14 0x103543cdb in js::DebuggerFrame::getOlder(JSContext*, JS::Handle<js::DebuggerFrame*>, JS::MutableHandle<js::DebuggerFrame*>) Debugger.cpp:7693
    #15 0x1035514c8 in js::DebuggerFrame::olderGetter(JSContext*, unsigned int, JS::Value*) Debugger.cpp:8381
    #16 0x101cef06c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) jscntxtinlines.h:291
    #17 0x101cf0561 in InternalCall(JSContext*, js::AnyInvokeArgs const&) Interpreter.cpp:522
    #18 0x101cf0846 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) Interpreter.cpp:541
    #19 0x101cf2e1f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Interpreter.cpp:656
    #20 0x103885ea6 in CallGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2120
    #21 0x10380995f in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) NativeObject.cpp:2173
    #22 0x101a28828 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) NativeObject.h:1616
    #23 0x10335a110 in js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const Wrapper.cpp:154
    #24 0x1032c5695 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const CrossCompartmentWrapper.cpp:226
    #25 0x103321139 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) Proxy.cpp:352
    #26 0x101a28620 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) NativeObject.h:1615
    #27 0x101a27ff8 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) jsobj.h:804
    #28 0x101cff0c6 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) Interpreter.cpp:4405
    #29 0x1029bf37d in js::jit::ComputeGetPropResult(JSContext*, js::jit::BaselineFrame*, JSOp, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) SharedIC.cpp:1963

previously allocated by thread T0 here:
    #0 0x107e4c4a0 in wrap_calloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x594a0)
    #1 0x107d24cec in SystemMalloc::calloc(unsigned long, unsigned long) malloc_decls.h:38
    #2 0x107d24b90 in DummyArenaAllocator<SystemMalloc>::moz_arena_calloc(unsigned long, unsigned long, unsigned long) malloc_decls.h:38
    #3 0x107d24b64 in moz_arena_calloc malloc_decls.h:116
    #4 0x1031e73f7 in js_calloc(unsigned long) Utility.h:393
    #5 0x10325b58e in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_calloc<unsigned char>(unsigned long) Utility.h:587
    #6 0x1031dd893 in unsigned char* js::MallocProvider<JS::Zone>::pod_calloc<unsigned char>(unsigned long) MallocProvider.h:132
    #7 0x103b339c6 in JSScript::makeTypes(JSContext*) TypeInference.cpp:3376
    #8 0x10368f6eb in JSScript::ensureHasTypes(JSContext*) TypeInference-inl.h:1207
    #9 0x1044f1152 in js::jit::BaselineCompiler::compile() BaselineCompiler.cpp:101
    #10 0x10210b175 in js::jit::BaselineCompile(JSContext*, JSScript*, bool) BaselineJIT.cpp:255
    #11 0x10210bcb6 in CanEnterBaselineJIT(JSContext*, JS::Handle<JSScript*>, js::InterpreterFrame*) BaselineJIT.cpp:299
    #12 0x10210c06d in js::jit::CanEnterBaselineMethod(JSContext*, js::RunState&) BaselineJIT.cpp:352
    #13 0x102654b3d in js::jit::MaybeEnterJit(JSContext*, js::RunState&) Jit.cpp:151
    #14 0x101c96cce in js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:408
    #15 0x101cf3d52 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) Interpreter.cpp:706
    #16 0x101d8c844 in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) Eval.cpp:323
    #17 0x101d8d085 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) Eval.cpp:434
    #18 0x1020d2b28 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) BaselineIC.cpp:2543
    #19 0x2bf1e36be5aa  (<unknown module>)
    #20 0x621000279fd7  (<unknown module>)
    #21 0x2bf1e36b84e7  (<unknown module>)
    #22 0x102655bf2 in EnterJit(JSContext*, js::RunState&, unsigned char*) Jit.cpp:99
    #23 0x102654be6 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) Jit.cpp:163
    #24 0x101c96cce in js::RunScript(JSContext*, js::RunState&) Interpreter.cpp:408
    #25 0x101cf3d52 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) Interpreter.cpp:706
    #26 0x101cf4b0c in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) Interpreter.cpp:738
    #27 0x102e8d880 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) jsapi.cpp:4702
    #28 0x102e8dce1 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) jsapi.cpp:4735
    #29 0x101a2eb5d in RunFile(JSContext*, char const*, __sFILE*, bool) js.cpp:721
Brian, would you please take a look at this?
Flags: needinfo?(bhackett1024)
Priority: -- → P1
Posted patch patch (obsolete) — Splinter Review
I haven't reproduced this, but judging from the stacks (thanks!) this does look like a problem with how the debugger interacts with baseline compilation.  As long as a script is baseline compiled its type array should never be deleted, but if a script's baseline script is recompiled for debug mode then there is a range of time when the types could be deleted: between the point where the old baseline script is cleared and where the new baseline script is installed.

This patch makes sure that at the beginning of the recompilation we don't clear the types during the ensureHasTypes call which the baseline compiler always makes.  This will prevent the types from being cleared during compilation, as long as there isn't another major GC in the middle of compilation; such a GC is impossible because the baseline compiler uses AutoEnterAnalysis, which suppresses GC.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8934153 - Flags: review?(jdemooij)
It sounds like this requires pretty specific interaction between debugging, compilation and GC, so I'm going to mark this as moderate.
Keywords: sec-high → sec-moderate
(In reply to Brian Hackett (:bhackett) from comment #4)
> I haven't reproduced this

I confirmed the patch fixes this locally, but the patch is a bit too ad-hoc IMO - how do we know there won't be another call to types() that discards the TypeScript? We're risking UAFs here so it's worth spending some more time on this - I'll try something today.
Flags: needinfo?(jimb) → needinfo?(jdemooij)
Posted patch Patch — Splinter Review
This adds an AutoKeepTypeScripts RAII class to pin all TypeScripts in the current zone. I also made ensureHasTypes take a reference to this class.
Assignee: bhackett1024 → jdemooij
Attachment #8934153 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8934153 - Flags: review?(jdemooij)
Flags: needinfo?(jdemooij)
Attachment #8934504 - Flags: review?(bhackett1024)
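Added illustration, not code from the patch or from the SpiderMonkey tree: a stripped-down C++ model of the window Brian describes (types discarded between clearing the old baseline script and installing the new one) and of the AutoKeepTypeScripts pin Jan's patch adds. The class names follow the bug's terminology, but every body, the sweepPending flag and the typeScriptsDestroyed counter are assumptions of this model; the on-stack frame's reference to the TypeScript is modelled as a raw pointer whose validity recompileForDebugMode reports.

```cpp
// Toy model of this bug's TypeScript lifetime window and of the
// AutoKeepTypeScripts pin. Assumed, simplified structures; not SpiderMonkey code.
#include <memory>
#include <optional>
#include <vector>

struct TypeScript {
    std::vector<int> stackTypeSets;    // stands in for the per-bytecode type sets
};

struct Zone {
    unsigned keepTypeScripts = 0;      // > 0 while an AutoKeepTypeScripts is alive
    unsigned typeScriptsDestroyed = 0; // counts TypeScripts freed by sweeping
};

// RAII pin: while an instance is alive, no TypeScript in the zone is discarded.
class AutoKeepTypeScripts {
    Zone& zone_;
public:
    explicit AutoKeepTypeScripts(Zone& z) : zone_(z) { ++zone_.keepTypeScripts; }
    ~AutoKeepTypeScripts() { --zone_.keepTypeScripts; }
    AutoKeepTypeScripts(const AutoKeepTypeScripts&) = delete;
    AutoKeepTypeScripts& operator=(const AutoKeepTypeScripts&) = delete;
};

struct Script {
    Zone& zone;
    std::unique_ptr<TypeScript> types_;
    bool hasBaselineScript = false;
    bool sweepPending = false;   // a major GC happened since the last types() call
    explicit Script(Zone& z) : zone(z) {}

    // Mirrors JSScript::types() -> maybeSweepTypes(): a pending sweep on a script
    // with no baseline code discards the TypeScript unless the zone pinned them.
    TypeScript* types() {
        if (sweepPending) {
            sweepPending = false;
            if (types_ && !hasBaselineScript && zone.keepTypeScripts == 0) {
                types_.reset();
                ++zone.typeScriptsDestroyed;
            }
        }
        return types_.get();
    }

    // Mirrors JSScript::ensureHasTypes(), which BaselineCompiler::compile() calls.
    TypeScript* ensureHasTypes() {
        if (!types()) {
            types_ = std::make_unique<TypeScript>();
            types_->stackTypeSets.assign(4, 0);
        }
        return types_.get();
    }
};

// Models RecompileBaselineScriptForDebugMode. The baseline frame still on the
// stack keeps a raw pointer to the TypeScript (as the GetElem IC fallback does
// before calling TypeScript::Monitor); returns true if it is still valid after.
bool recompileForDebugMode(Script& script, bool pinTypeScripts) {
    TypeScript* heldByFrame = script.types_.get();
    script.hasBaselineScript = false;          // old baseline script cleared
    {
        std::optional<AutoKeepTypeScripts> keep;
        if (pinTypeScripts) keep.emplace(script.zone); // the fix: pin the window
        script.ensureHasTypes();               // may sweep without the pin
        // ... compilation itself cannot GC (AutoEnterAnalysis) ...
        script.hasBaselineScript = true;       // new baseline script installed
    }
    return script.zone.typeScriptsDestroyed == 0 && script.types_.get() == heldByFrame;
}

// One run: compile, let a major GC mark the types for sweeping, then have a
// Debugger force debug-mode recompilation of the on-stack script.
bool scenario(bool pinTypeScripts) {
    Zone zone;
    Script script(zone);
    script.ensureHasTypes();      // first baseline compile allocates the TypeScript
    script.hasBaselineScript = true;
    script.sweepPending = true;   // gczeal(17)-style GC in between
    return recompileForDebugMode(script, pinTypeScripts);
}
```

Without the pin the model frees and re-creates the TypeScript inside the window, so the frame's pointer dangles; with the pin the same object survives until the new baseline script is installed.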
Attachment #8934504 - Flags: review?(bhackett1024) → review+
Safe fix, let's uplift this to beta.
Comment on attachment 8934504 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/Bug causing the regression]: Old bug.
[User impact if declined]: Crashes when using debugger.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Very simple patch, does not affect behavior much.
[String changes made/needed]: None.
Attachment #8934504 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/f5ea86116d56
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Group: javascript-core-security → core-security-release
Comment on attachment 8934504 [details] [diff] [review]
Patch

Sec-mod, UAF, Beta58+
Attachment #8934504 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][adv-main58+]
Flags: qe-verify-
Whiteboard: [jsbugmon:update,bisect][adv-main58+] → [jsbugmon:update,bisect][adv-main58+][post-critsmash-triage]
Group: core-security-release