Closed Bug 1468375 Opened 6 years ago Closed 6 years ago

Crash [@ JS::shadow::Realm::compartment] with evalInWorker and use-after-free

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1466387
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- fixed
firefox62 --- fixed

People

(Reporter: decoder, Unassigned)

Details

Whiteboard: [jsbugmon:update,bisect][fuzzblocker][adv-main62-]

The following testcase crashes on mozilla-central revision 6ecc24376875 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js):

evalInWorker(`
  grayRoot().x = Object.create(null);
  gc();
  grayRoot().s = wm;
`);
Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000568283 in JS::shadow::Realm::compartment (this=<optimized out>) at dist/include/js/Realm.h:60
#1  JS::GetCompartmentForRealm (realm=<error reading variable: Cannot access memory at address 0x4b4b4b4b4b4b4b5b>) at dist/include/js/Realm.h:73
#2  js::ObjectGroup::compartment (this=0x4b4b4b4b4b4b4b4b) at js/src/vm/ObjectGroup.h:236
#3  JSObject::compartment (this=0x7ffff45110a0) at js/src/vm/JSObject.h:163
#4  js::CompartmentChecker::check (obj=0x7ffff45110a0, this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:66
#5  js::CompartmentChecker::check (v=..., this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:116
#6  js::CompartmentChecker::check<JS::Value> (handle=..., this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:82
#7  js::assertSameCompartment<JS::MutableHandle<JS::Value> > (t1=..., cx=0x7ffff491a000) at js/src/vm/JSContext-inl.h:200
#8  js::CallJSNative (args=..., native=0x451c70 <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff491a000) at js/src/vm/JSContext-inl.h:276
#9  js::InternalCallOrConstruct (cx=0x7ffff491a000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:471
#10 0x00000000005630e8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:526
#11 Interpret (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:3122
#12 0x000000000056785a in js::RunScript (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:421
#13 0x0000000000569ed6 in js::ExecuteKernel (result=0x7ffff48fede0, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff491a000) at js/src/vm/Interpreter.cpp:704
#14 js::Execute (cx=0x7ffff491a000, script=..., envChainArg=..., rval=0x7ffff48fede0) at js/src/vm/Interpreter.cpp:737
#15 0x000000000088c8fe in JS_ExecuteScript (cx=cx@entry=0x7ffff491a000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4764
#16 0x000000000046246d in WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3634
#17 0x0000000000468e7a in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff5f18110) at js/src/threading/Thread.h:242
#18 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff5f18110) at js/src/threading/Thread.h:235
#19 0x00007ffff7bc16ba in start_thread (arg=0x7ffff48ff700) at pthread_create.c:333
#20 0x00007ffff6c3141d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x1	1
rbx	0x7ffff491a000	140737296572416
rcx	0xfffe000000000000	-562949953421312
rdx	0x4b4b4b4b4b4b4b4b	5425512962855750475
rsi	0x7ffff45110a0	140737292341408
rdi	0x7ffff49d1dc0	140737297325504
rbp	0x7ffff48fe770	140737296459632
rsp	0x7ffff48fe590	140737296459152
r8	0x88	136
r9	0x200000	2097152
r10	0xfffdffffffffffff	-562949953421313
r11	0x7ffff49d1dc0	140737297325504
r12	0xfffe000000000000	-562949953421312
r13	0x451c70	4529264
r14	0xfffb000000000000	-1407374883553280
r15	0x7ffff491a000	140737296572416
rip	0x568283 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1987>
=> 0x568283 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1987>:	mov    0x10(%rdx),%rdx
   0x568287 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1991>:	mov    (%rdx),%rsi
Marking s-s and sec-high based on crash address. This is also super-frequent, so marking as fuzzblocker.
Likely a duplicate of bug 1466387; it spiked heavily over the last two days but seems to be fixed now.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect][fuzzblocker][adv-main62-]
Group: javascript-core-security
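The sec-high rating above is decided from the crash address alone: frame #2 is called with this=0x4b4b4b4b4b4b4b4b, the faulting instruction is `mov 0x10(%rdx),%rdx` with rdx holding that same value, and the address gdb cannot read is 0x4b4b4b4b4b4b4b5b, i.e. the fill plus the 0x10 field offset. A pointer made of one repeated byte is not an address the allocator ever hands out; it is a poison fill, and on the assumption that 0x4b is SpiderMonkey's JS_SWEPT_TENURED_PATTERN (js/src/util/Poison.h), the ObjectGroup pointer read from the object in frame #3 refers to a cell the gc() in the testcase already swept, which is why this is reported as use-after-free rather than a wild read. The script below is an added example, not part of this bug report or of the SpiderMonkey tree: it automates that triage step over a gdb register dump and backtrace. The poison table is my recollection of Poison.h and must be checked against the revision being triaged; SAMPLE_DUMP is a constructed excerpt of the backtrace and registers above, with spacing normalised.

```python
"""Poison-pattern triage for a SpiderMonkey crash dump (added example)."""
import re

# Assumed SpiderMonkey GC poison bytes (js/src/util/Poison.h as I recall
# it; confirm against the revision being triaged before trusting a verdict).
POISON_PATTERNS = {
    0x2F: "JS_FRESH_NURSERY_PATTERN: never-allocated nursery memory",
    0x2B: "JS_SWEPT_NURSERY_PATTERN: nursery cell freed by a minor GC",
    0x4F: "JS_FRESH_TENURED_PATTERN: never-allocated tenured memory",
    0x49: "JS_MOVED_TENURED_PATTERN: cell relocated by a compacting GC",
    0x4B: "JS_SWEPT_TENURED_PATTERN: tenured cell freed by GC sweeping",
    0x6B: "JS_FREED_HEAP_PTR_PATTERN: malloc'd block already freed",
}
FREED_PATTERNS = {0x2B, 0x4B, 0x6B}   # a deref of these is a use-after-free

WORD_FILL = 0x0101010101010101        # byte * WORD_FILL == that byte repeated 8 times
MAX_FIELD_OFFSET = 0x1000             # loads like mov 0x10(%rdx) land this close to the fill

REG_RE = re.compile(r"^(r[a-z0-9]+)\s+(0x[0-9a-fA-F]+)", re.MULTILINE)
FRAME_ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")
FAULT_RE = re.compile(r"Cannot access memory at address (0x[0-9a-fA-F]+)")

# Constructed excerpt of the report's backtrace and register dump.
SAMPLE_DUMP = """\
received signal SIGSEGV, Segmentation fault.
#0  0x0000000000568283 in JS::shadow::Realm::compartment (this=<optimized out>) at dist/include/js/Realm.h:60
#1  JS::GetCompartmentForRealm (realm=<error reading variable: Cannot access memory at address 0x4b4b4b4b4b4b4b5b>) at dist/include/js/Realm.h:73
#2  js::ObjectGroup::compartment (this=0x4b4b4b4b4b4b4b4b) at js/src/vm/ObjectGroup.h:236
#3  JSObject::compartment (this=0x7ffff45110a0) at js/src/vm/JSObject.h:163
rax            0x1                 1
rbx            0x7ffff491a000      140737296572416
rdx            0x4b4b4b4b4b4b4b4b  5425512962855750475
rsi            0x7ffff45110a0      140737292341408
rip            0x568283            <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1987>
=> 0x568283 <js::InternalCallOrConstruct+1987>:    mov    0x10(%rdx),%rdx
"""


def repeated_byte(value):
    """Return (byte, offset) when value is one byte repeated across all eight
    bytes plus a small non-negative offset, else None.  A field load from a
    poisoned base (0x4b..4b + 0x10) is still recognised as the 0x4b fill."""
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        return None
    top = value >> 56
    offset = value - top * WORD_FILL
    if 0 <= offset < MAX_FIELD_OFFSET:
        return top, offset
    return None


def candidate_pointers(dump):
    """Yield (source, value) for every pointer-sized value worth checking:
    general registers, frame arguments, and the address gdb could not read."""
    for name, hex_value in REG_RE.findall(dump):
        yield name, int(hex_value, 16)
    for name, hex_value in FRAME_ARG_RE.findall(dump):
        yield "frame arg " + name, int(hex_value, 16)
    for hex_value in FAULT_RE.findall(dump):
        yield "fault address", int(hex_value, 16)


def triage(dump):
    """Classify a crash dump by the poison bytes found in its pointers."""
    hits = []
    for source, value in candidate_pointers(dump):
        match = repeated_byte(value)
        if match is None or match[0] not in POISON_PATTERNS:
            continue                      # 0x00 fills are null derefs, not poison
        byte, offset = match
        hits.append({"source": source, "value": value, "byte": byte,
                     "offset": offset, "meaning": POISON_PATTERNS[byte]})
    if not hits:
        return {"severity": "needs-analysis", "hits": hits,
                "verdict": "no known poison pattern; inspect the faulting access by hand"}
    if any(h["byte"] in FREED_PATTERNS for h in hits):
        # Dereferencing a swept cell means the object layout after the GC is
        # attacker-influenced, which is what justifies a sec-high rating.
        return {"severity": "sec-high", "hits": hits,
                "verdict": "use-after-free: dereference of memory poisoned on free"}
    return {"severity": "sec-review", "hits": hits,
            "verdict": "read of fresh or moved memory; look for a missing barrier or stale pointer"}


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    print(report["severity"], "-", report["verdict"])
    for hit in report["hits"]:
        print(f"  {hit['source']}: {hit['value']:#x} (+{hit['offset']:#x}) {hit['meaning']}")
```

Run against the dump above it reports rdx, the `this` of frame #2 and the unreadable address as 0x4b fills, the last one at offset 0x10, which matches the disassembled load. The first non-poisoned `this` below the poisoned frame (0x7ffff45110a0 in frame #3) is the object whose group pointer went stale, so that is where a fix-side investigation starts.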