Closed
Bug 1468375
Opened 6 years ago
Closed 6 years ago
Crash [@ JS::shadow::Realm::compartment] with evalInWorker and use-after-free
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1466387
People
(Reporter: decoder, Unassigned)
Details
(5 keywords, Whiteboard: [jsbugmon:update,bisect][fuzzblocker][adv-main62-])
Crash Data
The following testcase crashes on mozilla-central revision 6ecc24376875 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js):

evalInWorker(`
  grayRoot().x = Object.create(null);
  gc();
  grayRoot().s = wm;
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000568283 in JS::shadow::Realm::compartment (this=<optimized out>) at dist/include/js/Realm.h:60
#1  JS::GetCompartmentForRealm (realm=<error reading variable: Cannot access memory at address 0x4b4b4b4b4b4b4b5b>) at dist/include/js/Realm.h:73
#2  js::ObjectGroup::compartment (this=0x4b4b4b4b4b4b4b4b) at js/src/vm/ObjectGroup.h:236
#3  JSObject::compartment (this=0x7ffff45110a0) at js/src/vm/JSObject.h:163
#4  js::CompartmentChecker::check (obj=0x7ffff45110a0, this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:66
#5  js::CompartmentChecker::check (v=..., this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:116
#6  js::CompartmentChecker::check<JS::Value> (handle=..., this=<synthetic pointer>) at js/src/vm/JSContext-inl.h:82
#7  js::assertSameCompartment<JS::MutableHandle<JS::Value> > (t1=..., cx=0x7ffff491a000) at js/src/vm/JSContext-inl.h:200
#8  js::CallJSNative (args=..., native=0x451c70 <EnsureGrayRoot(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff491a000) at js/src/vm/JSContext-inl.h:276
#9  js::InternalCallOrConstruct (cx=0x7ffff491a000, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:471
#10 0x00000000005630e8 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:526
#11 Interpret (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:3122
#12 0x000000000056785a in js::RunScript (cx=0x7ffff491a000, state=...) at js/src/vm/Interpreter.cpp:421
#13 0x0000000000569ed6 in js::ExecuteKernel (result=0x7ffff48fede0, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0x7ffff491a000) at js/src/vm/Interpreter.cpp:704
#14 js::Execute (cx=0x7ffff491a000, script=..., envChainArg=..., rval=0x7ffff48fede0) at js/src/vm/Interpreter.cpp:737
#15 0x000000000088c8fe in JS_ExecuteScript (cx=cx@entry=0x7ffff491a000, scriptArg=scriptArg@entry=..., rval=rval@entry=...) at js/src/jsapi.cpp:4764
#16 0x000000000046246d in WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3634
#17 0x0000000000468e7a in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff5f18110) at js/src/threading/Thread.h:242
#18 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff5f18110) at js/src/threading/Thread.h:235
#19 0x00007ffff7bc16ba in start_thread (arg=0x7ffff48ff700) at pthread_create.c:333
#20 0x00007ffff6c3141d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

rax 0x1 1
rbx 0x7ffff491a000 140737296572416
rcx 0xfffe000000000000 -562949953421312
rdx 0x4b4b4b4b4b4b4b4b 5425512962855750475
rsi 0x7ffff45110a0 140737292341408
rdi 0x7ffff49d1dc0 140737297325504
rbp 0x7ffff48fe770 140737296459632
rsp 0x7ffff48fe590 140737296459152
r8  0x88 136
r9  0x200000 2097152
r10 0xfffdffffffffffff -562949953421313
r11 0x7ffff49d1dc0 140737297325504
r12 0xfffe000000000000 -562949953421312
r13 0x451c70 4529264
r14 0xfffb000000000000 -1407374883553280
r15 0x7ffff491a000 140737296572416
rip 0x568283 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1987>
=> 0x568283 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1987>: mov 0x10(%rdx),%rdx
   0x568287 <js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)+1991>: mov (%rdx),%rsi

Marking s-s and sec-high based on crash address. This is also super-frequent, so marking as fuzzblocker.
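As an added triage example (not part of the bug report or of SpiderMonkey): the reporter rates the crash sec-high "based on crash address", because a faulting pointer made of one repeated fill byte (0x4b4b4b4b4b4b4b4b here) is poisoned memory rather than a real address, i.e. the object was already freed. The helper below applies that rule mechanically to a gdb dump; the dump excerpt is constructed from frames and registers quoted above, and the offset-tolerant check (poison base plus a small field offset, modelled on the faulting `mov 0x10(%rdx)`) is this example's own assumption.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt shaped like the gdb output quoted in the report
# (backtrace frames plus a register dump); not the complete original dump.
CRASH_DUMP = """\
#1 JS::GetCompartmentForRealm (realm=<error reading variable: Cannot access memory at address 0x4b4b4b4b4b4b4b5b>) at dist/include/js/Realm.h:73
#2 js::ObjectGroup::compartment (this=0x4b4b4b4b4b4b4b4b) at js/src/vm/ObjectGroup.h:236
#3 JSObject::compartment (this=0x7ffff45110a0) at js/src/vm/JSObject.h:163
rbx 0x7ffff491a000 140737296572416
rdx 0x4b4b4b4b4b4b4b4b 5425512962855750475
rsi 0x7ffff45110a0 140737292341408
"""

# Any 0x-prefixed value up to 64 bits wide.
HEX_PTR = re.compile(r"\b0x([0-9a-fA-F]{1,16})\b")


def poison_byte(value: int) -> Optional[int]:
    """Return the fill byte if all eight bytes of a 64-bit value are identical.

    0x00 (null) and 0xff (-1) are excluded: they are common legitimate values,
    not fill patterns.
    """
    b = value.to_bytes(8, "little")
    if all(x == b[0] for x in b) and b[0] not in (0x00, 0xFF):
        return b[0]
    return None


def near_poison(value: int, slack: int = 0x100) -> Optional[Tuple[int, int]]:
    """Return (fill_byte, offset) if value is a poisoned base plus a small field
    offset, e.g. 0x4b4b4b4b4b4b4b5b = 0x4b4b4b4b4b4b4b4b + 0x10 (assumption:
    the load `mov 0x10(%rdx),%rdx` in the report reads a field at +0x10)."""
    for off in range(slack):
        base = value - off
        if base < 0:
            break
        fill = poison_byte(base)
        if fill is not None:
            return fill, off
    return None


def triage(dump: str) -> List[Tuple[str, int, int]]:
    """Collect every pointer in a gdb dump that looks like poisoned memory."""
    hits = []
    for m in HEX_PTR.finditer(dump):
        found = near_poison(int(m.group(1), 16))
        if found is not None:
            hits.append((m.group(0), found[0], found[1]))
    return hits


def classify(dump: str) -> str:
    """One-line verdict mirroring the reporter's crash-address reasoning."""
    return "likely use-after-free (poisoned pointer)" if triage(dump) else "unclassified"
```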
Reporter
Comment 1•6 years ago
Likely a duplicate to bug 1466387, it spiked heavily the last two days but seems to be fixed now.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [jsbugmon:update,bisect][fuzzblocker][adv-main62-]
Updated•6 years ago
status-firefox-esr52:
--- → wontfix
status-firefox-esr60:
--- → fixed
Updated•5 years ago
Group: javascript-core-security