1511412 - AddressSanitizer: heap-use-after-free [@ js::jit::CacheIRStubInfo::makesGCCalls] with READ of size 3

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision 58a0412e1557 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --disable-debug --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

Object.defineProperty(this, "fuzzutils", {
    value: {
        orig_evaluate: evaluate,
        evaluate: function(c) {
            return fuzzutils.orig_evaluate(c, {});
        },
    }
});
gczeal(21, 10);
fuzzutils.evaluate(`
  enableShellAllocationMetadataBuilder();
  function test() {}
`);


Backtrace:

==9086==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000008990 at pc 0x558a2a4e1d6a bp 0x7ffe61c2b5d0 sp 0x7ffe61c2b5c8
READ of size 3 at 0x604000008990 thread T0
    #0 0x558a2a4e1d69 in js::jit::CacheIRStubInfo::makesGCCalls() const js/src/jit/CacheIRCompiler.h:964:40
    #1 0x558a2a4e1d69 in js::jit::ICStub::makesGCCalls() const js/src/jit/BaselineIC.cpp:532
    #2 0x558a2a7aa2f7 in js::jit::ICStub::allocatedInFallbackSpace() const js/src/jit/BaselineIC.h:722:16
    #3 0x558a2a7aa2f7 in js::jit::ICScript::purgeOptimizedStubs(JS::Zone*) js/src/jit/BaselineJIT.cpp:1100
    #4 0x558a2a4a5470 in JS::Zone::discardJitCode(js::FreeOp*, bool, bool) js/src/gc/Zone.cpp:277:33
    #5 0x558a2a3d0ad0 in js::ReleaseAllJITCode(js::FreeOp*) js/src/gc/GC.cpp:8793:15
    #6 0x558a2991bf20 in JS::Realm::setAllocationMetadataBuilder(js::AllocationMetadataBuilder const*) js/src/vm/Realm.cpp:696:5
    #7 0x558a29b29064 in EnableShellAllocationMetadataBuilder(JSContext*, unsigned int, JS::Value*) js/src/builtin/TestingFunctions.cpp:2732:5
    #8 0x558a292de43e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:468:15
    #9 0x558a292de43e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:560
    #10 0x558a2a5172d6 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:3943:14
    #11 0x2238242cccf7  (<unknown module>)

0x604000008990 is located 0 bytes inside of 44-byte region [0x604000008990,0x6040000089bc)
freed by thread T0 here:
    #0 0x558a2911b8b8 in __interceptor_cfree.localalias.0 (/mnt/LangFuzz/work/builds/opt64asan/dist/bin/js+0x63d8b8)
    #1 0x558a2ab11dc4 in js_free(void*) dist/include/js/Utility.h:409:5
    #2 0x558a2ab11dc4 in JS::FreePolicy::operator()(void const*) dist/include/js/Utility.h:623
    #3 0x558a2ab11dc4 in mozilla::UniquePtr<js::jit::CacheIRStubInfo, JS::FreePolicy>::reset(js::jit::CacheIRStubInfo*) dist/include/mozilla/UniquePtr.h:343
    #4 0x558a2ab11dc4 in mozilla::UniquePtr<js::jit::CacheIRStubInfo, JS::FreePolicy>::~UniquePtr() dist/include/mozilla/UniquePtr.h:288
    #5 0x558a2ab11dc4 in js::jit::CacheIRStubKey::~CacheIRStubKey() js/src/jit/JitRealm.h:361
    #6 0x558a2ab11dc4 in mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> >::~HashMapEntry() dist/include/mozilla/HashTable.h:99
    #7 0x558a2ab11dc4 in mozilla::detail::HashTableEntry<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> > >::destroyStoredT() dist/include/mozilla/HashTable.h:1075
    #8 0x558a2ab11dc4 in mozilla::detail::HashTableEntry<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> > >::clearLive() dist/include/mozilla/HashTable.h:1130
    #9 0x558a2ab11dc4 in mozilla::detail::HashTable<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> >, mozilla::HashMap<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*>, js::jit::CacheIRStubKey, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::remove(mozilla::detail::HashTableEntry<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> > >&) dist/include/mozilla/HashTable.h:1915
    #10 0x558a2ab11dc4 in mozilla::detail::HashTable<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> >, mozilla::HashMap<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*>, js::jit::CacheIRStubKey, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::ModIterator::remove() dist/include/mozilla/HashTable.h:1432
    #11 0x558a2ab11dc4 in mozilla::detail::HashTable<mozilla::HashMapEntry<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*> >, mozilla::HashMap<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*>, js::jit::CacheIRStubKey, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::Enum::removeFront() dist/include/mozilla/HashTable.h:1530
    #12 0x558a2ab11dc4 in JS::GCHashMap<js::jit::CacheIRStubKey, js::ReadBarriered<js::jit::JitCode*>, js::jit::CacheIRStubKey, js::SystemAllocPolicy, js::jit::IcStubCodeMapGCPolicy<js::jit::CacheIRStubKey> >::sweep() dist/include/js/GCHashTable.h:81
    #13 0x558a2a3ac257 in js::gc::GCRuntime::sweepJitDataOnMainThread(js::FreeOp*) js/src/gc/GC.cpp:5883:26
    #14 0x558a2a3aee8a in js::gc::GCRuntime::beginSweepingSweepGroup(js::FreeOp*, js::SliceBudget&) js/src/gc/GC.cpp:6055:13
    #15 0x558a2a44671e in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) js/src/gc/GC.cpp:6715:29
    #16 0x558a2a447c27 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) js/src/gc/GC.cpp:6779:25
    #17 0x558a2a3ba59a in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) js/src/gc/GC.cpp:6955:26
    #18 0x558a2a3c0a10 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoGCSession&) js/src/gc/GC.cpp:7558:13
    #19 0x558a2a3c37bb in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/gc/GC.cpp:7914:14
    #20 0x558a2a3c7d69 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/gc/GC.cpp:8095:41
    #21 0x558a2a35fe6b in js::gc::GCRuntime::runDebugGC() js/src/gc/GC.cpp:8717:9
    #22 0x558a2a35f726 in js::gc::GCRuntime::gcIfNeededAtAllocation(JSContext*) js/src/gc/Allocator.cpp:336:9
    #23 0x558a2a3fadca in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) js/src/gc/Allocator.cpp:295:14
    #24 0x558a2a3fadca in js::Scope* js::Allocate<js::Scope, (js::AllowGC)1>(JSContext*) js/src/gc/Allocator.cpp:239
    #25 0x558a299705db in js::Scope::create(JSContext*, js::ScopeKind, JS::Handle<js::Scope*>, JS::Handle<js::Shape*>) js/src/vm/Scope.cpp:316:20
    #26 0x558a299705db in js::GlobalScope* js::Scope::create<js::GlobalScope>(JSContext*, js::ScopeKind, JS::Handle<js::Scope*>, JS::Handle<js::Shape*>, JS::MutableHandle<mozilla::UniquePtr<js::GlobalScope::Data, JS::DeletePolicy<js::GlobalScope::Data> > >) js/src/vm/Scope.cpp:328
    #27 0x558a299705db in js::GlobalScope::createWithData(JSContext*, js::ScopeKind, JS::MutableHandle<mozilla::UniquePtr<js::GlobalScope::Data, JS::DeletePolicy<js::GlobalScope::Data> > >) js/src/vm/Scope.cpp:991
    #28 0x558a299705db in js::GlobalScope::create(JSContext*, js::ScopeKind, JS::Handle<js::GlobalScope::Data*>) js/src/vm/Scope.cpp:979
    #29 0x558a2a2a6635 in js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*)::$_6::operator()(JSContext*, JS::Handle<js::Scope*>) const js/src/frontend/EmitterScope.cpp:879:16
    #30 0x558a2a2a6635 in bool js::frontend::EmitterScope::internScope<js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*)::$_6>(js::frontend::BytecodeEmitter*, js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*)::$_6) js/src/frontend/EmitterScope.cpp:361
    #31 0x558a2a2a6635 in bool js::frontend::EmitterScope::internBodyScope<js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*)::$_6>(js::frontend::BytecodeEmitter*, js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*)::$_6) js/src/frontend/EmitterScope.cpp:376
    #32 0x558a2a2a6635 in js::frontend::EmitterScope::enterGlobal(js::frontend::BytecodeEmitter*, js::frontend::GlobalSharedContext*) js/src/frontend/EmitterScope.cpp:881
    #33 0x558a2a223ba1 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) js/src/frontend/BytecodeEmitter.cpp:2359:27
    #34 0x558a2a28ffad in js::frontend::ScriptCompiler<char16_t>::compileScript(js::frontend::BytecodeCompiler&, JS::Handle<JSObject*>, js::frontend::SharedContext*) js/src/frontend/BytecodeCompiler.cpp:578:27
    #35 0x558a2a21f11c in JSScript* CreateGlobalScript<char16_t>(js::frontend::GlobalScriptInfo&, JS::SourceText<char16_t>&, js::ScriptSourceObject**) js/src/frontend/BytecodeCompiler.cpp:219:33
    #36 0x558a2a21f11c in js::frontend::CompileGlobalScript(js::frontend::GlobalScriptInfo&, JS::SourceText<char16_t>&, js::ScriptSourceObject**) js/src/frontend/BytecodeCompiler.cpp:232
    #37 0x558a2952c031 in bool CompileSourceBuffer<char16_t>(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, JS::MutableHandle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:70:16
    #38 0x558a2952c031 in JS::Compile(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<char16_t>&, JS::MutableHandle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:125
    #39 0x558a2918d0ce in Evaluate(JSContext*, unsigned int, JS::Value*) js/src/shell/js.cpp:2172:28
    #40 0x558a292de43e in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/vm/Interpreter.cpp:468:15
    #41 0x558a292de43e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:560
    #42 0x558a2a5172d6 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:3943:14
    #43 0x2238242cccf7  (<unknown module>)
    #44 0x621000372a87  (<unknown module>)
    #45 0x2238242c84de  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x558a2911ba78 in __interceptor_malloc (/mnt/LangFuzz/work/builds/opt64asan/dist/bin/js+0x63da78)
    #1 0x558a2a81caa1 in js_arena_malloc(unsigned long, unsigned long) dist/include/js/Utility.h:364:12
    #2 0x558a2a81caa1 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) dist/include/js/Utility.h:562
    #3 0x558a2a81caa1 in unsigned char* js_pod_malloc<unsigned char>(unsigned long) dist/include/js/Utility.h:569
    #4 0x558a2a81caa1 in js::jit::CacheIRStubInfo::New(js::jit::CacheKind, js::jit::ICStubEngine, bool, unsigned int, js::jit::CacheIRWriter const&) js/src/jit/CacheIRCompiler.cpp:1167
    #5 0x558a2b2c406e in js::jit::AttachBaselineCacheIRStub(JSContext*, js::jit::CacheIRWriter const&, js::jit::CacheKind, js::jit::BaselineCacheIRStubKind, JSScript*, js::jit::ICFallbackStub*, bool*) js/src/jit/BaselineCacheIRCompiler.cpp:2274:20
    #6 0x558a2a50959a in js::jit::DoGetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetProp_Fallback*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/BaselineIC.cpp:2868:31
    #7 0x2238242cce53  (<unknown module>)
    #8 0x2238242c84de  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free js/src/jit/CacheIRCompiler.h:964:40 in js::jit::CacheIRStubInfo::makesGCCalls() const
Shadow bytes around the buggy address:
  0x0c087fff90e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
  0x0c087fff90f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9100: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c087fff9110: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c087fff9120: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
=>0x0c087fff9130: fa fa[fd]fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff9140: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff9150: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 04 fa
  0x0c087fff9160: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 00 fa
  0x0c087fff9170: fa fa 00 00 00 00 00 02 fa fa 00 00 00 00 00 00
  0x0c087fff9180: fa fa 00 00 00 00 00 03 fa fa 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
==9086==ABORTING

Comment 1

[Fuzzing Team]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Bug 1511412 - Fix an issue with incremental sweeping and ICScript. r?tcampbell

Comment 4

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/mozilla-central/rev/847bc008e00b9348a07b87b4c8063782c1d7ab11

Comment 5

[Jon Coppeard (:jonco)]

>  if (zone->isGCSweeping() && IsAboutToBeFinalizedDuringSweep(*script)) {

BTW you can use IsAboutToBeFinalizedUnbarriered() here and you don't need the zone check.