Open Bug 1672732 Opened 5 years ago Updated 2 years ago

AddressSanitizer: heap-use-after-free [@ std::__atomic_base<unsigned int>::store] through [@ js::jit::SimulatorProcess::membarrier] with WRITE of size 4 with ARM64 simulator

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

x86_64
Linux
defect

Tracking Status
firefox84 --- wontfix

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

The following crash was found on mozilla-central revision d8861d51b01e (arm64 simulator build, run with --fuzzing-safe --no-asmjs --enable-avx --no-sse3 --ion-pgo=off --ion-warmup-threshold=0 --ion-range-analysis=off --ion-eager --warp --fast-warmup --no-blinterp --more-compartments --ion-offthread-compile=off --gc-zeal=20,477 --no-incremental-gc --baseline-warmup-threshold=100 --no-native-regexp).

Backtrace:

=================================================================
==11603==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900000148c at pc 0x55d063979e62 bp 0x7f908fa3c880 sp 0x7f908fa3c878
WRITE of size 4 at 0x61900000148c thread T5 (JS Helper)
    #0 0x55d063979e61 in std::__atomic_base<unsigned int>::store(unsigned int, std::memory_order) include/c++/7.4.0/bits/atomic_base.h:374:2
    #1 0x55d063979e61 in mozilla::detail::IntrinsicMemoryOps<unsigned int, (mozilla::MemoryOrdering)2>::store(std::atomic<unsigned int>&, unsigned int) objdir-js/dist/include/mozilla/Atomics.h:195
    #2 0x55d063979e61 in mozilla::detail::AtomicBase<unsigned int, (mozilla::MemoryOrdering)2>::operator=(unsigned int) objdir-js/dist/include/mozilla/Atomics.h:297
    #3 0x55d063979e61 in mozilla::Atomic<bool, (mozilla::MemoryOrdering)2, void>::operator=(bool) objdir-js/dist/include/mozilla/Atomics.h:495
    #4 0x55d063979e61 in js::jit::SimulatorProcess::membarrier() js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:988
    #5 0x55d06397935a in vixl::CPU::EnsureIAndDCacheCoherency(void*, unsigned long, bool) js/src/jit/arm64/vixl/MozCpu-vixl.cpp:182:5
    #6 0x55d0645c9d3b in js::jit::ReprotectRegion(void*, unsigned long, js::jit::ProtectionSetting, js::jit::MustFlushICache) js/src/jit/ProcessExecutableMemory.cpp:745:5
    #7 0x55d064776206 in js::jit::ExecutableAllocator::makeExecutableAndFlushICache(js::jit::FlushICacheSpec, void*, unsigned long) js/src/jit/ExecutableAllocator.h:191:12
    #8 0x55d064776206 in js::wasm::ModuleSegment::initialize(js::wasm::IsTier2, js::wasm::CodeTier const&, js::wasm::LinkData const&, js::wasm::Metadata const&, js::wasm::MetadataTier const&) js/src/wasm/WasmCode.cpp:394
    #9 0x55d0647849f2 in js::wasm::CodeTier::initialize(js::wasm::IsTier2, js::wasm::Code const&, js::wasm::LinkData const&, js::wasm::Metadata const&) js/src/wasm/WasmCode.cpp:1065:18
    #10 0x55d0647877d6 in js::wasm::Code::setTier2(mozilla::UniquePtr<js::wasm::CodeTier, JS::DeletePolicy<js::wasm::CodeTier> >, js::wasm::LinkData const&) const js/src/wasm/WasmCode.cpp:1189:15
    #11 0x55d064a786df in js::wasm::Module::finishTier2(js::wasm::LinkData const&, mozilla::UniquePtr<js::wasm::CodeTier, JS::DeletePolicy<js::wasm::CodeTier> >) const js/src/wasm/WasmModule.cpp:125:15
    #12 0x55d06496237c in js::wasm::ModuleGenerator::finishTier2(js::wasm::Module const&) js/src/wasm/WasmGenerator.cpp:1321:17
    #13 0x55d0647920a0 in js::wasm::CompileTier2(js::wasm::CompileArgs const&, mozilla::Vector<unsigned char, 0ul, js::SystemAllocPolicy> const&, js::wasm::Module const&, mozilla::Atomic<bool, (mozilla::MemoryOrdering)2, void>*, JSTelemetrySender) js/src/wasm/WasmCompile.cpp:634:11
    #14 0x55d064b34aec in js::wasm::Module::Tier2GeneratorTaskImpl::runHelperThreadTask(js::AutoLockHelperThreadState&) js/src/wasm/WasmModule.cpp:74:7
    #15 0x55d061bf9660 in js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:2660:9
    #16 0x55d061bf50e7 in js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:2632:25
    #17 0x55d061bf4b75 in js::HelperThread::ThreadMain(void*) js/src/vm/HelperThreads.cpp:2350:11
    #18 0x55d061cb1eb7 in void js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) js/src/threading/Thread.h:217:5
    #19 0x55d061cb1eb7 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:206
    #20 0x7f9094d6b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #21 0x7f9093b2c88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61900000148c is located 12 bytes inside of 1104-byte region [0x619000001480,0x6190000018d0)
freed by thread T0 here:
    #0 0x55d0610e5672 in __interceptor_free (js-dbg-64-profDisabled-dm-asan-armsim64-linux-x86_64-d8861d51b01e+0x30aa672)
    #1 0x55d061cd21cf in JSContext::~JSContext() js/src/vm/JSContext.cpp:976:3
    #2 0x55d061cc4130 in void js_delete_poison<JSContext>(JSContext const*) objdir-js/dist/include/js/Utility.h:580:9
    #3 0x55d061cc4130 in js::DestroyContext(JSContext*) js/src/vm/JSContext.cpp:213
    #4 0x55d061137b4d in main::$_1::operator()() const js/src/shell/js.cpp:11642:41
    #5 0x55d061137b4d in mozilla::ScopeExit<main::$_1>::~ScopeExit() objdir-js/dist/include/mozilla/ScopeExit.h:106
    #6 0x55d061137b4d in main js/src/shell/js.cpp:11768
    #7 0x7f9093a2cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x55d0610e59f3 in __interceptor_malloc (js-dbg-64-profDisabled-dm-asan-armsim64-linux-x86_64-d8861d51b01e+0x30aa9f3)
    #1 0x55d06397d954 in js_arena_malloc(unsigned long, unsigned long) objdir-js/dist/include/js/Utility.h:385:10
    #2 0x55d06397d954 in js_malloc(unsigned long) objdir-js/dist/include/js/Utility.h:389
    #3 0x55d06397d954 in vixl::Simulator* js_new<vixl::Simulator, vixl::CachingDecoder*&, _IO_FILE*&>(vixl::CachingDecoder*&, _IO_FILE*&) objdir-js/dist/include/js/Utility.h:538
    #4 0x55d06397d954 in vixl::Simulator::Create() js/src/jit/arm64/vixl/MozSimulator-vixl.cpp:183
    #5 0x55d061cc3021 in JSContext::init(js::ContextKind) js/src/vm/JSContext.cpp:129:18
    #6 0x55d061cc3a69 in js::NewContext(unsigned int, JSRuntime*) js/src/vm/JSContext.cpp:175:12
    #7 0x55d06113549e in main js/src/shell/js.cpp:11634:25
    #8 0x7f9093a2cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Thread T5 (JS Helper) created by T0 here:
    #0 0x55d0610cdfcd in __interceptor_pthread_create (js-dbg-64-profDisabled-dm-asan-armsim64-linux-x86_64-d8861d51b01e+0x3092fcd)
    #1 0x55d0618196e0 in js::Thread::create(void* (*)(void*), void*) js/src/threading/posix/PosixThread.cpp:52:7
    #2 0x55d061c6da8e in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) js/src/threading/Thread.h:90:12
    #3 0x55d061be5089 in js::HelperThread::init() js/src/vm/HelperThreads.cpp:2304:17
    #4 0x55d061be5089 in js::GlobalHelperThreadState::ensureThreadCount(unsigned long) js/src/vm/HelperThreads.cpp:1283
    #5 0x55d061f8e71d in JSRuntime::init(JSContext*, unsigned int) js/src/vm/Runtime.cpp:199:32
    #6 0x55d061cc3a7b in js::NewContext(unsigned int, JSRuntime*) js/src/vm/JSContext.cpp:181:17
    #7 0x55d06113549e in main js/src/shell/js.cpp:11634:25
    #8 0x7f9093a2cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free include/c++/7.4.0/bits/atomic_base.h:374:2 in std::__atomic_base<unsigned int>::store(unsigned int, std::memory_order)
Shadow bytes around the buggy address:
  0x0c327fff8240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c327fff8290: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff82a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff82b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff82c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff82d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c327fff82e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11603==ABORTING

This is very likely a simulator/shell problem. I don't have a test for this yet, but I'm hoping the backtrace is enough here.

Attached file Testcase

(Simulators are "Jit". This could be related to some problems we had recently -- properly simulating icache behavior on a multi-threaded simulator is just hard.)

Component: JavaScript Engine → JavaScript Engine: JIT

The backtrace doesn't make much sense by itself. It says that there's a Simulator object allocated inside (as a sub-object of) a JSContext object so that after the JSContext is freed, an access to the simulator is invalid. It would be, but the Simulator is always a stand-alone heap object, never allocated inside something.

So if anything, the Simulator* picked up in membarrier() is garbage, and/or it was deleted but never taken off the list. I do note that unregisterSimulator is never called (textually) but Simulator::Destroy is called from ~JSContext. So there's that - probably something worth looking into.
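The failure mode sketched in the comment above (a process-wide list of Simulator pointers swept by membarrier() on helper threads, with Simulator::Destroy freeing an object that was never taken off that list) can be illustrated in isolation. The following is an added example written for this page, not SpiderMonkey or VIXL code: the Registry, Simulator, registerSim, unregisterSim and holdsAddress names are hypothetical stand-ins for the real SimulatorProcess machinery. It contrasts a destroy path that leaves a dangling registry entry with one that unregisters under the registry lock before freeing, and checks the registry state by comparing pointer values only, so nothing freed is ever dereferenced.

```cpp
// Added illustration (hypothetical names, not SpiderMonkey code) of the
// registration pattern described in the comment above. A process-wide list
// of Simulator* is swept by membarrier() on helper threads; a Simulator that
// is destroyed without being removed from that list leaves a dangling entry,
// and the next sweep writes through it, which ASan reports as a
// heap-use-after-free on an atomic store.
#include <algorithm>
#include <atomic>
#include <cstdint>
#include <mutex>
#include <vector>

namespace demo {

struct Simulator {
  // Flag that membarrier() raises on every registered simulator.
  std::atomic<bool> pendingCacheRequest{false};
};

// Process-wide registry, standing in for the SimulatorProcess list.
struct Registry {
  std::mutex lock;
  std::vector<Simulator*> sims;

  void registerSim(Simulator* s) {
    std::lock_guard<std::mutex> g(lock);
    sims.push_back(s);
  }

  void unregisterSim(Simulator* s) {
    std::lock_guard<std::mutex> g(lock);
    sims.erase(std::remove(sims.begin(), sims.end(), s), sims.end());
  }

  // True if any registered pointer equals the given address. The comparison
  // is by value only, never a dereference, so it is safe to call with an
  // address that has already been freed.
  bool holdsAddress(std::uintptr_t addr) {
    std::lock_guard<std::mutex> g(lock);
    for (Simulator* s : sims) {
      if (reinterpret_cast<std::uintptr_t>(s) == addr) return true;
    }
    return false;
  }

  // What the helper-thread sweep does: store to a flag in every registered
  // simulator. This is only sound if every pointer in sims is still live.
  void membarrier() {
    std::lock_guard<std::mutex> g(lock);
    for (Simulator* s : sims) s->pendingCacheRequest = true;
  }
};

// Buggy lifecycle: the simulator is freed but stays registered, so a later
// membarrier() on another thread would write through the stale pointer.
inline bool buggyDestroyLeavesDanglingEntry() {
  Registry reg;
  Simulator* sim = new Simulator;
  reg.registerSim(sim);
  std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(sim);
  delete sim;  // destroy without unregister; membarrier() is NOT called here
  return reg.holdsAddress(addr);  // true: the dangling entry remains
}

// Fixed lifecycle: unregister under the registry lock before freeing, so a
// concurrent membarrier() either sees the live object or does not see it.
inline bool fixedDestroyRemovesEntry() {
  Registry reg;
  Simulator* sim = new Simulator;
  reg.registerSim(sim);
  std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(sim);
  reg.unregisterSim(sim);
  delete sim;
  reg.membarrier();  // sweeps an empty list; nothing dangling to touch
  return reg.holdsAddress(addr);  // false
}

}  // namespace demo
```

The check that matters for a fix of this shape is the ordering in the fixed path: removal from the shared list happens under the same lock the sweep takes, and only then is the object freed, so there is no window in which a helper thread can observe a pointer to memory that is about to be returned to the allocator.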

(Unable to repro locally with given test case and arguments.)

This bug is about instruction cache emulation in the JS shell. Thus this has no impact on our users. (S4 because there is no lower one for defect)

Severity: -- → S4
Priority: -- → P3