Closed Bug 1851520 Opened 2 years ago Closed 2 years ago

AddressSanitizer: global-buffer-overflow on address

Categories

(Core :: JavaScript Engine, defect)

ARM64
macOS
defect

Tracking


RESOLVED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed

People

(Reporter: gkw, Assigned: anba)

References

(Blocks 1 open bug)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(1 file)

evaluate('loadRelativeToScript("");', { fileName: null });
==89819==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010567ae48 at pc 0x0001012b807c bp 0x00016f01fd10 sp 0x00016f01fd08
READ of size 4 at 0x00010567ae48 thread T0
    #0 0x1012b8078 in js::ErrorObject::create(JSContext*, JSExnType, JS::Handle<JSObject*>, JS::Handle<JSString*>, unsigned int, unsigned int, JS::ColumnNumberOneOrigin, mozilla::UniquePtr<JSErrorReport, JS::DeletePolicy<JSErrorReport>>, JS::Handle<JSString*>, JS::Handle<mozilla::Maybe<JS::Value>>, JS::Handle<JSObject*>)+0x5ec (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1004e0078) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #1 0x1018a494c in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*)+0x5d0 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100acc94c) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #2 0x1012bf704 in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, char*)+0x350 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1004e7704) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #3 0x10187067c in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...)+0xf4 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100a9867c) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #4 0x101254e30 in JS::EncodeUtf8ToNarrow(JSContext*, char const*)+0x1c8 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10047ce30) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #5 0x100de4d50 in js::shell::ResolvePath(JSContext*, JS::Handle<JSString*>, js::shell::PathResolutionMode)+0x328 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10000cd50) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #6 0x100e5f538 in LoadScript(JSContext*, unsigned int, JS::Value*, bool)+0x220 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100087538) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #7 0x10104f1dc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x898 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1002771dc) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #8 0x101068aa8 in js::Interpret(JSContext*, js::RunState&)+0x10db4 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100290aa8) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #9 0x10104e060 in js::RunScript(JSContext*, js::RunState&)+0x494 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100276060) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #10 0x10105396c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+0x40c (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10027b96c) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #11 0x10126abd4 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)+0x220 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100492bd4) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #12 0x10126a870 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)+0x178 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100492870) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #13 0x100e346e8 in Evaluate(JSContext*, unsigned int, JS::Value*)+0x1f80 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10005c6e8) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #14 0x10104f1dc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)+0x898 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1002771dc) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #15 0x101068aa8 in js::Interpret(JSContext*, js::RunState&)+0x10db4 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100290aa8) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #16 0x10104e060 in js::RunScript(JSContext*, js::RunState&)+0x494 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100276060) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #17 0x10105396c in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>)+0x40c (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10027b96c) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #18 0x10126abd4 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)+0x220 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100492bd4) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #19 0x10126a870 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>)+0x178 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100492870) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #20 0x100e82dc0 in Process(JSContext*, char const*, bool, FileKind)+0xfc8 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1000aadc0) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #21 0x100df928c in Shell(JSContext*, js::cli::OptionParser*)+0x2488 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x10002128c) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #22 0x100ded480 in main+0xf68 (js-64-asan-darwin-arm64-99eed791079c:arm64+0x100015480) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00)
    #23 0x19d07bf24  (<unknown module>)
    #24 0x9979fffffffffffc  (<unknown module>)

0x00010567ae48 is located 56 bytes after global variable 'js::ErrorObject::classes' defined in 'Unified_cpp_js_src13.cpp' (0x10567aba0) of size 624
SUMMARY: AddressSanitizer: global-buffer-overflow (js-64-asan-darwin-arm64-99eed791079c:arm64+0x1004e0078) (BuildId: 4c4c44fa55553144a11604c237037d4c32000000200000000100000000000b00) in js::ErrorObject::create(JSContext*, JSExnType, JS::Handle<JSObject*>, JS::Handle<JSString*>, unsigned int, unsigned int, JS::ColumnNumberOneOrigin, mozilla::UniquePtr<JSErrorReport, JS::DeletePolicy<JSErrorReport>>, JS::Handle<JSString*>, JS::Handle<mozilla::Maybe<JS::Value>>, JS::Handle<JSObject*>)+0x5ec
Shadow bytes around the buggy address:
  0x00010567ab80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567ac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567ad00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00010567ae00: 00 00 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9
  0x00010567ae80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x00010567af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00010567b000: 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9
  0x00010567b080: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==89819==ABORTING

It seems to go as far back as m-c rev e963fffcb3a0 and possibly further back.

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-debug-symbols --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev 738c0a460acb.

Unsure who to set needinfo? from, so setting :jandem for now. Please forward it on to the right person, thanks!

Also, I'm guessing this is unlikely to be s-s, but feel free to verify.

Flags: sec-bounty?
Flags: needinfo?(jdemooij)
Group: core-security → javascript-core-security

I'm unable to reproduce this with an ASan build. I tried both a local build and this ASan shell build from CI.

Can you reproduce this with the CI build? How are you running the script exactly?

Flags: needinfo?(jdemooij) → needinfo?(nth10sd)

I can reproduce this with a freshly compiled local build on m-c rev 738c0a460acb. I am on macOS Ventura 13.5.1, Mac Mini M2 Pro 16GB - it's an ARM64 Mac Mini.

The linked CI build is for x86-64 minis and apparently cannot be run on this machine as it shows: zsh: exec format error: ./js

Flags: needinfo?(nth10sd) → needinfo?(jdemooij)

Ah sorry, I missed that this is a macOS bug report. I tested this on Linux64 and the build I linked to is also for Linux.

Let me try this on Mac...

Also reproduces reliably on latest m-c rev 5c56b92baa65.

(In reply to Jan de Mooij [:jandem] from comment #3)
> Let me try this on Mac...

Are you able to reproduce this?

(In reply to Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) from comment #5)
> (In reply to Jan de Mooij [:jandem] from comment #3)
> > Let me try this on Mac...
>
> Are you able to reproduce this?

Yes I'm able to reproduce this on Mac. Thanks!

This looks like it might be specific to the shell function and not a bug in Firefox?

There are multiple issues here:

  1. We incorrectly use JSEXN_NOTE for the errors here. In debug builds this can trigger Assertion failure: exnType < JSEXN_ERROR_LIMIT, at jsexn.cpp:311 and also causes the out-of-bounds array access in ErrorObject::classForType that ASan opt builds are complaining about.

  2. This doesn't reproduce on Linux because we have a different code path for Linux in JS::EncodeUtf8ToWide. I think the non-Linux code path needs to null-terminate the array it returns here. Failure to do that ends up triggering (1) above.

André, do you have time to look into this? You know this code better, but else I can write a patch for this.

Flags: needinfo?(jdemooij) → needinfo?(andrebargull)

(In reply to Daniel Veditz [:dveditz] from comment #7)
> This looks like it might be specific to the shell function and not a bug in Firefox?

Yes, this is only reproducible on the shell.

Flags: needinfo?(andrebargull)

Overview:

  • The error message kind was JSEXN_NOTE. Probably a copy-paste error, because
    the previous error entry has JSEXN_NOTE. Change this to JSEXN_ERR to use
    a correct error kind.
  • Add missing null-termination in EncodeWideToUtf8 and EncodeUtf8ToWide.
  • And finally add a JSAPI test to cover this code.

Adding "testCharacterEncoding.cpp" caused unified builds to change and
"testJitABIcalls.cpp" is now in a unified build bundle which doesn't include
declarations for JSContext and JS::Value, which in turn caused build errors
when including "jit/ABIFunctions.h". Add the missing forward definitions to
"jit/ABIFunctions.h" to fix these build errors.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
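Added illustration, not SpiderMonkey code and not the patch landed in comment 10: the two defects diagnosed in comment 8 and fixed by the commit message above, reduced to a self-contained C++ model. Everything in it is hypothetical (the enum ExnType with EXN_ERROR_LIMIT/EXN_NOTE, the kErrorClasses table, classForType, encodeUtf8ToWide); it only mirrors the shape of the real code: (1) a class table indexed by an exception kind, where a kind at or past the limit has no entry and must be rejected rather than used as an index, and (2) a UTF-8 to wide conversion whose returned buffer must carry the terminating L'\0' that callers such as wcslen() rely on. It assumes wchar_t holds a full code point (as on macOS and Linux) and performs no overlong or surrogate checks.

```cpp
#include <cstddef>
#include <cstdint>
#include <cwchar>
#include <memory>
#include <string>

// --- Issue (1): an error kind that is not backed by a class table entry ---

// Hypothetical mirror of the layout of an exception-kind enum: class-backed
// kinds come first, EXN_ERROR_LIMIT marks the end of the class table, and
// warning/note kinds sit past the limit without a class of their own.
enum ExnType : int {
  EXN_ERR = 0,
  EXN_INTERNALERR,
  EXN_TYPEERR,
  EXN_RANGEERR,
  EXN_ERROR_LIMIT,
  EXN_WARN = EXN_ERROR_LIMIT,
  EXN_NOTE,
};

struct ErrorClass {
  const char* name;
};

// Exactly EXN_ERROR_LIMIT entries (a global, like the table ASan reported
// the read past); indexing with EXN_NOTE would run off its end.
static const ErrorClass kErrorClasses[EXN_ERROR_LIMIT] = {
    {"Error"}, {"InternalError"}, {"TypeError"}, {"RangeError"},
};

// Bounds-checked lookup: returns nullptr for kinds with no class instead of
// forming an out-of-bounds index.
const ErrorClass* classForType(ExnType type) {
  if (type < 0 || type >= EXN_ERROR_LIMIT) {
    return nullptr;
  }
  return &kErrorClasses[type];
}

// --- Issue (2): a converted buffer that callers expect to be NUL-terminated ---

// Sequence length implied by a UTF-8 lead byte; 0 for a continuation byte or
// an invalid lead byte.
static size_t leadByteLength(unsigned char b) {
  if (b < 0x80) return 1;
  if ((b & 0xE0) == 0xC0) return 2;
  if ((b & 0xF0) == 0xE0) return 3;
  if ((b & 0xF8) == 0xF0) return 4;
  return 0;
}

// Hypothetical UTF-8 -> wide conversion. Returns nullptr on malformed input.
// The buffer is always one element longer than the decoded length and ends
// in L'\0', so callers may safely use wcslen() or %ls on it; the defect in
// comment 8 was a buffer sized for the characters only.
std::unique_ptr<wchar_t[]> encodeUtf8ToWide(const std::string& utf8) {
  // First pass: validate structure and count code points.
  size_t count = 0;
  for (size_t i = 0; i < utf8.size();) {
    size_t len = leadByteLength(static_cast<unsigned char>(utf8[i]));
    if (len == 0 || i + len > utf8.size()) return nullptr;
    for (size_t k = 1; k < len; ++k) {
      if ((static_cast<unsigned char>(utf8[i + k]) & 0xC0) != 0x80) return nullptr;
    }
    i += len;
    ++count;
  }

  std::unique_ptr<wchar_t[]> out(new wchar_t[count + 1]);  // +1: terminator
  size_t o = 0;
  for (size_t i = 0; i < utf8.size();) {
    unsigned char b = static_cast<unsigned char>(utf8[i]);
    size_t len = leadByteLength(b);
    // Payload bits of the lead byte: all 7 for ASCII, fewer for longer forms.
    uint32_t cp = (len == 1) ? b : (b & (0x7F >> len));
    for (size_t k = 1; k < len; ++k) {
      cp = (cp << 6) | (static_cast<unsigned char>(utf8[i + k]) & 0x3F);
    }
    out[o++] = static_cast<wchar_t>(cp);
    i += len;
  }
  out[o] = L'\0';  // the terminator the non-Linux path was missing
  return out;
}
```

The checked lookup is the opt-build counterpart of the debug assertion mentioned in comment 8: in a release build there is no assert to stop the bad index, so the bound has to be enforced in the lookup itself. The two-pass conversion sizes the allocation from the validated input, which is also where an off-by-one in the terminator is easiest to audit.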

Opening up per comment 9.

Group: javascript-core-security
Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/2e1c2dd8ef65 Add missing JSAPI tests for CharacterEncoding. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
Flags: sec-bounty? → sec-bounty-
