Closed Bug 1851619 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ append<JSFunction *&>] with READ of size 8

Categories

(Core :: JavaScript: GC, defect, P3)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- verified

People

(Reporter: decoder, Assigned: sfink)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])

Attachments

(4 files)

The following testcase crashes on mozilla-central revision 20230903-39747a728e31 (asan-opt build, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

// Keep a reference to the original Object constructor under x.Object so the
// preventExtensions override below can still reach the real implementation.
Object.defineProperty(this, "x", {
  value:{
    Object: Object,
  }
});
// Shell-only testing hook (not available to web content).
enableShellAllocationMetadataBuilder();
// The registered target ({}) is unreachable immediately, so the GC run during
// runtime destruction finds a dead target and queues a cleanup through the
// host callback (see ShellCleanupFinalizationRegistryCallback in the backtrace).
var registry = new FinalizationRegistry(()=>{
});
registry.register({}, 1, {});
var target = {};
Object.preventExtensions = function(obj) {
  return x.Object.preventExtensions(obj);
}
Object.preventExtensions(target);

Backtrace:

==15409==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000000eb0 at pc 0x557ed7ec7383 bp 0x7ffefe7bde40 sp 0x7ffefe7bde38
READ of size 8 at 0x616000000eb0 thread T0
    #0 0x557ed7ec7382 in append<JSFunction *&> dist/include/mozilla/Vector.h:1473:7
    #1 0x557ed7ec7382 in append<JSFunction *&> dist/include/js/GCVector.h:91:19
    #2 0x557ed7ec7382 in append<JSFunction *&> dist/include/js/GCVector.h:272:18
    #3 0x557ed7ec7382 in ShellCleanupFinalizationRegistryCallback(JSFunction*, JSObject*, void*) /js/src/shell/js.cpp:1256:49
    #4 0x557ed917efd1 in callHostCleanupFinalizationRegistryCallback /js/src/gc/GC.cpp:1475:5
    #5 0x557ed917efd1 in js::gc::GCRuntime::queueFinalizationRegistryForCleanup(js::FinalizationQueueObject*) /js/src/gc/FinalizationObservers.cpp:309:3
    #6 0x557ed917e5a1 in js::gc::FinalizationObservers::traceWeakFinalizationRegistryEdges(JSTracer*) /js/src/gc/FinalizationObservers.cpp:248:13
    #7 0x557ed925d0bd in js::gc::GCRuntime::sweepFinalizationObserversOnMainThread() /js/src/gc/Sweeping.cpp:1303:5
    #8 0x557ed925ec9e in js::gc::GCRuntime::beginSweepingSweepGroup(JS::GCContext*, js::SliceBudget&) /js/src/gc/Sweeping.cpp:1562:3
    #9 0x557ed928d4ef in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) /js/src/gc/Sweeping.cpp:2160:23
    #10 0x557ed92852f8 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) /js/src/gc/Sweeping.cpp:2195:19
    #11 0x557ed9268772 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /js/src/gc/Sweeping.cpp:2337:53
    #12 0x557ed91a11b5 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) /js/src/gc/GC.cpp:3679:11
    #13 0x557ed91a57ee in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4190:3
    #14 0x557ed91a7740 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /js/src/gc/GC.cpp:4381:9
    #15 0x557ed91a8bad in js::gc::GCRuntime::finishGC(JS::GCReason) /js/src/gc/GC.cpp:4499:3
    #16 0x557ed878e1b8 in JSRuntime::destroyRuntime() /js/src/vm/Runtime.cpp:236:7
    #17 0x557ed8557417 in js::DestroyContext(JSContext*) /js/src/vm/JSContext.cpp:221:7
    #18 0x557ed7ebdb4a in main /js/src/shell/js.cpp:11513:1

0x616000000eb0 is located 560 bytes inside of 576-byte region [0x616000000c80,0x616000000ec0)
freed by thread T0 here:
    #0 0x557ed7e6a566 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x557ed7ebdb17 in main /js/src/shell/js.cpp:11513:1

previously allocated by thread T0 here:
    #0 0x557ed7e6a80e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x557ed7ec372c in js_arena_malloc dist/include/js/Utility.h:370:10
    #2 0x557ed7ec372c in js_malloc dist/include/js/Utility.h:374:10
    #3 0x557ed7ec372c in js_new<js::shell::ShellContext, JSContext *const &> dist/include/js/Utility.h:530:1
    #4 0x557ed7ec372c in js::detail::UniqueSelector<js::shell::ShellContext>::SingleObject js::MakeUnique<js::shell::ShellContext, JSContext* const&>(JSContext* const&) dist/include/js/UniquePtr.h:43:23
    #5 0x557ed7ebd312 in main /js/src/shell/js.cpp:11394:32

SUMMARY: AddressSanitizer: heap-use-after-free dist/include/mozilla/Vector.h:1473:7 in append<JSFunction *&>
Shadow bytes around the buggy address:
  0x616000000e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x616000000e80: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
  0x616000000f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Heap left redzone:       fa
  Freed heap region:       fd
==15409==ABORTING

Not sure if this is shell-only or not, so marking s-s based on use-after-free.

Attached file Testcase

Jon, I am not sure if this is a JS shell only issue or not, in the meantime I set the priority as P3/S4.
Feel free to bump it to a higher severity if this is more than a shell-only issue.

Blocks: GC.stability
Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Priority: -- → P3

Verified bug as reproducible on mozilla-central 20230905042640-530fe27f752d.
Unable to bisect testcase (Unable to launch the start build!):

Start: f8e8c96064386b2f3405adefc512f7fbc2808ff8 (20220906092849)
End: 39747a728e31525f254d25d9fa323a491dda5b09 (20230903210251)
BuildFlags: BuildFlags(asan=None, tsan=None, debug=True, fuzzing=None, coverage=None, valgrind=None, no_opt=None, fuzzilli=None, nyx=None)

Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisected,confirmed]

(In reply to Nicolas B. Pierron [:nbp] from comment #3)
> Jon, I am not sure if this is a JS shell only issue or not, in the meantime I set the priority as P3/S4.
> Feel free to bump it to a higher severity if this is more than a shell-only issue.

Forwarding the need-info to Steve, given that Jon is not available this week.

Flags: needinfo?(jcoppeard) → needinfo?(sphink)
Assignee: nobody → sphink
Status: NEW → ASSIGNED

Shell-only shutdown ordering problem.

Group: javascript-core-security
Flags: needinfo?(sphink)
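The shutdown ordering the backtrace shows, reduced to a small C model: main frees the ShellContext (js.cpp:11513), then JSRuntime::destroyRuntime runs a final GC, the sweep of finalization registries finds a dead target, and ShellCleanupFinalizationRegistryCallback appends to a GCVector that lives inside the already-freed ShellContext. The code below is an added illustration written for this page, not SpiderMonkey source or the patch that landed in autoland; HostContext, Runtime, the teardown_* functions and the poison-instead-of-free quarantine are hypothetical stand-ins chosen so the misuse can be observed without relying on a real heap-use-after-free.

```c
#include <stddef.h>

/* Added model, not SpiderMonkey code: every name here is hypothetical.
 * Host-side state owned by the embedding (stands in for js::shell::ShellContext).
 * The host's cleanup callback appends into a vector that lives inside it. */
typedef struct HostContext {
    unsigned magic;   /* HOST_ALIVE while live, HOST_POISON once "freed" */
    size_t   queued;  /* cleanup jobs appended by the callback */
} HostContext;

#define HOST_ALIVE  0xC0FFEEu
#define HOST_POISON 0xFDFDFDFDu

typedef void (*CleanupCallback)(void *data);

/* Engine-side runtime (stands in for JSRuntime). It keeps the host callback
 * plus its data pointer, and runs one final GC when destroyed. */
typedef struct Runtime {
    CleanupCallback cleanup_cb;
    void           *cleanup_data;
    int             registries_with_dead_targets;
} Runtime;

/* Number of callback invocations that touched a dead HostContext. Instead of
 * a real free(), host_context_free() poisons the object so the misuse is
 * observable here; under ASan the real free() goes to a quarantine and the
 * same access is reported as heap-use-after-free. */
static int g_use_after_free_hits;

static void host_context_free(HostContext *hc) {
    hc->magic = HOST_POISON;
}

/* Stands in for ShellCleanupFinalizationRegistryCallback: appends to the
 * vector inside the HostContext handed over as the callback's data pointer. */
static void shell_cleanup_callback(void *data) {
    HostContext *hc = (HostContext *)data;
    if (hc->magic != HOST_ALIVE) {
        g_use_after_free_hits++;   /* the READ that ASan flags in the backtrace */
        return;
    }
    hc->queued++;
}

/* Stands in for JSRuntime::destroyRuntime(): the final GC sweeps finalization
 * registries, and each one with a dead target is queued through the host
 * callback if one is still registered. */
static void runtime_destroy(Runtime *rt) {
    if (rt->registries_with_dead_targets > 0 && rt->cleanup_cb != NULL) {
        rt->cleanup_cb(rt->cleanup_data);
        rt->registries_with_dead_targets = 0;
    }
}

/* Buggy teardown, matching the backtrace: the host context dies first, then
 * the runtime's final GC calls back into it. Returns the number of
 * use-after-free accesses observed (1). */
int teardown_buggy(void) {
    HostContext hc = { HOST_ALIVE, 0 };
    Runtime rt = { shell_cleanup_callback, &hc, 1 };
    g_use_after_free_hits = 0;

    host_context_free(&hc);   /* ShellContext gone ... */
    runtime_destroy(&rt);     /* ... but the final GC still calls the callback */
    return g_use_after_free_hits;
}

/* Fixed teardown: unregister the callback before the host context dies, so a
 * cleanup that becomes pending during shutdown is simply dropped. Returns the
 * number of use-after-free accesses observed (0). */
int teardown_fixed(void) {
    HostContext hc = { HOST_ALIVE, 0 };
    Runtime rt = { shell_cleanup_callback, &hc, 1 };
    g_use_after_free_hits = 0;

    rt.cleanup_cb = NULL;     /* nothing may reach into hc after this point */
    rt.cleanup_data = NULL;
    host_context_free(&hc);
    runtime_destroy(&rt);
    return g_use_after_free_hits;
}

/* Alternative fix: keep the callback but tear the runtime down first, so the
 * cleanup is delivered while the host context is still alive. Returns how
 * many cleanups the live context received (1). */
size_t teardown_ordered(void) {
    HostContext hc = { HOST_ALIVE, 0 };
    Runtime rt = { shell_cleanup_callback, &hc, 1 };
    g_use_after_free_hits = 0;

    runtime_destroy(&rt);
    host_context_free(&hc);
    return hc.queued;
}
```

The general check this encodes: any callback an embedding registers with the engine that carries a pointer into host-owned state must be unregistered (or the engine torn down) before that state is freed, because runtime destruction itself triggers a GC and therefore every GC-driven host hook. The magic-value poisoning here is only a stand-in for what ASan's freed-memory quarantine gives you for free; in a real embedding, run the shutdown path under ASan rather than relying on sentinels.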
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e93d9434d00
Do not call ShellCleanupFinalizationRegistryCallback after ShellContext is dead r=jandem
https://hg.mozilla.org/integration/autoland/rev/065892758133
Common up some initialization and teardown code r=jandem
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch

Verified bug as fixed on rev mozilla-central 20230913092556-daceab96e958.
Removing bugmon keyword as no further action is possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
