Closed Bug 1873328 Opened 1 year ago Closed 1 year ago

AddressSanitizer: stack-overflow on address 0x7ffe5ed61d08 with ubi node takeCensus

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox121 --- wontfix
firefox122 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: gkw, Assigned: sfink)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, reporter-external, testcase)

Attachments

(2 files)

Attached file debug shell stack
let x = {
  by: "filename",
};
x["noFilename"] = x;  // the "filename" grouping's noFilename child is x itself, so the breakdown refers to itself
Debugger().memory.takeCensus({
  breakdown: {
    by: "coarseType",
    scripts: x,  // parsing descends scripts -> x -> noFilename -> x -> ... and never reaches a leaf
  },
});
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27325==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcd38e19e8 (pc 0x55cfe4185d5b bp 0x7ffcd38e2210 sp 0x7ffcd38e19e0 T0)
    #0 0x55cfe4185d5b in StackTrace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:53:45
    #1 0x55cfe4185d5b in BufferedStackTrace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:113:26
    #2 0x55cfe4185d5b in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #3 0x55cfe4c80f31 in js_arena_malloc(unsigned long, unsigned long) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-d2e417f0f208/objdir-js/dist/include/js/Utility.h:370:10
    #4 0x55cfe4c80f31 in unsigned char* js_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/shell-cache/js-64-asan-linux-x86_64-d2e417f0f208/objdir-js/dist/include/js/Utility.h:586:26
    #5 0x55cfe4c80f31 in unsigned char* js::MallocProvider<JSContext>::maybe_pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:57:12
    #6 0x55cfe4c80f31 in unsigned char* js::MallocProvider<JSContext>::pod_arena_malloc<unsigned char>(unsigned long, unsigned long) /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:109:12
    #7 0x55cfe4c80f31 in unsigned char* js::MallocProvider<JSContext>::pod_malloc<unsigned char>(unsigned long) /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:127:12
    #8 0x55cfe4c80f31 in JS::ubi::SimpleCount* js::MallocProvider<JSContext>::new_<JS::ubi::SimpleCount>() /home/skygentoo/trees/mozilla-central/js/src/vm/MallocProvider.h:234:3
    #9 0x55cfe4c80f31 in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1078:29
    #10 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
    #11 0x55cfe4c83276 in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1220:27
    #12 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
    #13 0x55cfe4c8330d in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1226:9
    #14 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
    #15 0x55cfe4c8330d in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1226:9
    #16 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
    #17 0x55cfe4c8330d in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1226:9
    #18 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
    #19 0x55cfe4c8330d in JS::ubi::ParseBreakdown(JSContext*, JS::Handle<JS::Value>) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1226:9
    #20 0x55cfe4c85767 in JS::ubi::ParseChildBreakdown(JSContext*, JS::Handle<JSObject*>, js::PropertyName*) /home/skygentoo/trees/mozilla-central/js/src/vm/UbiNodeCensus.cpp:1071:10
/snip

Likely regression range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6077f51254c69a1e14e1b61acba4af451bf1783e&tochange=59c648a3f95524cb1ee42f2306c1db2698d35258

I'm guessing this is related to bug 1221177 from Nov 2015, or: https://hg.mozilla.org/mozilla-central/rev/b55c75fb0c20

Run with --fuzzing-safe --no-threads --no-baseline --no-ion, compile with AR=ar sh ../configure --enable-address-sanitizer --enable-fuzzing --disable-jemalloc --disable-stdcxx-compat --without-sysroot --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on m-c rev d2e417f0f208.

Steve, since :fitzgen no longer seems to be around, is bug 1221177 a likely regressor? Setting s-s just in case.

Flags: sec-bounty?
Flags: needinfo?(sphink)

Set release status flags based on info from the regressing bug 1221177

Group: core-security → javascript-core-security

Based on the test case and the stack, I'm guessing this is an infinite loop in this ubi node takeCensus function with a data structure that refers to itself.

Group: javascript-core-security
Summary: ERROR: AddressSanitizer: stack-overflow on address 0x7ffe5ed61d08 → ERROR: AddressSanitizer: stack-overflow on address 0x7ffe5ed61d08 with ubi node takeCensus
Summary: ERROR: AddressSanitizer: stack-overflow on address 0x7ffe5ed61d08 with ubi node takeCensus → AddressSanitizer: stack-overflow on address 0x7ffe5ed61d08 with ubi node takeCensus
Assignee: nobody → sphink
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1221177

Severity: -- → S3
Priority: -- → P1
Flags: needinfo?(sphink)

Hi Jim! Just wondering if you'll be able to get to review Steve's patch anytime soon.

Flags: needinfo?(jimb)

Reviewed.

Flags: needinfo?(jimb)
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/abcef67f1aa3 disallow nested groupings of the same type, to prevent infinite recursion r=jimb

Backed out for causing build bustages on HeapSnapshot.cpp.

[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -  gmake[4]: Entering directory '/builds/worker/workspace/obj-build/devtools/shared/heapsnapshot'
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ --sysroot /builds/worker/fetches/sysroot-x86_64-linux-gnu -o HeapSnapshot.o -c  -I/builds/worker/workspace/obj-build/dist/stl_wrappers -I/builds/worker/workspace/obj-build/dist/system_wrappers -include /builds/worker/checkouts/gecko/config/gcc_hidden.h -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fstack-clash-protection -ftrivial-auto-var-init=pattern -DDEBUG=1 -DGOOGLE_PROTOBUF_NO_RTTI -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/devtools/shared/heapsnapshot -I/builds/worker/workspace/obj-build/devtools/shared/heapsnapshot -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fPIC -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -gdwarf-4 -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O2 -fno-omit-frame-pointer -funwind-tables -Werror -Wall -Wbitfield-enum-conversion -Wdeprecated-this-capture -Wempty-body -Wformat-type-confusion -Wignored-qualifiers -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtautological-constant-in-range-compare -Wtype-limits -Wno-error=tautological-type-limit-compare -Wunreachable-code -Wunreachable-code-return -Wunused-but-set-parameter -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis 
-Wno-range-loop-analysis -Wc++2a-compat -Wenum-compare-conditional -Wenum-float-conversion -Wno-error=deprecated -Wno-error=deprecated-anon-enum-enum-conversion -Wno-error=deprecated-enum-enum-conversion -Wno-error=deprecated-pragma -Wno-error=deprecated-this-capture -Wcomma -Wimplicit-fallthrough -Wstring-conversion -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=free-nonheap-object -Wno-error=atomic-alignment -Wno-error=deprecated-builtins -Wformat -Wformat-security -Wno-psabi -Wthread-safety -Wno-error=builtin-macro-redefined -Wno-unknown-warning-option -fno-strict-aliasing -ffp-contract=off  -MD -MP -MF .deps/HeapSnapshot.o.pp   /builds/worker/checkouts/gecko/devtools/shared/heapsnapshot/HeapSnapshot.cpp
[task 2024-02-23T00:08:44.971Z] 00:08:44    ERROR -  /builds/worker/checkouts/gecko/devtools/shared/heapsnapshot/HeapSnapshot.cpp:485:76: error: too few arguments to function call, expected 3, have 2
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -    485 |   JS::ubi::CountTypePtr rootType = JS::ubi::ParseBreakdown(cx, breakdownVal);
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -        |                                    ~~~~~~~~~~~~~~~~~~~~~~~                 ^
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -  /builds/worker/workspace/obj-build/dist/include/js/UbiNodeCensus.h:227:1: note: 'ParseBreakdown' declared here
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -    227 | ParseBreakdown(JSContext* cx, HandleValue breakdownValue,
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -        | ^              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -    228 |                MutableHandle<JS::GCVector<JSLinearString*>> seen);
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -        |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -  1 error generated.
[task 2024-02-23T00:08:44.971Z] 00:08:44    ERROR -  gmake[4]: *** [/builds/worker/checkouts/gecko/config/rules.mk:688: HeapSnapshot.o] Error 1
[task 2024-02-23T00:08:44.971Z] 00:08:44     INFO -  gmake[4]: Leaving directory '/builds/worker/workspace/obj-build/devtools/shared/heapsnapshot'
Flags: needinfo?(sphink)
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d6878a375f54 disallow nested groupings of the same type, to prevent infinite recursion r=jimb
Flags: needinfo?(sphink)
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch

The patch landed in nightly and beta is affected.
:sfink, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox124 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(sphink)

wontfixed, because although this could produce a DOS, it requires access to Debugger, which is not exposed to content.

Flags: sec-bounty? → sec-bounty-
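The diagnosis above (an infinite loop in breakdown parsing when the breakdown object refers to itself) and the landed fix ("disallow nested groupings of the same type, to prevent infinite recursion", which the build log shows threads a `seen` vector of grouping-type names through ParseBreakdown) can be modelled in a few dozen lines of JavaScript. The block below is an added example, not SpiderMonkey's code: it mirrors the ParseBreakdown/ParseChildBreakdown mutual recursion with and without a "seen" list of grouping types on the current path, and feeds both the attached test case. Grouping names and child slots follow the documented takeCensus breakdown format; the output tree shape and the "count" default for omitted children are this example's own simplifications, and the reading that "nested" means ancestor-only (the same type in two sibling subtrees stays legal) is an assumption.

```javascript
// Added example, not SpiderMonkey code: a JavaScript model of the
// ParseBreakdown/ParseChildBreakdown recursion from UbiNodeCensus.cpp,
// showing why a self-referencing breakdown overflows the stack and how a
// "seen" list of grouping types along the current path bounds the recursion.
// Grouping names and child slots follow the documented breakdown format;
// the output tree shape and the "count" default for omitted children are
// this example's own simplifications.

// Child slots for each grouping type; "count" and "bucket" are leaves.
const CHILD_SLOTS = {
  count: [],
  bucket: [],
  coarseType: ["objects", "scripts", "strings", "other", "domNode"],
  objectClass: ["then", "other"],
  internalType: ["then"],
  allocationStack: ["then", "noStack"],
  filename: ["then", "noFilename"],
};

// Validate the "by" property and return the grouping type name.
function groupingType(value) {
  const by = value.by;
  if (!Object.prototype.hasOwnProperty.call(CHILD_SLOTS, by)) {
    throw new TypeError(`unknown breakdown type: ${String(by)}`);
  }
  return by;
}

// Unguarded parser: recurses into each child slot with no memory of the
// groupings already on the path. A breakdown that contains itself never
// reaches a leaf, so the recursion ends only at the engine's stack limit.
function parseBreakdownUnguarded(value) {
  if (value === undefined) return { type: "count", children: {} };
  const by = groupingType(value);
  const children = {};
  for (const slot of CHILD_SLOTS[by]) {
    children[slot] = parseBreakdownUnguarded(value[slot]);
  }
  return { type: by, children };
}

// Guarded parser: `seen` holds the grouping types between the root and the
// current node; a type that already appears there is rejected. The set of
// grouping types is finite, so depth is bounded by its size regardless of
// how the input object graph is wired.
function parseBreakdownGuarded(value, seen = []) {
  if (value === undefined) return { type: "count", children: {} };
  const by = groupingType(value);
  if (seen.includes(by)) {
    throw new TypeError(`breakdown type "${by}" nested inside itself`);
  }
  const path = seen.concat(by); // new array: only ancestors count, not siblings
  const children = {};
  for (const slot of CHILD_SLOTS[by]) {
    children[slot] = parseBreakdownGuarded(value[slot], path);
  }
  return { type: by, children };
}

// Constructed input: the breakdown from the attached test case.
function cyclicBreakdown() {
  const x = { by: "filename" };
  x.noFilename = x;
  return { by: "coarseType", scripts: x };
}

// Constructed input: a well-formed breakdown; "allocationStack" appears in
// two sibling subtrees, which is legitimate and must stay accepted.
function validBreakdown() {
  return {
    by: "coarseType",
    objects: { by: "objectClass", then: { by: "allocationStack" } },
    scripts: { by: "allocationStack", noStack: { by: "filename" } },
  };
}

// Report what a parser does with an input: "ok", "rejected" (TypeError from
// the parser's own checks) or "stack-overflow" (RangeError raised by the
// engine when the unbounded recursion exhausts the call stack).
function outcome(parser, input) {
  try {
    parser(input);
    return "ok";
  } catch (e) {
    if (e instanceof RangeError) return "stack-overflow";
    if (e instanceof TypeError) return "rejected";
    throw e;
  }
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("unguarded, cyclic:", outcome(parseBreakdownUnguarded, cyclicBreakdown()));
  console.log("guarded, cyclic:  ", outcome(parseBreakdownGuarded, cyclicBreakdown()));
  console.log("guarded, valid:   ", outcome(parseBreakdownGuarded, validBreakdown()));
}
```

Run under Node, the unguarded parser reports "stack-overflow" on the test case's breakdown (the JavaScript analogue of the ASan stack-overflow above), the guarded one reports "rejected" with a TypeError naming the re-nested type, and both accept the valid breakdown. The guard works on grouping types rather than on object identity on purpose: a cycle can be built through any number of distinct objects, but a path that never repeats a type cannot be longer than the number of types.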
