Closed
Bug 692065
Opened 13 years ago
Closed 13 years ago
Use after free in JS methodjit IC structure with possible crash [@ js::mjit::ic::BaseIC::disable]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 686107
People
(Reporter: decoder, Unassigned)
Details
(Keywords: crash, testcase, valgrind, Whiteboard: [sg:dupe 686107] js-triage-needed)
Crash Data
The following test shows valgrind errors on mozilla-central revision a896a9e237a0 (options -m -n -a):

    test();
    function test() {
      function f(N) {
        for (var i = 0; i != N; ++i) {
          for (var repeat = 0; repeat != 2; - repeat) {
            for (var j in obj1) {
              for (var k in obj2) {
              }
            }
          }
        }
      }
      var array = [function() { f(10); } ];
      for (var i = 0; i != array.length; ++i)
        array[f]();
    }

Brian already mentioned that this could be another variation of bug 686107 (even though the crashes/errors look different). Note that this test does not crash but the original (unminimized) testcase did. This one only shows the valgrind errors but I guess those are the more important symptoms to diagnose. S-s because this might be a use after free which could be exploitable.

Valgrind Log:

    ==31843== Invalid read of size 1
    ==31843==    at 0x77E52E: js::mjit::ic::GetElementIC::shouldUpdate(JSContext*) (PolyIC.cpp:2379)
    ==31843==    by 0x781448: js::mjit::ic::CallElement(js::VMFrame&, js::mjit::ic::GetElementIC*) (PolyIC.cpp:2894)
    ==31843==    by 0x6E2763: ??? (MethodJIT.cpp:153)
    ==31843==    by 0x6E29FD: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
    ==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
    ==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
    ==31843==    by 0x4038FB: js_free (jsutil.h:287)
    ==31843==    by 0x41113F: js::Foreground::free_(void*) (jsutil.h:534)
    ==31843==    by 0x419A9D: JSRuntime::free_(void*) (jscntxt.h:774)
    ==31843== [*** Last error repeated twice ***]
    ==31843==
    ==31843== Invalid read of size 4
    ==31843==    at 0x77E255: js::mjit::ic::BaseIC::spew(JSContext*, char const*, char const*) (PolyIC.cpp:2303)
    ==31843==    by 0x77E555: js::mjit::ic::GetElementIC::shouldUpdate(JSContext*) (PolyIC.cpp:2380)
    ==31843==    by 0x781448: js::mjit::ic::CallElement(js::VMFrame&, js::mjit::ic::GetElementIC*) (PolyIC.cpp:2894)
    ==31843==    by 0x6E2763: ??? (MethodJIT.cpp:153)
    ==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
    ==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
    ==31843==    by 0x4038FB: js_free (jsutil.h:287)
    ==31843==    by 0x41113F: js::Foreground::free_(void*) (jsutil.h:534)
    ==31843==    by 0x419A9D: JSRuntime::free_(void*) (jscntxt.h:774)

Backtrace of original test crashing:

    Program terminated with signal 11, Segmentation fault.
    #0  0x000000000077e2e1 in js::mjit::ic::BaseIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type", stub=0x77e4e9) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2330
    2330        if (jit->pcLengths) {
    #0  0x000000000077e2e1 in js::mjit::ic::BaseIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type", stub=0x77e4e9) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2330
    #1  0x000000000077e5f1 in js::mjit::ic::GetElementIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type") at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2394
    #2  0x00000000007812f7 in js::mjit::ic::GetElementIC::update (this=0x186a648, f=..., cx=0x16fa8b0, obj=0x7f886ef46bf0, v=..., id=..., vp=0x7f886f279248) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2867
    #3  0x00000000007814a0 in js::mjit::ic::CallElement (f=..., ic=0x186a648) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2898
    #4  0x00000000006e2764 in throwpoline_exit () at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:153
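A small triage helper, added here as an example and not part of this bug report or of SpiderMonkey: it parses memcheck records of the form shown in the valgrind log above into the faulting access stack, the stack of the free() call, and the size of the freed block together with the offset of the access inside it, which is what separates a real use-after-free from other invalid accesses. SAMPLE_LOG is a constructed excerpt that reuses the frames quoted in the report; the InvalidAccess type and parse_memcheck function are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpt of memcheck output, reusing the frames quoted in this bug report.
SAMPLE_LOG = """\
==31843== Invalid read of size 1
==31843==    at 0x77E52E: js::mjit::ic::GetElementIC::shouldUpdate(JSContext*) (PolyIC.cpp:2379)
==31843==    by 0x781448: js::mjit::ic::CallElement(js::VMFrame&, js::mjit::ic::GetElementIC*) (PolyIC.cpp:2894)
==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==31843==    by 0x4038FB: js_free (jsutil.h:287)
==31843==
==31843== Invalid read of size 4
==31843==    at 0x77E255: js::mjit::ic::BaseIC::spew(JSContext*, char const*, char const*) (PolyIC.cpp:2303)
==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
"""

@dataclass
class InvalidAccess:
    kind: str                   # "read" or "write"
    size: int                   # bytes touched by the faulting instruction
    offset: int = None          # distance into the freed block, if memcheck attributed one
    block_size: int = None
    access_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    @property
    def is_use_after_free(self):
        # memcheck traced the faulting address to a block that was already passed to free()
        return self.block_size is not None and 0 <= self.offset < self.block_size

PREFIX = re.compile(r"^==\d+==\s?")
HEADER = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (.+)")
FREED = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size (\d+) free'd")

def parse_memcheck(text):
    reports, current, in_free_stack = [], None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                        # an empty "==pid==" line ends the current record
            current, in_free_stack = None, False
        elif m := HEADER.search(line):
            reports.append(current := InvalidAccess(m.group(1), int(m.group(2))))
            in_free_stack = False
        elif current and (m := FREED.search(line)):
            current.offset, current.block_size = int(m.group(1)), int(m.group(2))
            in_free_stack = True            # frames that follow are the free() call site
        elif current and (m := FRAME.search(line)):
            (current.free_stack if in_free_stack else current.access_stack).append(m.group(1))
    return reports
```

Running parse_memcheck over a full memcheck log and grouping the records by their first access frame gives a quick view of how many distinct reads hit the same freed block.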
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
Whiteboard: js-triage-needed → [sg:dupe 686107] js-triage-needed
Updated•12 years ago
Group: core-security
Reporter
Comment 2•11 years ago
A testcase for this bug was already added in the original bug (bug 686107).
Flags: in-testsuite-