692065 - Use after free in JS methodjit IC structure with possible crash [@ js::mjit::ic::BaseIC::disable]

Status: RESOLVED DUPLICATE of bug 686107

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test shows valgrind errors on mozilla-central revision a896a9e237a0 (options -m -n -a):


test();
function test() {
  function f(N) {
    for (var i = 0; i != N; ++i) {
      for (var repeat = 0;repeat != 2; - repeat) {
        for (var j in obj1) {
          for (var k in obj2) {
          }
        }
      }
    }
  }
  var array = [function() { f(10); } ];
  for (var i = 0; i != array.length; ++i)
    array[f]();
}


Brian already mentioned that this could be another variation of bug 686107 (even though the crashes/errors look different).
Note that this test does not crash but the original (unminimized) testcase did. This one only shows the valgrind errors but I guess those are the more important symptoms to diagnose. S-s because this might be a use after free which could be exploitable.


Valgrind Log:

==31843== Invalid read of size 1
==31843==    at 0x77E52E: js::mjit::ic::GetElementIC::shouldUpdate(JSContext*) (PolyIC.cpp:2379)
==31843==    by 0x781448: js::mjit::ic::CallElement(js::VMFrame&, js::mjit::ic::GetElementIC*) (PolyIC.cpp:2894)
==31843==    by 0x6E2763: ??? (MethodJIT.cpp:153)
==31843==    by 0x6E29FD: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:884)
==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==31843==    by 0x4038FB: js_free (jsutil.h:287)
==31843==    by 0x41113F: js::Foreground::free_(void*) (jsutil.h:534)
==31843==    by 0x419A9D: JSRuntime::free_(void*) (jscntxt.h:774)
==31843== 
[*** Last error repeated twice ***]
==31843== 
==31843== Invalid read of size 4
==31843==    at 0x77E255: js::mjit::ic::BaseIC::spew(JSContext*, char const*, char const*) (PolyIC.cpp:2303)
==31843==    by 0x77E555: js::mjit::ic::GetElementIC::shouldUpdate(JSContext*) (PolyIC.cpp:2380)
==31843==    by 0x781448: js::mjit::ic::CallElement(js::VMFrame&, js::mjit::ic::GetElementIC*) (PolyIC.cpp:2894)
==31843==    by 0x6E2763: ??? (MethodJIT.cpp:153)
==31843==  Address 0x5e3b5dc is 828 bytes inside a block of size 880 free'd
==31843==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==31843==    by 0x4038FB: js_free (jsutil.h:287)
==31843==    by 0x41113F: js::Foreground::free_(void*) (jsutil.h:534)
==31843==    by 0x419A9D: JSRuntime::free_(void*) (jscntxt.h:774)


Backtrace of original test crashing:

Program terminated with signal 11, Segmentation fault.
#0  0x000000000077e2e1 in js::mjit::ic::BaseIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type", stub=0x77e4e9) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2330
2330            if (jit->pcLengths) {
#0  0x000000000077e2e1 in js::mjit::ic::BaseIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type", stub=0x77e4e9) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2330
#1  0x000000000077e5f1 in js::mjit::ic::GetElementIC::disable (this=0x186a648, cx=0x16fa8b0, reason=0x86ae4d "unhandled object and key type") at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2394
#2  0x00000000007812f7 in js::mjit::ic::GetElementIC::update (this=0x186a648, f=..., cx=0x16fa8b0, obj=0x7f886ef46bf0, v=..., id=..., vp=0x7f886f279248) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2867
#3  0x00000000007814a0 in js::mjit::ic::CallElement (f=..., ic=0x186a648) at /srv/repos/mozilla-central/js/src/methodjit/PolyIC.cpp:2898
#4  0x00000000006e2764 in throwpoline_exit () at /srv/repos/mozilla-central/js/src/methodjit/MethodJIT.cpp:153

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was already added in the original bug (bug 686107).