Closed Bug 732791 Opened 13 years ago Closed 13 years ago

Use-after-free [@ js::mjit::Compiler::bytecodeInChunk] or Crash [@ js::GetBytecodeLength]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical


RESOLVED DUPLICATE of bug 730806

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: testcase, valgrind, Whiteboard: [asan])

The following test shows a use-after-free in Valgrind and ASan on mozilla-central revision 343ec916dfd5 (options -m -n -a):

    function jsTestDriverEnd() {
      for (var i = 0; i < gTestcases.length; i++) {}
    }
    function newFunc(x) { new Function(x)(); };
    newFunc("gczeal(2,1); jsTestDriverEnd();");

Here's a Valgrind trace:

    ==36213== Invalid read of size 4
    ==36213==    at 0x6C9ED0: js::mjit::Compiler::bytecodeInChunk(unsigned char*) (Compiler.h:530)
    ==36213==    by 0x6B92E4: js::mjit::Compiler::finishLoop(unsigned char*) (Compiler.cpp:6981)
    ==36213==    by 0x6B9F46: js::mjit::Compiler::jumpAndRun(JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump, unsigned char*, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump*, bool*, bool) (Compiler.cpp:7194)
    ==36213==    by 0x6FBD82: js::mjit::Compiler::jsop_relational_full(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) (FastArithmetic.cpp:1702)
    ==36213==    by 0x70B0FA: js::mjit::Compiler::jsop_relational(JSOp, int (*)(js::VMFrame&), unsigned char*, JSOp) (FastOps.cpp:586)
    ==36213==    by 0x6A3B2C: js::mjit::Compiler::generateMethod() (Compiler.cpp:2397)
    ==36213==    by 0x69A425: js::mjit::Compiler::performCompilation() (Compiler.cpp:548)
    ==36213==    by 0x699064: js::mjit::Compiler::compile() (Compiler.cpp:150)
    ==36213==    by 0x69C3CB: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:993)
    ==36213==    by 0x506E05: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2739)
    ==36213==    by 0x693AB8: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (MethodJIT.cpp:1079)
    ==36213==    by 0x693C71: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (MethodJIT.cpp:1111)
    ==36213==  Address 0x5e7baac is 108 bytes inside a block of size 128 free'd
    ==36213==    at 0x4C282ED: free (vg_replace_malloc.c:366)
    ==36213==    by 0x40393C: js_free (Utility.h:152)
    ==36213==    by 0x41194E: js::Foreground::free_(void*) (Utility.h:566)
    ==36213==    by 0x41B991: JSRuntime::free_(void*) (jscntxt.h:644)
    ==36213==    by 0x41B9E5: JSContext::free_(void*) (jscntxt.h:1120)
    ==36213==    by 0x694BD7: js::mjit::ReleaseScriptCode(JSContext*, JSScript*, bool) (MethodJIT.cpp:1452)
    ==36213==    by 0x47EC04: js::mjit::ReleaseScriptCode(JSContext*, JSScript*) (MethodJIT.h:904)
    ==36213==    by 0x47C50A: JSCompartment::discardJitCode(JSContext*) (jscompartment.cpp:472)
    ==36213==    by 0x47C7EB: JSCompartment::sweep(JSContext*, bool) (jscompartment.cpp:516)
    ==36213==    by 0x4B3F5B: SweepPhase(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:3204)
    ==36213==    by 0x4B4685: MarkAndSweep(JSContext*, js::JSGCInvocationKind) (jsgc.cpp:3296)
    ==36213==    by 0x4B53A0: GCCycle(JSContext*, JSCompartment*, long, js::JSGCInvocationKind) (jsgc.cpp:3644)

This error leads to sporadic, non-deterministic crashes in the fuzzer that are very hard to reproduce. I used ASan to minimize this one down to a sane size for debugging. The bug looks somewhat similar to the one in 728674.
Should be fixed by the patch in bug 730806.
Depends on: 730806
Christian, it looks like this is supposed to be a dup of bug 730806. Could you check on that?
Confirmed to be a duplicate of bug 730806.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: js-triage-needed, [asan] → [asan]
No longer blocks: 732016
Group: core-security