Last Comment Bug 759719 - Crash [@ malloc_consolidate] or Glibc abort with memory corruption, related to invalid access in JSScript::JITScriptHandle::setValid
: Crash [@ malloc_consolidate] or Glibc abort with memory corruption, related t...
Status: VERIFIED FIXED
js-triage-needed [advisory-tracking-]
: crash, csectype-uaf, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Brian Hackett (:bhackett)
:
Mentors:
: 761396 (view as bug list)
Depends on:
Blocks: langfuzz 758613
  Show dependency treegraph
 
Reported: 2012-05-30 05:13 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:13 PST (History)
7 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
unaffected
+
fixed
+
fixed
-
unaffected


Attachments
Test case for shell (run with -n -m) (2.50 KB, application/javascript)
2012-05-30 05:13 PDT, Christian Holler (:decoder)
no flags Details
patch (1.23 KB, patch)
2012-06-02 20:57 PDT, Brian Hackett (:bhackett)
dvander: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-05-30 05:13:54 PDT
Created attachment 628313 [details]
Test case for shell (run with -n -m)

The attached test crashes on mozilla-central revision e8a025a7101b (options -m -n).


Valgrind on debug shows:

==17477== Invalid write of size 8
==17477==    at 0x707920: JSScript::JITScriptHandle::setValid(js::mjit::JITScript*) (jsscript.h:376)
==17477==    by 0x71D614: js::mjit::CanMethodJIT(JSContext*, JSScript*, unsigned char*, bool, js::mjit::CompileRequest) (Compiler.cpp:948)
==17477==    by 0x50E14C: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1555)
==17477==    by 0x508E18: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:266)
==17477==    by 0x509A89: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:466)
==17477==    by 0x509D08: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:508)
==17477==    by 0x448CB9: JS_ExecuteScript (jsapi.cpp:5335)
==17477==    by 0x4084CB: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:445)
==17477==    by 0x41376E: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4754)
==17477==    by 0x4139D1: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4837)
==17477==    by 0x414112: main (js.cpp:5041)
==17477==  Address 0x5f0b7f0 is 0 bytes inside a block of size 32 free'd
==17477==    at 0x4C282ED: free (vg_replace_malloc.c:366)
==17477==    by 0x403BBE: js_free (Utility.h:169)
==17477==    by 0x403BF8: js::Foreground::free_(void*) (Utility.h:588)
==17477==    by 0x419945: JSRuntime::free_(void*) (jscntxt.h:834)
==17477==    by 0x426410: js::FreeOp::free_(void*) (jscntxt.h:1004)
==17477==    by 0x48DCDD: void js::FreeOp::delete_<JSScript::JITScriptSet>(JSScript::JITScriptSet*) (in /srv/repos/mozilla-central/js/src/debug64/shell/js)
==17477==    by 0x48A80E: JSScript::destroyJITInfo(js::FreeOp*) (jsscriptinlines.h:229)
==17477==    by 0x48A217: js::mjit::ReleaseScriptCode(js::FreeOp*, JSScript*) (MethodJIT.h:886)
==17477==    by 0x48C8BE: JSCompartment::discardJitCode(js::FreeOp*) (jscompartment.cpp:437)
==17477==    by 0x48CA60: JSCompartment::sweep(js::FreeOp*, bool) (jscompartment.cpp:470)
==17477==    by 0x4C5E19: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3260)
==17477==    by 0x4C75DE: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3706)

While GDB shows:

Program received signal SIGSEGV, Segmentation fault.
malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
5161    malloc.c: No such file or directory.
        in malloc.c
(gdb) bt
#0  malloc_consolidate (av=0x7ffff72141c0) at malloc.c:5161
#1  0x00007ffff6efe472 in _int_malloc (av=0x7ffff72141c0, bytes=28784) at malloc.c:4373
#2  0x00007ffff6f027b4 in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4065
#3  0x0000000000482634 in js_calloc (bytes=28784) at ./dist/include/js/Utility.h:158
#4  0x00000000004826c4 in js::OffTheBooks::calloc_ (bytes=28784) at ./dist/include/js/Utility.h:572
#5  0x000000000075a4a0 in js::mjit::FrameState::pushActiveFrame (this=0x7fffffff8b70, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/FrameState.cpp:65
#6  0x000000000071b03c in js::mjit::Compiler::pushActiveFrame (this=0x7fffffff8440, script=0x7ffff6107790, argc=0) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:423
#7  0x000000000071b4f6 in js::mjit::Compiler::performCompilation (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:506
#8  0x000000000071a1e4 in js::mjit::Compiler::compile (this=0x7fffffff8440) at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:112
#9  0x000000000071d760 in js::mjit::CanMethodJIT (cx=0xc08c20, script=0x7ffff6107790, pc=0xc1e32d "m", <incomplete sequence \326>, construct=false, request=js::mjit::CompileRequest_Interpreter)
    at /srv/repos/mozilla-central/js/src/methodjit/Compiler.cpp:975


In opt-builds I've seen glibc aborts which are likely due to the same issue. Assuming s-s and sec-critical due to memory corruption.
Comment 1 Brian Hackett (:bhackett) 2012-06-02 20:57:46 PDT
Created attachment 629551 [details] [diff] [review]
patch

The array of JITScripts now attached to scripts could be freed by a GC under MakeJITScript.  We were already watching for the GC, just not at an early enough point.  Regression from bug 758613 so only Fx 15 is affected.
Comment 2 Christian Holler (:decoder) 2012-06-03 08:05:30 PDT
Saw this in the fuzzer also crashing [@ js::ShapeTable::search], linking for crashstats.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2012-06-04 16:00:05 PDT
*** Bug 761396 has been marked as a duplicate of this bug. ***
Comment 4 neil@parkwaycc.co.uk 2012-06-05 06:33:01 PDT
https://hg.mozilla.org/mozilla-central/rev/0a4ce45a4d40
Comment 5 Christian Holler (:decoder) 2012-06-05 07:16:16 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 6 Brian Hackett (:bhackett) 2012-06-22 15:06:07 PDT
Comment on attachment 629551 [details] [diff] [review]
patch

This just missed the last cutoff it looks like, needs Aurora uplift but doesn't affect Beta.
Comment 7 Brian Hackett (:bhackett) 2012-06-27 08:26:32 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/90c5403757a7
Comment 8 Christian Holler (:decoder) 2013-01-19 14:13:16 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.