762936 – IonMonkey: Crash on heap, trying to execute invalid address from [@ js::gc::Arena::finalize]

Last Comment Bug 762936 - IonMonkey: Crash on heap, trying to execute invalid address from [@ js::gc::Arena::finalize]


Summary:	IonMonkey: Crash on heap, trying to execute invalid address from [@ js::gc::A...

Status:	VERIFIED FIXED
Whiteboard:	[jsbugmon:update]
Keywords:	crash, sec-critical, testcase

Product:	Core
Classification:	Components
Component:	JavaScript Engine (show other bugs)
Version:	Other Branch
Platform:	x86 Linux

Importance:	-- major (vote)
Target Milestone:	---
Assigned To:	general
QA Contact:
Mentors:

URL:

Duplicates:	762907 762923 762984 763112 763121 763440 (view as bug list)
Depends on:
Blocks:	langfuzz IonFuzz
	Show dependency tree / graph

Reported:

2012-06-08 08:41 PDT by Christian Holler (:decoder)

Modified:

2013-02-04 14:08 PST (History)

CC List:

7 users (show)

Flags:

choller: in‑testsuite-

See Also:

Crash Signature:

(edit)

[@ js::gc::Arena::finalize ]

QA Whiteboard:

Iteration:

---

Points:

---

Has Regression Range:

---

Has STR:

---

Tracking Flags:

Attachments
fix (872 bytes, patch) 2012-06-11 17:43 PDT, Sean Stangl [:sstangl]	dvander: review+	Details \| Diff \| Splinter Review
View All Add an attachment (proposed patch, testcase, etc.)

Description

Christian Holler (:decoder) 2012-06-08 08:41:55 PDT

The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):


gcPreserveCode()
options("allow_xml");
function TestCase(n, d, e, a) {}
function reportCompare(expected, actual, description) {
    new TestCase
}
var actual = '';
var expect = '';
for (var i = 0; i < 2; ++i)
  reportCompare(expect, actual, ': 2');
gczeal(2);
var summary = 'brian loves eval(s, o)';
isXMLName  = 'locallocal';
eval("", {});
reportCompare(expect, actual, summary);

Comment 1

Christian Holler (:decoder) 2012-06-08 08:44:00 PDT

Crash info:

==11650== Jump to the invalid address stated on the next line
==11650==    at 0xFFF: ???
==11650==    by 0x811B088: bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) (jsgc.cpp:303)
==11650==    by 0x8116DD1: void js::gc::FinalizeTypedArenas<JSObject>(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:350)
==11650==    by 0x810B1CC: js::gc::FinalizeArenas(js::FreeOp*, js::gc::ArenaLists::ArenaList*, js::gc::AllocKind) (jsgc.cpp:390)
==11650==    by 0x810DE34: js::gc::ArenaLists::finalizeNow(js::FreeOp*, js::gc::AllocKind) (jsgc.cpp:1495)
==11650==    by 0x810DF6D: js::gc::ArenaLists::finalizeObjects(js::FreeOp*) (jsgc.cpp:1598)
==11650==    by 0x8112A70: SweepPhase(JSRuntime*, js::JSGCInvocationKind, bool*) (jsgc.cpp:3333)
==11650==    by 0x8114277: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind) (jsgc.cpp:3770)
==11650==    by 0x81146C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3866)
==11650==    by 0x811485B: js::GC(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3890)
==11650==    by 0x80D0979: js::DestroyContext(JSContext*, js::DestroyContextMode) (jscntxt.cpp:319)
==11650==    by 0x8087AB0: JS_DestroyContext (jsapi.cpp:1182)
==11650==  Address 0xfff is not stack'd, malloc'd or (recently) free'd


The address I saw varied, it wasn't fixed to 0xfff, therefore s-s.

Comment 2

Christian Holler (:decoder) 2012-06-08 09:05:32 PDT

In fact, I just got another test where it jumps to 0xdadadada. That sounds very easy to exploit :(

Comment 3

Sean Stangl [:sstangl] 2012-06-11 17:43:57 PDT

Created attachment 632086 [details] [diff] [review]
fix

After hours of debugging, I'm far too sober for this patch.

Comment 4

Sean Stangl [:sstangl] 2012-06-11 17:53:20 PDT

http://hg.mozilla.org/projects/ionmonkey/rev/3dc37e74fdf0

Comment 5

Sean Stangl [:sstangl] 2012-06-11 17:54:58 PDT

*** Bug 763440 has been marked as a duplicate of this bug. ***

Comment 6

Sean Stangl [:sstangl] 2012-06-11 17:56:22 PDT

*** Bug 762984 has been marked as a duplicate of this bug. ***

Comment 7

Sean Stangl [:sstangl] 2012-06-11 17:58:09 PDT

*** Bug 762907 has been marked as a duplicate of this bug. ***

Comment 8

Sean Stangl [:sstangl] 2012-06-11 18:03:58 PDT

*** Bug 762923 has been marked as a duplicate of this bug. ***

Comment 9

Christian Holler (:decoder) 2012-06-11 18:37:46 PDT

JSBugMon: This bug has been automatically verified fixed.

Comment 10

Sean Stangl [:sstangl] 2012-06-12 16:28:40 PDT

*** Bug 763112 has been marked as a duplicate of this bug. ***

Comment 11

David Anderson [:dvander] 2012-07-02 15:21:30 PDT

*** Bug 763121 has been marked as a duplicate of this bug. ***

Comment 12

Christian Holler (:decoder) 2013-02-04 14:08:08 PST

E4X has been removed, so we won't add the test.

Note You need to log in before you can comment on or make changes to this bug.