Closed Bug 768436 Opened 10 years ago Closed 10 years ago

IonMonkey: Crash [@ JSScript::hasAnalysis] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Assigned: jandem)

References

Details

(Keywords: crash, csectype-uaf, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

Crash Data

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on ionmonkey revision 80a4e5dfeaaf (run with --ion -n -m --ion-eager):


new ({});
Crash trace:


==12410== Invalid read of size 4
==12410==    at 0x8122466: JSScript::hasAnalysis() (jsinferinlines.h:1470)
==12410==    by 0x849EA30: js::ion::ShouldMonitorReturnType(JSFunction*) (VMFunctions.cpp:60)
==12410==    by 0x849EB22: js::ion::InvokeConstructorFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:93)
==12410==    by 0x78B534C: ???
==12410==    by 0x840C2CA: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1112)
==12410==    by 0x840C53C: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1143)
==12410==    by 0x814C794: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:263)
==12410==    by 0x814D3CC: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==12410==    by 0x814D60A: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==12410==    by 0x808F4F1: JS_ExecuteScript (jsapi.cpp:5370)
==12410==    by 0x804FB01: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:440)
==12410==    by 0x805AB43: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4832)
==12410==  Address 0xdadadb02 is not stack'd, malloc'd or (recently) free'd


Jandem says this was caused by bug 766011.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Attached patch Patch (obsolete) — Splinter Review
Taking this fuzz blocker, we need to check if the callee is a function.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #636693 - Flags: review?(dvander)
Attached patch PatchSplinter Review
Attachment #636693 - Attachment is obsolete: true
Attachment #636693 - Flags: review?(dvander)
Attachment #636706 - Flags: review?(dvander)
Comment on attachment 636706 [details] [diff] [review]
Patch

Review of attachment 636706 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for the quick fix - could we add a test case for this?
Attachment #636706 - Flags: review?(dvander) → review+
https://hg.mozilla.org/projects/ionmonkey/rev/bd0eba3ea397

(In reply to David Anderson [:dvander] from comment #4)
>
> Thanks for the quick fix - could we add a test case for this?

Hrm I forgot to qref it, pushed with that fixed.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug768436.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.