Closed Bug 914174 Opened 6 years ago Closed 6 years ago

ASan: JS Standalone builds don't have allow_user_segv_handler set

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla26

People

(Reporter: decoder, Assigned: decoder)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, sec-want, testcase, Whiteboard: [jsbugmon:ignore])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision c7cc85e13f7a (run with --fuzzing-safe --ion-eager):


for (i=0; i<24; i++)
var fu=new Function();
timeout(1);
evaluate("for (var $2 = y = this ; i < 1000; i-- ) {}");

I assume this test doesn't reproduce on any other build than my optimized 64-bit ASan build because it depends on interrupting script execution at the right spot (using timeout). I was able to get this trace:


==29165==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb0764d2b13 (pc 0x000000beec7b sp 0x7fff13c18b30 bp 0x61900000b810 T0)
AddressSanitizer can not provide additional info.
    #0 0xbeec7a in JSC::X86Assembler::setInt32(void*, int) assembler/assembler/X86Assembler.h:3028
    #1 0xe095e2 in js::jit::InterruptCheck(JSContext*) jit/VMFunctions.cpp:436
    #2 0x7ff9a358fbb0 (+0xdbb0)


Jandem suggests this might be related to a change bhackett did recently to the ion interrupt mechanism. Marking this s-s because this crashes while trying to access an invalid address.

In general it would be really nice if there were better functions to reliably reproduce/find these issues, rather than timeout.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:ignore]
Solved this one... the problem is not in the JS engine, but rather this was regressed by me in bug 898230. It seems that for standalone js shell builds, mozglue is not involved and therefore, the required ASan option isn't set.
Group: core-security
Flags: needinfo?(bhackett1024)
I talked to glandium and although mozglue not being used for standalone JS builds is a bug, he agrees that it is easier now to fix it by adding code guarded by JS_STANDALONE back into the js engine.

Patch for that will be up soon.
Keywords: sec-want
Summary: Crash [@ JSC::X86Assembler::setInt32] with timeout (reproduces only cleanly on ASan) → ASan: JS Standalone builds don't have allow_user_segv_handler set
Tested with a JS standalone build, as well as a browser build.
Assignee: general → choller
Status: NEW → ASSIGNED
Attachment #802371 - Flags: review?(luke)
Comment on attachment 802371 [details] [diff] [review]
asan-js-standalone.patch

Review of attachment 802371 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/AsmJSSignalHandlers.cpp
@@ +1034,5 @@
>  #endif
>  }
> +
> +#ifdef MOZ_ASAN
> +#ifdef JS_STANDALONE

#if defined(MOZ_ASAN) && defined(JS_STANDALONE)
Attachment #802371 - Flags: review?(luke) → review+
Accidentally pushed the patch without the review change, here's the follow up push with nit fixed:

https://hg.mozilla.org/integration/mozilla-inbound/rev/1a413186fb49
https://hg.mozilla.org/mozilla-central/rev/4f3fe05d6dc8
https://hg.mozilla.org/mozilla-central/rev/3116abfc2f95
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26